Configure networks to disable DNS over HTTPS
Revision Information
- Revision id: 186694
- Creator: Lamont Gardenhire
- Comment: New article
- Reviewed: Yes
- Reviewed by: Lamont287
- Is approved? Yes
- Is current revision? No
- Ready for localization: Yes
- Readied for localization by: Lamont287
At Mozilla, we believe that DNS over HTTPS (DoH) is a feature that everyone should use to enhance their privacy. By encrypting these DNS requests, DoH hides your browsing data from anyone on the network path between you and your nameserver. For instance, using standard DNS queries on a public network can potentially disclose every website you visit to other users on the network as well as to the network operator.
While we would like to encourage everyone to use DoH, we also recognize that there are a few circumstances in which DoH can be undesirable, namely:
- Networks that have implemented some sort of filtering via the default DNS resolver. This is typically used to implement parental controls and to block access to malicious websites.
- Networks that respond to names that are private, and/or that provide different responses than are provided publicly. For example, a company may only expose the address of an application used by employees on their internal network.
Networks can signal to Firefox that there are special features such as these in place that would be disabled if DoH were used for domain name resolution. Checking for this signaling will be implemented in Firefox when DoH is enabled by default for users. This will first happen for users in the United States in the Fall of 2019. If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.
Network administrators may configure their networks as follows to signal that their local DNS resolver implements special features that make the network unsuitable for DoH:
DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver.
The domain “use-application-dns.net” is referred to as a “canary domain”. Some existing DNS filtering providers already implement similar domains for users to verify that filtering is working. This new domain is different because it is meant to be implemented across many filtering solutions, and also checked by software such as Firefox, rather than checked explicitly by the user. This mechanism was created by Mozilla as an interim measure until a more permanent Internet standard for signaling the presence of DNS-based content filtering can be approved.
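As an added example (not part of this article or of Firefox's own code), the following Python script lets an administrator confirm that the canary signal is in place: it builds plain-DNS A and AAAA queries for use-application-dns.net, reads the RCODE from each response, and reports whether both return NXDOMAIN as required above. The resolver address (127.0.0.1 by default), port 53 over UDP and the timeout are assumptions; the sample packets at the bottom are constructed for offline testing only.

```python
import socket
import struct

CANARY = "use-application-dns.net"
TYPE_A, TYPE_AAAA = 1, 28
NXDOMAIN = 3  # RCODE value for "Name Error"

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def response_rcode(packet):
    """Extract the RCODE (low 4 bits of the flags word) from a DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    flags = struct.unpack("!H", packet[2:4])[0]
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a DNS response")
    return flags & 0x000F

def canary_signal(a_response, aaaa_response):
    """Per-type RCODEs plus whether both are NXDOMAIN, i.e. the signal is fully set."""
    rcodes = {"A": response_rcode(a_response), "AAAA": response_rcode(aaaa_response)}
    return rcodes, all(rc == NXDOMAIN for rc in rcodes.values())

def query_udp(server, qtype, timeout=2.0):
    """Send one plain-DNS query for the canary to `server` over UDP/53 (assumed port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY, qtype), (server, 53))
        return sock.recv(512)

def check_resolver(server):
    """Ask the local resolver for A and AAAA of the canary and evaluate the signal."""
    return canary_signal(query_udp(server, TYPE_A), query_udp(server, TYPE_AAAA))

# Constructed sample responses (header only) used for offline testing:
# 0x8183 = QR|RD|RA with RCODE 3 (NXDOMAIN); 0x8180 = same flags, RCODE 0.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    rcodes, signalled = check_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(rcodes, "DoH opt-out signal set" if signalled else "signal NOT set")
```

Run it with the resolver's IP as the only argument; a per-type RCODE other than 3 shows which record type the filter has not yet covered.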
In addition to the canary domain signal described above, Firefox will perform some checks for network features that are incompatible with DoH before enabling it for a user. These checks will be performed at browser startup, and each time the browser detects that it has moved to a different network, such as when a laptop is used at home, work, and a coffee shop. When any of these checks indicates a potential issue, Firefox will disable DoH for the remainder of the network session, unless the user has enabled the “DoH always” preference as mentioned above.
The additional checks that will be performed for content filtering are:
- Resolve canary domains of certain known DNS providers to detect content filtering
- Resolve the “safe-search” variants of google.com and youtube.com to determine if the network redirects to them
- On Windows and macOS, detect parental controls enabled in the operating system
The additional checks that will be performed for private “enterprise” networks are:
- Is the Firefox security.enterprise_roots.enabled preference set to “true”?
- Is any enterprise policy configured?