[dns-operations] use-application-dns.net

Thomas Mieslinger miesi at mail.com
Mon Sep 9 10:50:32 UTC 2019


Hi,

I run an enterprise DNS, and without implementing the
use-application-dns.net hack my ~3000 internal services become
unavailable to my ~10000 internal users. Unfortunately, uninstalling
Firefox on ~10000 workstations is not feasible.

After reading
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
I recognized that requiring an NXDOMAIN reply is somewhat complicated:

- If I point use-application-dns.net to a nameserver where the zone is
not loaded, REFUSED is returned.

- If I point use-application-dns.net to a nameserver where a zone file
for use-application-dns.net is loaded but has no A or AAAA record at
the apex, a reply with the SOA and status NOERROR is constructed.

- If I point use-application-dns.net to a nameserver where a zone file
for use-application-dns.net is loaded but the zone file is broken,
SERVFAIL is returned.

Is there any documentation on how the Mozilla guys did it, and with
which recursive/authoritative software?

Best

Thomas
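An added example, not part of Thomas's post or of any Mozilla or resolver code: a small Python script that constructs the reply shapes listed above (NXDOMAIN, REFUSED, SERVFAIL, and the NOERROR-with-SOA case) as wire-format DNS messages and classifies each by RCODE and authority section, so a raw reply captured from your own resolver can be checked the same way. The SOA contents and transaction id are made up.

```python
import struct

CANARY = "use-application-dns.net"
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_SOA = 1, 6

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def build_response(rcode, soa_in_authority=False, txid=0x1234):
    """Constructed sample reply to an A query for the canary (not captured traffic)."""
    flags = 0x8180 | rcode  # QR, RD and RA set, RCODE in the low nibble
    nscount = 1 if soa_in_authority else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, nscount, 0)
    msg += encode_name(CANARY) + struct.pack("!HH", TYPE_A, 1)  # question section
    if soa_in_authority:  # NODATA shape: NOERROR, empty answer, SOA in authority
        rdata = encode_name("ns1." + CANARY) + encode_name("hostmaster." + CANARY)
        rdata += struct.pack("!IIIII", 2019090901, 3600, 900, 604800, 60)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 60, len(rdata)) + rdata
    return msg

def classify(msg):
    """Name the outcome of a canary lookup the way the post distinguishes them."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0 and ancount == 0:
        off = 12
        for _ in range(qdcount):  # step over the echoed question(s)
            off = skip_name(msg, off) + 4
        if nscount and struct.unpack("!H", msg[skip_name(msg, off):][:2])[0] == TYPE_SOA:
            return "NOERROR/NODATA (SOA at apex, name exists)"
        return "NOERROR with empty answer"
    return RCODE_NAMES.get(rcode, "RCODE %d" % rcode)
```

To test a live resolver, send a raw A query for the canary over UDP and pass the reply bytes to classify().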
