[dns-operations] use-application-dns.net

Ondřej Surý ondrej at sury.org
Mon Sep 9 15:58:11 UTC 2019


Hi Thomas,

It's possible to do this with RPZ in BIND (and possibly others); we will put up a KB article for that, but meanwhile you can try doing the following...

add this to named.conf:

// response-policy belongs in the options (or view) block; it enables RPZ
// and names the local policy zone to consult
response-policy { zone "rpz"; };

// the policy zone itself, loaded from a local file next to the other zones
zone "rpz" {
    type master;
    file "rpz.db";
};

and rpz.db should be something like this:

$TTL	604800
; minimal RPZ zone: the SOA and NS are required by the zone format but are
; never handed to clients
rpz.	IN	SOA	localhost. root.localhost. (1 604800 86400 2419200 604800 )
rpz.	IN	NS	localhost.
; "CNAME ." is the RPZ action that rewrites the answer into NXDOMAIN
use-application-dns.net.rpz. CNAME .

(DISCLAIMER: There might be typos in there somewhere…  I'll post the link to the KB article with a step-by-step howto later today)

Ondrej
--
Ondřej Surý
ondrej at sury.org



> On 9 Sep 2019, at 12:50, Thomas Mieslinger <miesi at mail.com> wrote:
> 
> Hi,
> 
> I run an enterprise DNS and without implementing the
> use-application-dns.net hack my ~3000 internal services become
> unavailable to my ~10000 internal users. Unfortunately uninstalling
> Firefox on ~10000 workstations is not feasible.
> 
> After reading
> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> I recognized that requiring an NXDOMAIN reply is somewhat complicated:
> 
> - If I point use-application-dns.net to a Nameserver where the zone is
> not loaded, a REFUSED will be replied
> 
> - If I point use-application-dns.net to a Nameserver where a zone file
> for use-application-dns.net is loaded, but no A or AAAA record exists
> at the apex of the zone file, a reply with the SOA and status NOERROR will be constructed.
> 
> - If I point use-application-dns.net to Nameserver where a zone file
> for use-application-dns.net is loaded but the zone-file is broken, a
> SERVFAIL will be returned.
> 
> Is there any documentation on how the Mozilla guys did it, and with which
> recursive/authoritative software?
> 
> Best
> 
> Thomas
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
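The three wrong outcomes Thomas lists (REFUSED, NOERROR with no answer, SERVFAIL) and the one Firefox looks for (NXDOMAIN) all live in the RCODE and answer count of the reply, so the RPZ deployment above is easy to verify from a workstation. The probe below is an added example written for this thread, not code from the list, from Mozilla or from BIND; it builds a raw RFC 1035 query with the standard library only, sends it over UDP and classifies the reply. The resolver address (127.0.0.1 by default) and the transaction-id handling are my assumptions; the canary name is the one from the thread.

```python
"""Probe a resolver for the Firefox DoH canary domain and classify its reply.

Added example, not from the mailing-list thread. Standard library only:
it builds a wire-format DNS query, sends it over UDP and reads the RCODE
and answer count from the response.
"""
import os
import socket
import struct

CANARY = "use-application-dns.net"   # the canary name discussed in the thread
QTYPE_A = 1
QCLASS_IN = 1

# RCODE values from RFC 1035 / RFC 2136 that matter for this check
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a domain name as DNS labels ("a.b." -> b"\\x01a\\x01b\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build a one-question query with RD set; txid is random unless given."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_reply(data):
    """Return (txid, rcode, ancount) from a wire-format DNS response."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, flags & 0x000F, ancount


def classify(rcode, ancount):
    """Map (rcode, ancount) onto the cases from the thread.

    NXDOMAIN is the outcome the RPZ rule produces. The others are the
    misconfigurations listed in the original question: REFUSED (zone not
    loaded), NODATA (zone loaded but no A/AAAA at the apex) and SERVFAIL
    (broken zone file). ANSWER means the name resolved, i.e. no override.
    """
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0 and ancount == 0:
        return "NODATA"
    if rcode == 0:
        return "ANSWER"
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def check_resolver(server, name=CANARY, port=53, timeout=2.0):
    """Send the canary query to `server` over UDP and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    rtxid, rcode, ancount = parse_reply(data)
    if rtxid != txid:
        raise ValueError("transaction id mismatch")
    return classify(rcode, ancount)


if __name__ == "__main__":
    import sys
    # assumption: the resolver under test listens on localhost unless given
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(resolver, "->", check_resolver(resolver))
```

Run it against each resolver the workstations use; anything other than NXDOMAIN means the RPZ rule is not in effect on that path (for example a view or forwarder that bypasses the policy zone). The probe asks for the A record only; it does not claim to reproduce everything Firefox checks, just the response code the thread is about.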




