[dns-operations] use-application-dns.net
Lee
ler762 at gmail.com
Mon Sep 9 16:17:30 UTC 2019
On 9/9/19, Thomas Mieslinger <miesi at mail.com> wrote:
> Hi,
>
> I run an enterprise DNS and without implementing the
> use-application-dns.net hack my ~3000 internal services become
> unavailable to my ~10000 internal users. Unfortunately uninstalling
> Firefox on ~10000 workstations is not feasible.
>
> after reading
> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> I recognized that requiring a NXDOMAIN reply is somewhat complicated:
RPZ, if you're using BIND:
- named.conf additions
options {
        // Load the local RPZ zone. break-dnssec yes applies the rewrite even to
        // DNSSEC-validated answers, recursive-only no applies it to non-recursive
        // queries too, and qname-wait-recurse no applies the QNAME trigger
        // without first recursing for the real answer.
        response-policy { zone "rpz.mozilla"; }
                break-dnssec yes recursive-only no qname-wait-recurse no;
};
zone "rpz.mozilla" in { type master; notify no; file "/etc/bind/db.mozilla"; };

# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
# Network administrators may configure their networks as follows to signal that their
# local DNS resolver implemented special features that make the network unsuitable
# for DoH: DNS queries for the A and AAAA records for the domain
# use-application-dns.net must respond with NXDOMAIN rather than the IP address
# retrieved from the authoritative nameserver.
# The domain "use-application-dns.net" is referred to as a "canary domain".

$ cat db.mozilla
$ORIGIN rpz.mozilla.
$TTL 1m ; explicit default TTL, so named does not fall back to the SOA minimum with a warning
; https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
; return NXDOMAIN for "use-application-dns.net" name lookup
@ IN SOA localhost. admin.home.net. (
        2019090900 ; Serial
        6h         ; Refresh
        15         ; Retry
        1d         ; Expire
        1m )       ; Minimum
  IN NS localhost.
; tell Firefox to not use DoH (DNS over HTTPS).
; In RPZ, "CNAME ." is the NXDOMAIN action; "CNAME *." would give NODATA,
; which is not what Mozilla asks for.
use-application-dns.net CNAME .
; --- end ---
$ dig use-application-dns.net
; <<>> DiG 9.11.5-P4-5~bpo9+1-Debian <<>> use-application-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21548
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 20c360aac9ec84d69ac35f545d767a546abdc8794d2a8089 (good)
;; QUESTION SECTION:
;use-application-dns.net. IN A
;; ADDITIONAL SECTION:
rpz.mozilla. 60 IN SOA localhost. admin.home.net. 2019090900 21600 15 86400 60
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 09 12:14:12 EDT 2019
;; MSG SIZE rcvd: 147
Regards,
Lee
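The dig above checks only the A record, and only against 127.0.0.1. As an added example (not code from the original post, from Mozilla or from BIND), here is a stand-alone checker that asks a resolver for both A and AAAA of use-application-dns.net, as the Mozilla page requires, and counts the result as correct only for a true NXDOMAIN: a NODATA answer (NOERROR with no records, what an RPZ "CNAME *." rule would produce) is reported as a failure. It assumes plain UDP on port 53 and an IPv4 resolver address; the sample_response helper builds constructed responses for offline testing and is not captured traffic.

```python
"""Check that a resolver returns NXDOMAIN for the Firefox DoH canary domain.

Added example; not code from the original post. Uses only the standard
library so it can be run from a workstation against each internal resolver.
Both A and AAAA are checked because the Mozilla page requires NXDOMAIN for both.
"""
import random
import socket
import struct
import sys

CANARY = "use-application-dns.net"
QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid):
    """Standard recursive query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Return (rcode, answer_count) after checking the id and the QR bit."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    return flags & 0x000F, an


def canary_is_nxdomain(data, expected_txid):
    """True only for a real NXDOMAIN; NODATA (NOERROR, no answers) does not count."""
    rcode, answers = parse_response(data, expected_txid)
    return rcode == RCODE_NXDOMAIN and answers == 0


def sample_response(txid, rcode, answer_ip=None):
    """Construct a response for offline testing (constructed data, not a capture).

    With answer_ip set, one A record for the question name is appended, as a
    resolver that has not been configured for the canary would return.
    """
    answers = b""
    if answer_ip is not None:
        answers = (b"\xc0\x0c"                      # pointer to the question name
                   + struct.pack("!HHIH", QTYPE_A, 1, 60, 4)
                   + socket.inet_aton(answer_ip))
    flags = 0x8180 | rcode                          # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answers else 0, 0, 0)
    return header + encode_name(CANARY) + struct.pack("!HH", QTYPE_A, 1) + answers


def query_udp(server, name, qtype, timeout=2.0):
    """Send one query over UDP/53 (IPv4 resolver address assumed) and return (txid, raw response)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return txid, data


def check_resolver(server):
    """Map 'A'/'AAAA' to whether the resolver returned NXDOMAIN for the canary."""
    results = {}
    for label, qtype in (("A", QTYPE_A), ("AAAA", QTYPE_AAAA)):
        txid, data = query_udp(server, CANARY, qtype)
        results[label] = canary_is_nxdomain(data, txid)
    return results


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for rtype, ok in check_resolver(resolver).items():
        print("%s %s: %s" % (resolver, rtype, "NXDOMAIN" if ok else "NOT NXDOMAIN"))
```

Run it as `python3 canary_check.py 10.0.0.53` against each resolver the workstations actually use (the name of the script is an assumption); a resolver that answers NOERROR with an address for either type has not picked up the policy zone, and one that answers NODATA has the wrong RPZ action.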