[dns-operations] use-application-dns.net
Ondřej Surý
ondrej at sury.org
Mon Sep 9 17:13:14 UTC 2019
And here’s the KB article on the subject:
https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
Feel free to contact ISC if anything is not clear.
Ondrej
--
Ondřej Surý
ondrej at sury.org
> On 9 Sep 2019, at 17:58, Ondřej Surý <ondrej at sury.org> wrote:
>
> Hi Thomas,
>
> It’s possible to do this with RPZ in BIND (and possibly others); we will put up a KB article for that, but meanwhile you can try doing the following...
>
> Add this to named.conf:
>
> response-policy { zone rpz; };
> zone rpz {
> type master;
> file "rpz.db";
> };
>
> and rpz.db should be something like this:
>
> $TTL 604800
> rpz. IN SOA localhost. root.localhost. (1 604800 86400 2419200 604800 )
> rpz. IN NS localhost.
> use-application-dns.net.rpz. CNAME .
>
> (DISCLAIMER: There might be typos in there somewhere… I’ll post the link to the KB article with a step-by-step howto later today)
>
> Ondrej
> --
> Ondřej Surý
> ondrej at sury.org
>
>> On 9 Sep 2019, at 12:50, Thomas Mieslinger <miesi at mail.com> wrote:
>>
>> Hi,
>>
>> I run an enterprise DNS and without implementing the
>> use-application-dns.net hack my ~3000 internal services become
>> unavailable to my ~10000 internal users. Unfortunately uninstalling
>> Firefox on ~10000 workstations is not feasible.
>>
>> After reading
>> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
>> I recognized that requiring an NXDOMAIN reply is somewhat complicated:
>>
>> - If I point use-application-dns.net to a nameserver where the zone is
>> not loaded, a REFUSED will be returned
>>
>> - If I point use-application-dns.net to a nameserver where a zone file
>> for use-application-dns.net is loaded, but no A or AAAA exists at the
>> apex, a reply with the SOA and state NOERROR will be constructed.
>>
>> - If I point use-application-dns.net to a nameserver where a zone file
>> for use-application-dns.net is loaded but the zone file is broken, a
>> SERVFAIL will be returned.
>>
>> Is there any documentation on how the Mozilla guys did it, and with which
>> recursive/authoritative software?
>>
>> Best
>>
>> Thomas
>>
>
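An added check, not part of the thread or of ISC's KB article: the script below parses a raw DNS reply to the canary query and sorts it into the outcomes Thomas lists (NXDOMAIN, REFUSED, SERVFAIL, or NOERROR carrying only an SOA). build_response, canary_verdict and the sample messages are my own constructions so that it runs offline; to check a live resolver, hand canary_verdict the bytes of a real reply instead.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28
CANARY = "use-application-dns.net"

def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a name; a compression pointer ends it in 2 bytes."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def build_response(rcode, answers=(), authority=()):
    """Constructed sample reply to 'use-application-dns.net. IN A' (QR, RD, RA set)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    question = encode_name(CANARY) + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                   for t, rd in list(answers) + list(authority))  # \xc0\x0c -> qname at 12
    return hdr + question + rrs

# SOA rdata mirroring the rpz.db in the thread (constructed here, not captured off the wire)
SOA_RDATA = encode_name("localhost") + encode_name("root.localhost") + \
    struct.pack("!IIIII", 1, 604800, 86400, 2419200, 604800)

def canary_verdict(msg):
    """Map a raw response to the outcomes discussed in the thread."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    seen = []
    for _ in range(an + ns + ar):               # walk answer, authority, additional
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        seen.append(rtype)
    if rcode == "NXDOMAIN":
        return "NXDOMAIN: the reply the thread is after"
    if rcode == "NOERROR" and not {TYPE_A, TYPE_AAAA} & set(seen):
        return "NOERROR with no A/AAAA (SOA-only NODATA): not NXDOMAIN"
    return rcode + ": not NXDOMAIN"
```

Feeding it the RPZ-style reply (rcode 3 plus SOA) reports the wanted NXDOMAIN, while the empty-apex zone, the unloaded zone and the broken zone come back as NODATA, REFUSED and SERVFAIL respectively.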