[dns-operations] use-application-dns.net

Paul Vixie paul at redbarn.org
Mon Sep 9 20:42:55 UTC 2019


On Monday, 9 September 2019 10:50:32 UTC Thomas Mieslinger wrote:
> Hi,
> 
> I run an enterprise DNS and without implementing the
> use-application-dns.net hack my ~3000 internal services become
> unavailable to my ~10000 internal users. Unfortunately uninstalling
> Firefox on ~10000 workstations is not feasible.
> 
> after reading
> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> I recognized that requiring a NXDOMAIN reply is somewhat complicated:
> 
> ...

i run RPZ. (i also helped design it -- see https://dnsrpz.info/). here's how i 
handled this particular opt-out requirement from this particular data addict, 
which is likely similar to what i'll do for the rest of the data addicts who 
will follow a similar path for their browsers but will each have their own 
canary domain for $excuses.

all of my recursive name servers are configured to pull a private RPZ from my 
security operations virtual machine. this is a DNS secondary relationship, so 
it is instantaneous (due to NOTIFY), incremental (due to IXFR), and authentic 
(due to TSIG). so, i visited the primary master server for my personal RPZ 
zone and added this text:

> ; blacklisted per mozilla DoH, 2019-09-09
> ; https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> use-application-dns.net         CNAME   .

in RPZ parlance, this means "if you get this QNAME, lie by sending back 
NXDOMAIN". note, i also changed the serial number (from 110 to 111).

then i used the reload command to tell BIND9 to reload that zone. a few 
seconds later, all of my recursive name servers were operating from the new 
response policy. i tested beforehand (with dig) and got real addresses for 
that canary domain, and i tested afterward and saw this:

> ; <<>> DiG 9.11.2-P1 <<>> use-application-dns.net a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34819
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 125298e73a96df8660531aac5d76b8696342c2e016ca4b80 (good)
> ;; QUESTION SECTION:
> ;use-application-dns.net.       IN      A

> ;; ADDITIONAL SECTION:
> dns-policy.vix.com.     30      IN      SOA     util.redbarn.org. \
>     hostmaster.vix.su. 111 3600 1800 604800 30
> ;; Query time: 206 msec
> ;; SERVER: 2001:559:8000:cd::4#53(2001:559:8000:cd::4)
> ;; WHEN: Mon Sep 09 20:39:05 UTC 2019
> ;; MSG SIZE  rcvd: 167

RPZ is free for all use commercial or otherwise, is in BIND9 and powerdns, and 
is coming shortly to Unbound. all the cool kids are using it.

it's my view that every network should operate its own RDNS servers, that 
every unregulated (private) network should block off-net DNS requests except 
those coming from their own servers, and should operate a network-wide RPZ so 
that they can instantaneously distribute response policy changes such as this.

-- 
Paul
