Support for returning nxdomain for use-application-dns.net to disable Firefox DoH

As can be seen in the documentation below, when Firefox starts rolling out DoH they will check the domain use-application-dns.net as a Canary domain to check whether to disable DoH.

This would be really useful to have implemented as an option in Pi-hole so we can still have filtering work in the future.

https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Thank you for your suggestion, which we have already discussed internally a bit.

We might want to add this feature as Mozilla specifies (in the document you quote):

Network administrators may configure their networks as follows to signal that their local DNS resolver implemented special features that make the network unsuitable for DoH:

DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver.

This seems to be the case with Pi-hole. We’re discussing what the implementation should look like. I’ll come back to you here at some point.


Proposed implementation


@AKTheKnight good finding, thanks for the request.

Put it in a new file like 99-extra-pihole.conf in /etc/dnsmasq.d/ so that it won’t be deleted on the next update.

Thanks to Mcat12 for pointing out this overwriting.

You may want to remove it when we merge.

Thank you, this Firefox change was about to obliterate all my parental controls. Disabling DoH at my Pi is ideal.

I’m a bit confused by what they say:

This will first happen for users in the United States in the Fall of 2019. If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored. (quoting from the link @AKTheKnight shared in the first post of this discussion).

The phrases “the signal from the network” and “Fall of 2019” make me a bit nervous.

So Mozilla is able to remote control some (/several/all?) Firefox core settings with some broadcast signals? Or does this only apply to those who have enabled Studies? If so, then it would probably reach only a minority of people, as I seem to recall that Studies is an opt-in feature.

However, we had this major Firefox issue some while ago where add-ons didn’t work any more. Mozilla’s solution was to tell people to enable Studies so they could import a fix. I believe many followed guides on the web on how to enable Studies to get their issue fixed and never looked at it again. It wouldn’t surprise me if this move had increased the Studies coverage from like 0.1% to 25% (these numbers are purely fictional).

The “signal from the network” sounds like the NXDOMAIN reply for [use-application-dns.net].

This is going to be a nightmare.

Thanks, and I have now added it to Unbound so that on an update of Pi-hole there will be no conflict between the config files.

Using Unbound, the line is:

local-zone: "use-application-dns.net" always_nxdomain

I also saw some regex work done by a user on Unbound, also going to use a database as source, doing 15,000 requests a second, which is awesome.

The next Pi-hole is much more advanced than what I saw, and about its speed I have no idea.
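Whichever resolver serves the canary (the Pi-hole dnsmasq drop-in discussed earlier in the thread, or the Unbound `always_nxdomain` line above), the thing worth verifying is the exact condition Mozilla states: A and AAAA lookups of use-application-dns.net must come back with RCODE NXDOMAIN, not a NOERROR reply with no records and not a sinkhole address. The script below is an added example, not Pi-hole or Mozilla code. It builds the two queries by hand, classifies a reply by its header, and can be pointed at a live resolver; `make_response` is a hypothetical helper that fabricates replies so the classifier can be exercised offline, and the addresses in it are constructed sample values.

```python
import socket
import struct
import sys

# Mozilla's canary domain (from the support article quoted above).
CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build a minimal recursive DNS query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Return the header fields the canary check needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0x0F,
            "qdcount": qd, "ancount": an}


def canary_disables_doh(response, expected_id=None):
    """Mozilla's rule: the A/AAAA lookup of the canary must return NXDOMAIN.

    A NOERROR reply with zero records (NODATA) or with a sinkhole address
    does NOT satisfy the rule, so only RCODE 3 on a genuine response counts.
    """
    try:
        h = parse_header(response)
    except ValueError:
        return False
    if h["qr"] != 1:
        return False  # a query, not a response
    if expected_id is not None and h["id"] != expected_id:
        return False  # reply does not belong to the query we sent
    return h["rcode"] == RCODE_NXDOMAIN


def make_response(query, rcode, a_record=None):
    """Hypothetical helper: fabricate a reply to `query` for offline testing.

    Copies the question section back and, if `a_record` is given, appends one
    A record whose name is a compression pointer to the question (offset 12).
    """
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]
    answer, ancount = b"", 0
    if a_record is not None:
        rdata = bytes(int(octet) for octet in a_record.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + rdata
        ancount = 1
    flags = 0x8000 | (flags & 0x0100) | 0x0080 | (rcode & 0x0F)  # QR, RD, RA, RCODE
    return struct.pack("!HHHHHH", txid, flags, qd, ancount, 0, 0) + question + answer


def check_resolver(server, port=53, timeout=2.0):
    """Ask a live resolver for both record types; True means NXDOMAIN was returned."""
    results = {}
    for qtype, label in ((QTYPE_A, "A"), (QTYPE_AAAA, "AAAA")):
        txid = 0x4242 + qtype
        query = build_query(CANARY, qtype, txid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(512)
        results[label] = canary_disables_doh(data, expected_id=txid)
    return results


if __name__ == "__main__":
    # Usage: python canary_check.py 192.168.1.2   (address of the Pi-hole, constructed example)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for rtype, ok in check_resolver(target).items():
        state = "NXDOMAIN, Firefox will disable DoH" if ok else "not NXDOMAIN, DoH stays enabled"
        print(f"{rtype:4} {CANARY}: {state}")
```

Run it against the Pi-hole from a client on the LAN after adding the configuration; both lines should report NXDOMAIN. A resolver that answers with an address such as 0.0.0.0 (the usual blocklist behaviour) shows up as “not NXDOMAIN”, which is exactly why the canary needs its own rule rather than a blocklist entry. As the quoted article notes, a user who has manually turned DoH on is not affected by this signal at all.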