Disabling DNS-over-HTTPS (DoH) in Firefox network wide
Without the Domain Name System (DNS) the internet would not be what it is today. DNS maps a numeric IP address to a memorable name. For example, without a protocol for mapping the address to a name, you would need to remember 161.170.230.170 instead of Walmart.com.
DNS was designed and implemented at a time when privacy and security were not high priorities. For the most part the original DNS specification is still in use today. Your computer asks another computer where Walmart.com can be found, and the two computers talk to each other in a protocol that anyone on the path can eavesdrop on. There are several problems with this in today's society. Your Internet Service Provider (ISP) can watch what sites you visit and sell that information to third parties. If you are at Starbucks, others on the same network can collect information about you that could be used against you or help them phish you.
The future of DNS
A few companies have been working on the privacy issues that come with the traditional DNS system. A few systems have been designed, but DNS over HTTPS is, as of right now, the winning one. Chrome and Firefox both implement it, along with Android systems.
Why disable DoH?
There are a few valid arguments for blocking DoH that should be considered:
- You administer a business network whose DNS gives different answers depending on whether you are on the local network or at Starbucks.
- You use parental controls or malware-protection software that does not work when DoH is in use.
- You like your ISP selling information about you.
Why Just Firefox?
Firefox will default to DoH in all instances and ignore your system DNS settings. Chrome will only use DoH if your system DNS settings point to a DNS server that supports DoH. In a business environment your DNS will most likely point to a domain controller. I will update this post to describe how to disable it in Chrome.
Canary Domain
In order to disable DoH in Firefox you need to configure your DNS server so that it does not answer the query for use-application-dns.net. If the domain returns no A or AAAA record, or the server returns NXDOMAIN, Firefox treats that as a signal that DoH is not wanted on this network and does not use it.
There are several ways to do this. On a Windows server you can create a Forward Lookup Zone for use-application-dns.net that contains no A or AAAA records.
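As an added example that is not part of the original post, the decision Firefox makes from the canary answer can be reproduced in Python: parse a DNS response and report whether it would leave DoH on or off. The three responses are constructed inline (no live query is sent), and the address 192.0.2.1 is a documentation-range placeholder.

```python
"""Classify a DNS response for Firefox's canary domain use-application-dns.net."""
import struct

CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a name, handling 0xC0xx compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, terminates the name
            return off + 2
        if length == 0:             # root label
            return off + 1
        off += 1 + length


def classify_canary_response(msg):
    """'doh-disabled' if NXDOMAIN or no A/AAAA answers, else 'doh-enabled'."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x000F == RCODE_NXDOMAIN:
        return "doh-disabled"       # canary domain does not exist on this resolver
    off = 12
    for _ in range(qdcount):        # skip question section: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    address_records = 0
    for _ in range(ancount):        # walk answers: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in (TYPE_A, TYPE_AAAA):
            address_records += 1
    return "doh-enabled" if address_records else "doh-disabled"


def build_response(rcode, answers):
    """Constructed sample response (not a real capture): QR/RD/RA set, one question."""
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = encode_name(CANARY) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for rtype, rdata in answers:    # 0xC00C points back at the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


NXDOMAIN_REPLY = build_response(RCODE_NXDOMAIN, [])                        # resolver blocks the name
EMPTY_REPLY = build_response(RCODE_NOERROR, [])                            # empty zone, as configured above
NORMAL_REPLY = build_response(RCODE_NOERROR, [(TYPE_A, bytes([192, 0, 2, 1]))])  # untouched resolver
```

Pointing the same parser at a real reply (for example, the bytes returned by a UDP query to your domain controller) is a quick way to confirm the empty zone behaves as intended before rolling it out.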