Firefox and DNS-over-HTTPS

2020-02-27 - News - Tony Finch

The latest release of Firefox enables DoH (encrypted DNS-over-HTTPS) by default for users in the USA, with DNS provided by Cloudflare. This has triggered some discussion and questions, so here's a reminder of what we have done with DoH.

Precautionary block

Since September we have blocked the canary domain use-application-dns.net; a resolver that refuses to answer for it tells Firefox not to enable DoH by default. This is not strictly necessary, since Firefox does not plan to enable DoH for users in the EU and UK, but we set up the block when the Firefox policy seemed to be much more gung-ho, and we have left it in place.

We explained the reasons for blocking use-application-dns.net on our DNS blog when the block was set up in September. It's a tricky balance of several desirable but conflicting goals, and the outcome is not so great - see the blog for the gory details.

DoH for crypto nuts

Despite that, we are in favour of encrypted DNS and it has been supported on the University's central resolvers for well over a year.

We have instructions for setting up encrypted DNS lookups with Firefox and various DNS resolvers. As a bonus you can also enable encrypted server name indication (ESNI) to reduce information leaks during TLS connection setup.

The main caveat is that our resolvers are only available for use on the CUDN, so you will not be able to use this setup on highly mobile devices.

Other CUDN DNS servers

If you run your own DNS resolvers, there's no particular need to do anything about Firefox and DoH at this time.

If your resolvers forward queries to our central resolvers, then use-application-dns.net will already be blocked for you. If your server is set up as a stealth secondary, then the sample.named.conf guide includes instructions for subscribing to our DNS RPZ blocks.
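For readers who run their own resolver and want to see what the canary block in the "Precautionary block" section looks like as an RPZ rule, here is an added illustration. It is not the UIS's own configuration (that is what the sample.named.conf guide and the RPZ subscription provide); the zone name `rpz.local`, the file name and the SOA values are placeholders chosen for this example.

```bind
; --- named.conf fragment (example, not the UIS sample.named.conf) ---
options {
    ; Consult the local policy zone before answering clients.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
};

; --- rpz.local.db (example zone file) ---
$TTL 300
@   SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   NS  localhost.

; In RPZ, "CNAME ." rewrites the answer to NXDOMAIN. Firefox treats
; NXDOMAIN for its canary domain as "do not turn DoH on by default".
use-application-dns.net     CNAME .
*.use-application-dns.net   CNAME .
```

After reloading, `dig use-application-dns.net @<your-resolver>` should return status NXDOMAIN. Note that the canary only affects the default: a user who has explicitly turned DoH on in Firefox settings keeps using it regardless of what the local resolver answers, which is why the "DoH for crypto nuts" instructions above still work behind the block.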

Otherwise, it's still OK to leave things as they are, because Firefox is not doing DoH by default for us. (yet?)