Provide service to disable Firefox DNS over HTTPS which threatens all DNS Filter users
launched
System
Firefox is planning to enable DNS over HTTPS soon. This will prevent services like DNS Filter from working, as well as affecting corporate split-DNS environments. (https://support.mozilla.org/en-US/kb/firefox-dns-over-https)
Mozilla provides a way to disable this feature using a DNS query; however, it is so convoluted to implement that it's effectively not possible without major changes to internal DNS servers.
It is not possible to implement on older (but still supported) Windows DNS servers. (https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https)
My suggestion is for DNS Filter to provide a service that allows customers to forward requests to the use-application-dns.net domain to receive the NXDOMAIN result, which would make it easy to apply this setting on any network.
Mikey @DNSFilter
launched
Firefox DoH fix is implemented.
Net Results
Ouch. Is my reading of this correct? The user preference for 'always use DoH' will be honored even if the convoluted canary is implemented? So the user gets to choose to bypass internal network DNS filtering and potentially leak/break internal split DNS? It's like Mozilla wants their product blocked on enterprise installs.
System
Net Results: You are correct in your reading of this. I believe you can override the user preference if you have Group Policies set up to control Firefox.
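A resolver-side check for the canary behaviour requested in the original post, as an added example that is not part of the thread or DNSFilter's code: it asks a resolver for `use-application-dns.net` and reports whether the answer is NXDOMAIN. Querying both A and AAAA records and all function names are assumptions of this example, and the reply builder produces constructed sample data for offline checks.

```python
import secrets
import socket
import struct

CANARY = "use-application-dns.net"  # canary domain named in the post
NXDOMAIN = 3                         # DNS RCODE 3 (RFC 1035)
QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(name, qtype, txid):
    """Encode a one-question recursive DNS query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_rcode(response, txid):
    """Return the RCODE of a reply; reject short, mismatched or non-reply packets."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F

def canary_signals_nxdomain(rcodes):
    """True only if every canary lookup (A and AAAA) came back NXDOMAIN."""
    return bool(rcodes) and all(rc == NXDOMAIN for rc in rcodes)

def check_resolver(server, timeout=3.0):
    """Query `server` over UDP/53 for the canary's A and AAAA records."""
    rcodes = []
    for qtype in (QTYPE_A, QTYPE_AAAA):
        txid = secrets.randbits(16)  # unpredictable id so stray replies are rejected
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(CANARY, qtype, txid), (server, 53))
            data, _ = s.recvfrom(512)
        rcodes.append(parse_rcode(data, txid))
    return canary_signals_nxdomain(rcodes)

def constructed_reply(txid, rcode):
    """Constructed sample: a reply echoing the A question with the given RCODE."""
    query = build_query(CANARY, QTYPE_A, txid)
    return struct.pack("!HH", txid, 0x8180 | rcode) + query[4:]
```

Run `check_resolver()` with the address of the internal resolver or forwarder; a `False` result means the canary is resolving normally on that path.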