Using Response Policy Zones to disable Mozilla DoH-by-default

  • Updated on Sep 9, 2019
  • Published on Sep 9, 2019
  • 1 minute(s) read
  • Ondrej Sury

Mozilla has announced that they will enable DNS-over-HTTPS for all US-based users, sending all their DNS queries to predefined DoH providers (CloudFlare 1.1.1.1 service is currently the DoH server of choice). This concerns some network administrators who don't want to see their users' DNS queries being rerouted unexpectedly. Fortunately, there's a simple built-in mechanism to disable the DoH-by-default setting: the Mozilla-owned domain use-application-dns.net has to return an NXDOMAIN response code for both A and AAAA queries.

In this article, we'll show you how to accomplish such a feat in a few simple steps, using a BIND 9 feature called Response Policy Zones:

  1. First, we create a new local zone file called mozilla.rpz.db with a single record that will cause BIND 9 to return NXDOMAIN for any use-application-dns.net query:
$TTL	604800
$ORIGIN	mozilla.rpz.
@	IN	SOA	localhost. root.localhost. (1 604800 86400 2419200 604800 )
@	IN	NS	localhost.
use-application-dns.net CNAME .
  1. Then, we add the zone into the BIND configuration (usually named.conf):
zone mozilla.rpz {
    type master;
    file "/<PATH_TO>/mozilla.rpz.db";
    allow-query { localhost; };
};
  1. Finally, we enable usage of the Response Policy Zone for all incoming queries that BIND 9 receives by adding the response-policy directive into the options {} section:
options {
	response-policy { zone mozilla.rpz; } break-dnssec yes;
};
  1. Then we reload the configuration and test whether the Response Policy Zone we have just added is in effect:
# rndc reload
# dig IN A use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
# dig IN AAAA use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>

The response should return NXDOMAIN instead of the list of IP addresses and the BIND 9 log should contain lines like this:

09-Sep-2019 18:50:49.439 client @0x7faf8e004a00 ::1#54175 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
09-Sep-2019 18:50:49.439 client @0x7faf8e007800 127.0.0.1#62915 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz

Please note that this is the simplest possible configuration and your specific configuration might be different, especially if you are already using Response Policy Zones or you use views.