Mozilla has announced that it will enable DNS-over-HTTPS (DoH) by default for all US-based users, sending all of their DNS queries to a predefined DoH provider (Cloudflare's 1.1.1.1 service is currently the DoH server of choice). This concerns some network administrators who do not want their users' DNS queries to be rerouted unexpectedly. Fortunately, there is a simple built-in mechanism to disable the DoH-by-default setting: the Mozilla-owned domain use-application-dns.net has to return an NXDOMAIN response code for both A and AAAA queries.
In this article, we'll show you how to accomplish such a feat in a few simple steps, using a BIND 9 feature called Response Policy Zones:
- First, we create a new local zone file called mozilla.rpz.db with a single record that will cause BIND 9 to return NXDOMAIN for any use-application-dns.net query:
```
$TTL 604800
$ORIGIN mozilla.rpz.
@ IN SOA localhost. root.localhost. (1 604800 86400 2419200 604800 )
@ IN NS localhost.
; Relative owner name, so this record is use-application-dns.net.mozilla.rpz;
; a CNAME to "." is the RPZ trigger that rewrites the answer to NXDOMAIN.
use-application-dns.net CNAME .
```
- Then, we add the zone to the BIND configuration (usually named.conf):
```
zone mozilla.rpz {
type master;
file "/<PATH_TO>/mozilla.rpz.db";
allow-query { localhost; };
};
```
- Finally, we enable the Response Policy Zone for all incoming queries that BIND 9 receives by adding the response-policy directive to the options {} section:
```
options {
response-policy { zone mozilla.rpz; } break-dnssec yes;
};
```
- Now we reload the configuration and test whether the Response Policy Zone we have just added is in effect:

```
# rndc reload
# dig IN A use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
# dig IN AAAA use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
```
The response should return NXDOMAIN instead of a list of IP addresses, and the BIND 9 log should contain lines like these:

```
09-Sep-2019 18:50:49.439 client @0x7faf8e004a00 ::1#54175 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
09-Sep-2019 18:50:49.439 client @0x7faf8e007800 127.0.0.1#62915 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
```
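The manual dig checks above are easy to get subtly wrong (for example by reading the A answer and forgetting AAAA), so here is a small verification script, added as an example here rather than taken from the original article. It runs dig for both record types against a resolver address you pass in, extracts the status code from dig's header line, and reports whether the RPZ is in effect; a second helper counts the RPZ rewrite lines in a log excerpt so the check can also be scripted against the BIND 9 log. It assumes the dig utility is installed; the resolver address and the log excerpt are placeholders you supply.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Assumes `dig` (from bind-utils / dnsutils) is on the PATH.

# Extract the status code (NOERROR, NXDOMAIN, SERVFAIL, ...) from the
# ";; ->>HEADER<<- opcode: QUERY, status: XXX, id: NNN" line of dig output.
dig_status() {
    printf '%s\n' "$1" \
        | sed -n 's/.*->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' \
        | head -n 1
}

# Query the canary name for A and AAAA against the given resolver.
# Returns 0 only when both answers are NXDOMAIN, which is what Firefox
# needs to see before it leaves DoH disabled.
check_canary() {
    resolver="$1"
    rc=0
    for rrtype in A AAAA; do
        out=$(dig IN "$rrtype" use-application-dns.net "@$resolver")
        status=$(dig_status "$out")
        if [ "$status" = "NXDOMAIN" ]; then
            echo "ok:   $rrtype use-application-dns.net -> NXDOMAIN"
        else
            echo "FAIL: $rrtype use-application-dns.net -> ${status:-no answer} (RPZ not in effect)"
            rc=1
        fi
    done
    return $rc
}

# Count log lines recording an RPZ NXDOMAIN rewrite of the canary name,
# so a log excerpt can be checked the same way (0 means the RPZ never fired).
rpz_rewrites() {
    printf '%s\n' "$1" \
        | grep -c 'rpz QNAME NXDOMAIN rewrite use-application-dns.net/' || true
}

# Usage: sh check_canary.sh <IP_ADDRESS_OF_YOUR_RESOLVER>
# (only runs when the script is invoked with an argument, so the helpers can
# also be sourced from another script)
if [ "$#" -ge 1 ]; then
    check_canary "$1"
fi
```

Run it as `sh check_canary.sh 127.0.0.1` on the resolver itself (the allow-query above restricts the zone to localhost) and it exits non-zero if either record type still resolves.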
Please note that this is the simplest possible configuration; your specific configuration might differ, especially if you are already using Response Policy Zones or views.