Using Response Policy Zones to disable Mozilla DoH-by-default
- 09 Sep 2019
- 1 Minute to read
-
Contributors
-
Print
-
DarkLight
-
PDF
Using Response Policy Zones to disable Mozilla DoH-by-default
- Updated on 09 Sep 2019
- 1 Minute to read
-
Contributors
-
Print
-
DarkLight
-
PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Mozilla has announced that they will enable DNS-over-HTTPS for all US-based users, sending all their DNS queries to predefined DoH providers (CloudFlare 1.1.1.1 service is currently the DoH server of choice). This concerns some network administrators who don't want to see their users' DNS queries being rerouted unexpectedly. Fortunately, there's a simple built-in mechanism to disable the DoH-by-default setting: the Mozilla-owned domain use-application-dns.net has to return an NXDOMAIN response code for both A and AAAA queries.
In this article, we'll show you how to accomplish such a feat in a few simple steps, using a BIND 9 feature called Response Policy Zones:
- First, we create a new local zone file called
mozilla.rpz.dbwith a single record that will cause BIND 9 to return NXDOMAIN for anyuse-application-dns.netquery:
$TTL 604800
$ORIGIN mozilla.rpz.
@ IN SOA localhost. root.localhost. (1 604800 86400 2419200 604800 )
@ IN NS localhost.
use-application-dns.net CNAME .
- Then, we add the zone into the BIND configuration (usually
named.conf):
zone mozilla.rpz {
type master;
file "/<PATH_TO>/mozilla.rpz.db";
allow-query { localhost; };
};
- Finally, we enable usage of the Response Policy Zone for all incoming queries that BIND 9 receives by adding the
response-policydirective into theoptions {}section:
options {
response-policy { zone mozilla.rpz; } break-dnssec yes;
};
- Then we reload the configuration and test whether the Response Policy Zone we have just added is in effect:
# rndc reload
# dig IN A use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
# dig IN AAAA use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
The response should return NXDOMAIN instead of the list of IP addresses and the BIND 9 log should contain lines like this:
09-Sep-2019 18:50:49.439 client @0x7faf8e004a00 ::1#54175 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
09-Sep-2019 18:50:49.439 client @0x7faf8e007800 127.0.0.1#62915 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
Please note that this is the simplest possible configuration and your specific configuration might be different, especially if you are already using Response Policy Zones or you use views.