I’ve set up DHCP to distribute IPFire’s IP address as the DNS server. Additionally, I’ve set up a custom firewall rule (not in the GUI) to redirect all DNS requests to port 53 and 853 directly to IPFire. Basically this prevents DNS spoofing, at least it should, and should force IPFire as the primary and only DNS server. Tests with Windows clients showed that this works as expected - so far.
Now, when Firefox turns on DoH, do you expect my setup will still work? I guess so, but I’m not sure at all. What do you think?
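The redirect described in the first post, written out as an added example (this is not code from the thread or from IPFire itself). It builds the NAT rules that send every plain-DNS (53) and DNS-over-TLS (853) request from the LAN to the firewall's own resolver. The chain name CUSTOMPREROUTING, the interface green0 and the address 192.168.1.1 are assumptions for illustration; IPFire's own custom-rule hook and your addressing may differ. With DRY_RUN=1 (the default) the rules are printed instead of applied.

```shell
#!/bin/sh
# Added example, not part of the forum thread: generate iptables DNAT rules that
# force LAN clients to use the firewall's resolver on ports 53 and 853.
# Assumptions: chain CUSTOMPREROUTING (nat table), LAN interface green0,
# firewall address 192.168.1.1. Override via environment variables.

IPFIRE_IP="${IPFIRE_IP:-192.168.1.1}"
LAN_IF="${LAN_IF:-green0}"
DRY_RUN="${DRY_RUN:-1}"

# Emit one DNAT rule per protocol/port combination.
# Traffic already addressed to the firewall is left alone (! -d); everything
# else on the DNS ports is rewritten to the local resolver.
dns_redirect_rules() {
    ipfire_ip="$1"
    lan_if="$2"
    for proto in udp tcp; do
        for port in 53 853; do
            echo "iptables -t nat -A CUSTOMPREROUTING -i $lan_if -p $proto --dport $port ! -d $ipfire_ip -j DNAT --to-destination $ipfire_ip:$port"
        done
    done
}

# Print the rules (dry run) or pipe them to a shell to apply them.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        dns_redirect_rules "$IPFIRE_IP" "$LAN_IF"
    else
        dns_redirect_rules "$IPFIRE_IP" "$LAN_IF" | sh -e
    fi
}

apply_rules
```

One caveat worth checking in your own setup: redirecting port 853 only helps if something on the firewall actually answers DNS-over-TLS there; if nothing listens, redirected DoT connections simply fail, which still prevents bypass but does not give those clients a working resolver. Firefox's DoH is not caught by these rules at all, since it travels over port 443.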
I suppose that you will have to find out which servers Firefox contacts and block those IP addresses. You will simply see traffic on port 443. It is standard HTTPS. Blocking it will be hard.
Firefox here has the following configured under ‘network.trr.resolvers’: [{ "name": "Cloudflare", "url": "https://mozilla.cloudflare-dns.com/dns-query" },{ "name": "NextDNS", "url": "https://trr.dns.nextdns.io/" }]
To disable DoH, you can set the value ‘5’ for ‘network.trr.mode’.
Another thing in FF which left me speechless was an activated ‘WebRTC’ after an update, which spreads the local IP throughout the internet (I should better read every changelog) --> https://forum.ipfire.org/viewtopic.php?f=27&t=23416
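Since DoH arrives on port 443 as ordinary HTTPS, the practical handle a firewall or proxy has is the server name in the TLS handshake. The following is an added example (not code from the thread or from IPFire) that scans a connection log carrying the TLS SNI and reports which LAN clients talked to the two resolver hostnames listed in the network.trr.resolvers value above. The log format, the client addresses and the server addresses (documentation ranges) are constructed for the example; a real deployment would feed it the SNI field of its own proxy or IDS log.

```shell
#!/bin/sh
# Added example, not part of the forum thread: detect LAN clients that connect
# to known DoH resolvers, using the TLS SNI recorded by a proxy/IDS log.
# The hostnames below are the two from the Firefox network.trr.resolvers
# setting quoted in the thread; add your own as needed.
DOH_HOSTS="mozilla.cloudflare-dns.com trr.dns.nextdns.io"

# Constructed sample log. Fields: timestamp, client IP, server IP:port, SNI.
# Server addresses are from the documentation ranges, not real resolver IPs.
SAMPLE_LOG='2019-09-10T08:01:02 192.168.1.23 203.0.113.10:443 mozilla.cloudflare-dns.com
2019-09-10T08:01:05 192.168.1.23 198.51.100.7:443 www.example.com
2019-09-10T08:02:11 192.168.1.42 203.0.113.20:443 trr.dns.nextdns.io
2019-09-10T08:02:30 192.168.1.42 198.51.100.7:443 www.example.com
2019-09-10T08:03:00 192.168.1.23 203.0.113.10:443 mozilla.cloudflare-dns.com'

# Reads log lines on stdin, prints "client -> resolver" for every DoH hit.
find_doh_connections() {
    awk -v hosts="$DOH_HOSTS" '
        BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) doh[h[i]] = 1 }
        ($4 in doh) { print $2 " -> " $4 }
    '
}

# Same input, but one line per distinct client so an admin can see who to
# follow up with (e.g. to set network.trr.mode as discussed in the thread).
find_doh_clients() {
    find_doh_connections | awk '{ print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | find_doh_connections
```

Hostname matching on SNI is a detection aid, not a complete block: a client can reach a DoH endpoint by an IP-only URL or a resolver not on the list, which is why the thread's suggestion of a non-transparent proxy that does the resolving itself is the more robust control.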
Well, I think we should consider that IPFire always blocks this, because clearly people who run IPFire probably want to use the resolver inside it and not DoH.
@bbitsch,
Guess you are talking about Firefox bypassing the DNS, right? If so, fully acknowledged!
The admin should have control over what happens in their LAN, not any 3rd-party software.
Unfortunately, I can only manually set up FF to not use this new “feature” by setting “network.trr.mode” to value=5, as Erik already suggested. There is no GPO (Group Policy) right now to configure each FF installation remotely.
The best way is to force the user to use a proxy (not transparent). In this case the proxy does the DNS resolution and not Firefox.
I think this is the reason why corporate networks don’t really care about this yet.