From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Should we block DoH by default?
Date: Tue, 03 Mar 2020 18:32:00 +0000
Message-ID: <1d0ca483-76bf-9588-a836-4344e5c14342@ipfire.org>
In-Reply-To: <596BD1FF-1BCB-4184-A92C-86F19E6104FD@ipfire.org>
Hello Michael,

thanks for your reply.

I like your suggestion, and see something like "reject any client
connecting to any other DNS server on the internet" similar to blocking
outbound connections to port 25 in order to prevent spamming.

In both cases and for most SOHO networks, there is little legitimate
reason to do so. Regarding external DNS servers, IoT and similar things
come to my mind, which have their resolvers hard-coded in the firmware.

What do we do about any other DoH server on the internet? I guess filtering
these is hopeless, as censorship circumvention is one of its design goals,
but at least a user has to configure one of these him- or herself.

We have a couple of switches on the firewall options CGI already, so
I expect users to be confused where to find switches for DNS and for
firewall stuff, as this matter is something in between.

Thanks, and best regards,
Peter Müller
> Thank you everyone for this lively discussion.
>
> So I guess just blocking isn’t acceptable for everyone.
>
> What we could do instead is adding a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.
>
> That could then activate the following:
>
> * Filter the domain name that Firefox uses to auto-enable DoH (*)
>
> * Reject any client connecting to any other DNS server on the internet
>
> Then, the only way to get DNS is to use the IPFire resolver. How is that?
>
> -Michael
>
> (*) I have absolutely no idea what they were thinking to entirely throw DHCP out of the window and decide that they can configure clients. That is an absolute no go. I think Mozilla opened a very very bad can of worms here and there is no chance to put the lid back on. I find this absolutely ridiculous what we are considering doing, but Mozilla clearly had other priorities. I do get the idea of it, that everyone has access to a free internet, but that is already the case on my network. I have a DNS resolver that does things for me that I want, and they are simply breaking common practise here. And that not even for all users, but only for a random selection. And on top of all of this they partnered up with Cloudflare after self-hosting everything for privacy reasons for years. Absolute bollocks.
>
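The two steps Michael lists above (answer the Firefox DoH canary domain negatively, and reject LAN clients talking to any other DNS server), sketched as an added example by the editor; this is not IPFire code and not how the proposed checkbox was implemented. It assumes a Linux firewall running unbound, an iptables FORWARD chain, and uses a constructed LAN interface name, network and address; the canary domain `use-application-dns.net` is the one Mozilla publishes. A LOG rule ahead of each REJECT is included so that devices with hard-coded resolvers, the IoT case Peter mentions, show up in the logs rather than failing silently.

```shell
#!/bin/sh
# Added example, not IPFire's own code. Shows what "Enforce using IPFire as
# DNS resolver" could translate to on a Linux firewall that runs unbound.
# LAN_IF, LAN_NET and FW_IP are constructed assumptions, adjust to taste.
# With DRY_RUN=1 (the default) the iptables commands are printed, not run.

DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-green0}"            # assumed LAN-side interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN network (constructed)
FW_IP="${FW_IP:-192.168.1.1}"         # assumed firewall address on the LAN
CANARY="use-application-dns.net"      # Mozilla's DoH canary domain

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: make the local resolver answer NXDOMAIN for the canary domain.
# Firefox treats that as "this network does not want DoH" and does not
# auto-enable it. Output is an unbound server: fragment to drop into a
# conf.d file (path is installation specific, so none is assumed here).
canary_unbound_config() {
    printf 'server:\n    local-zone: "%s" always_nxdomain\n' "$CANARY"
}

# Step 2: LAN clients may only use the firewall itself for DNS. Traffic to
# the firewall's own address goes through INPUT, so anything on port 53 or
# 853 (DNS over TLS) still in FORWARD is headed for an external resolver.
# Log (rate limited) before rejecting so hard-coded resolvers are visible.
dns_enforce_rules() {
    for port in 53 853; do
        for proto in udp tcp; do
            run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p "$proto" \
                --dport "$port" -m limit --limit 10/min \
                -j LOG --log-prefix "DNS-ENFORCE "
            run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p "$proto" \
                --dport "$port" -j REJECT
        done
    done
}

# Usage: sh enforce-dns.sh            (prints the rules and unbound snippet)
#        DRY_RUN=0 sh enforce-dns.sh  (applies the rules, as root)
canary_unbound_config
dns_enforce_rules
```

DoH on port 443 is deliberately not touched: as Peter notes, it is indistinguishable from ordinary HTTPS at this layer, and the canary answer only covers browsers that honour it. Clients that still need an external resolver (a VPN endpoint, a guest network) would need an explicit accept rule placed before these.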