From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: Should we block DoH by default?
Date: Tue, 03 Mar 2020 18:32:00 +0000
Message-ID: <1d0ca483-76bf-9588-a836-4344e5c14342@ipfire.org>
In-Reply-To: <596BD1FF-1BCB-4184-A92C-86F19E6104FD@ipfire.org>

Hello Michael,

thanks for your reply.

I like your suggestion, and see something like "reject any client connecting to any other DNS server on the internet" as similar to blocking outbound connections to port 25 in order to prevent spamming. In both cases and for most SOHO networks, there is little legitimate reason to do so.

Regarding external DNS servers, IoT and similar things come to my mind, which have their resolvers hard-coded in the firmware.

What do we do about any other DoH server on the internet? I guess filtering these is hopeless, as censorship circumvention is one of its design goals, but at least a user has to configure one of these him- or herself.

We have a couple of switches on the firewall options CGI already, so I expect users to be confused where to find switches for DNS and for firewall stuff, as this matter is something in between.

Thanks, and best regards,
Peter Müller

> Thank you everyone for this lively discussion.
>
> So I guess just blocking isn't acceptable for everyone.
>
> What we could do instead is to add a checkbox to the new DNS settings section and call it "Enforce using IPFire as DNS resolver".
>
> That could then activate the following:
>
> * Filter the domain name that Firefox uses to auto-enable DoH (*)
>
> * Reject any client connecting to any other DNS server on the internet
>
> Then, the only way to get DNS is to use the IPFire resolver.
>
> How is that?
>
> -Michael
>
> (*) I have absolutely no idea what they were thinking to entirely throw DHCP out of the window and decide that they can configure clients. That is an absolute no go. I think Mozilla opened a very very bad can of worms here and there is no chance to put the lid back on. I find this absolutely ridiculous what we are considering doing, but Mozilla clearly had other priorities. I do get the idea of it, that everyone has access to a free internet, but that is already the case on my network. I have a DNS resolver that does things for me that I want, and they are simply breaking common practise here. And that not even for all users, but only for a random selection. And on top of all of this they partnered up with Cloudflare after self-hosting everything for privacy reasons for years. Absolute bollocks.
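The two actions Michael lists for an "Enforce using IPFire as DNS resolver" switch, worked through as an added example. This is illustrative code written for this thread, not IPFire's firewall scripts or web UI: the LAN range, the firewall address, the class and function names and the generated rule strings are constructed assumptions. It also covers Peter's point about IoT devices with hard-coded resolvers by offering a redirect mode (DNAT to the IPFire resolver) beside the reject mode Michael proposed. The canary domain Firefox queries before auto-enabling DoH, `use-application-dns.net`, is real; answering it with NXDOMAIN is how the first list item is implemented in unbound.

```python
"""Policy engine for an "Enforce using IPFire as DNS resolver" switch.

Added example for the ipfire-development thread; not IPFire's own code.
Network ranges and rule layouts below are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress

# Real canary domain: Firefox keeps DoH off if the local resolver answers
# it with NXDOMAIN, which is what the unbound fragment below does.
FIREFOX_DOH_CANARY = "use-application-dns.net"

# Destinations that are recognisable as "a DNS server on the internet" by
# port alone: plain DNS (53) and DNS-over-TLS (853). DoH rides on 443 and
# cannot be told apart from HTTPS by port, which is why the thread treats
# filtering arbitrary DoH servers as hopeless.
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


class DnsEnforcementPolicy:
    """Decide what the firewall does with a DNS-looking flow.

    mode="reject":   clients may only talk to the IPFire resolver (Michael).
    mode="redirect": devices with a hard-coded resolver are DNATed to the
                     IPFire resolver instead of failing (Peter's IoT case).
    """

    def __init__(self, lan_networks, firewall_addrs, enforce=True, mode="reject"):
        if mode not in ("reject", "redirect"):
            raise ValueError("mode must be 'reject' or 'redirect'")
        self.lan = [ipaddress.ip_network(n) for n in lan_networks]
        self.firewall = {ipaddress.ip_address(a) for a in firewall_addrs}
        self.enforce = enforce
        self.mode = mode

    def _is_lan(self, addr):
        return any(addr in net for net in self.lan)

    def decide(self, flow):
        """Return "PASS" (not a DNS flow, or switch off), "ACCEPT", "REJECT" or "REDIRECT"."""
        if not self.enforce or (flow.proto, flow.dport) not in DNS_PORTS:
            return "PASS"
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        # The firewall's own resolver must still reach its upstreams.
        if src in self.firewall:
            return "ACCEPT"
        # Clients reaching the IPFire resolver or another host inside the LAN are fine.
        if dst in self.firewall or self._is_lan(dst):
            return "ACCEPT"
        # LAN client -> DNS server on the internet: the case the switch exists for.
        if self._is_lan(src):
            return "REJECT" if self.mode == "reject" else "REDIRECT"
        return "PASS"  # not from our LAN; leave it to the other rules

    def iptables_rules(self):
        """iptables command lines mirroring decide() (assumed layout, not IPFire's scripts)."""
        fw = sorted(str(a) for a in self.firewall)[0]
        if self.mode == "redirect":
            chain, action = "-t nat -A PREROUTING", f"DNAT --to-destination {fw}"
        else:
            chain, action = "-A FORWARD", "REJECT"
        rules = []
        for proto, port in sorted(DNS_PORTS):
            match = f"-p {proto} --dport {port}"
            for src in self.lan:
                # DNS that stays inside the LAN, or goes to the firewall, is allowed first ...
                for dst in [str(n) for n in self.lan] + sorted(str(a) for a in self.firewall):
                    rules.append(f"iptables {chain} -s {src} -d {dst} {match} -j ACCEPT")
                # ... everything else from that LAN is rejected or redirected.
                rules.append(f"iptables {chain} -s {src} {match} -j {action}")
        return rules

    def unbound_canary_config(self):
        """unbound.conf fragment answering the Firefox canary with NXDOMAIN."""
        return f'server:\n    local-zone: "{FIREFOX_DOH_CANARY}" always_nxdomain\n'


if __name__ == "__main__":
    policy = DnsEnforcementPolicy(["192.168.1.0/24"], ["192.168.1.1"])
    for line in policy.iptables_rules():
        print(line)
    print(policy.unbound_canary_config())
```

Note what the policy deliberately leaves alone: port 443 returns "PASS", so a user who hand-configures a DoH server is not stopped, matching Peter's observation that only the Firefox auto-enable path (the canary) can be filtered. The redirect mode is the better fit for devices with firmware-fixed resolvers, since rejecting their queries just leaves them without DNS.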