From: Bernhard Bitsch
To: development@lists.ipfire.org
Subject: Aw: Should we block DoH by default?
Date: Tue, 03 Mar 2020 13:55:22 +0100
In-Reply-To: <83D08EF2-A2BC-4759-9F69-E42BADBDA3C9@ipfire.org>

Hi,

> Sent: Tuesday, 03 March 2020 at 12:47
> From: "Michael Tremer"
> To: "IPFire: Development-List"
> Subject: Should we block DoH by default?
>
> Hello,
>
> A post on the community portal has raised my attention today:
>
> https://community.ipfire.org/t/firefox-doh-and-ipfire-blocked-dns-ports/1466/3
>
> The author links an article that explains how Firefox decides to enable DoH.
>
> I do not want DoH. I do not like it. Mozilla is doing something really really bad here.
>
> We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
>
> That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
>
> Would anybody be against this?
>

No, on the contrary.
If we build, with much effort, an environment that does DNS securely and with minimal overhead in "spying" (see the excellent blog article by Michael), DoH would be counterproductive.

- Bernhard

> -Michael