From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bernhard Bitsch <Bernhard.Bitsch@gmx.de>
To: development@lists.ipfire.org
Subject: Aw: Should we block DoH by default?
Date: Tue, 03 Mar 2020 13:55:22 +0100
Message-ID:
 <trinity-c376d19e-d1d8-43c8-9f5b-be9ea9dce4fb-1583240122792@3c-app-gmx-bap45>
In-Reply-To: <83D08EF2-A2BC-4759-9F69-E42BADBDA3C9@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1814679011696658689=="
List-Id: <development.lists.ipfire.org>

--===============1814679011696658689==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

> Gesendet: Dienstag, 03. M=C3=A4rz 2020 um 12:47 Uhr
> Von: "Michael Tremer" <michael.tremer(a)ipfire.org>
> An: "IPFire: Development-List" <development(a)lists.ipfire.org>
> Betreff: Should we block DoH by default?
>
> Hello,
>=20
> A post on the community portal has raised my attention today:
>=20
>   https://community.ipfire.org/t/firefox-doh-and-ipfire-blocked-dns-ports/1=
466/3
>=20
> The author links an article that explains how Firefox decides to enable DoH.
>=20
> I do not want DoH. I do not like it. Mozilla is doing something really real=
ly bad here.
>=20
> We could consider always blocking this domain and always return NXDOMAIN or=
 something else that falls into the =E2=80=9Cnegative=E2=80=9D category.
>=20
> That way we can guarantee (at least for now) that Firefox users will still =
use the IPFire resolver.
>=20
> Would anybody be against this?
>=20

No, on the contrary.
If we build with much effort an evironment, that does DNS secoure and with mi=
nimal overhead in "spying" ( see the excellent blog article by Michael ), DoH=
 would be contraproductive.

- Bernhard

> -Michael

--===============1814679011696658689==--