Thank you everyone for this lively discussion.
So I guess just blocking isn’t acceptable for everyone.
What we could do instead is add a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.
That could then activate the following:
* Filter the domain name that Firefox uses to auto-enable DoH (*)
* Reject any client connecting to any other DNS server on the internet
Then, the only way to get DNS is to use the IPFire resolver. How is that?
-Michael
(*) I have absolutely no idea what they were thinking to entirely throw DHCP out of the window and decide that they can configure clients. That is an absolute no go. I think Mozilla opened a very very bad can of worms here and there is no chance to put the lid back on. I find it absolutely ridiculous what we are considering doing, but Mozilla clearly had other priorities. I do get the idea of it, that everyone has access to a free internet, but that is already the case on my network. I have a DNS resolver that does things for me that I want, and they are simply breaking common practice here. And that not even for all users, but only for a random selection. And on top of all of this they partnered up with Cloudflare after self-hosting everything for privacy reasons for years. Absolute bollocks.
On 3 Mar 2020, at 16:06, Bernhard Bitsch Bernhard.Bitsch@gmx.de wrote:
Sent: Tuesday, 03 March 2020 at 16:55 From: "Tapani Tarvainen" ipfire@tapanitarvainen.fi To: development@lists.ipfire.org Subject: Re: Re: Should we block DoH by default?
That is different: again, as sysadmin I may want to enforce such rules inside my net, one way or the other.
Perhaps I should also note that Firefox allows you to choose your own DoH server, you don't have to use Mozilla or Cloudflare or whatever, and at some point it might be good to have DoH server built into IPFire.
To clarify from my side. It's not DoH that brought up the discussion, but the decision of Mozilla to enable it by default "silently".
- Bernhard
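The two bullets in Michael's proposal above (answer the Firefox canary domain so DoH is not auto-enabled, and reject clients that try to reach any other DNS server on the internet) can be expressed concretely. The script below is an added example written for this thread; it is not IPFire project code and nothing about where IPFire hooks custom firewall rules or reloads unbound is taken from the page. The interface names green0/blue0 and the unbound include directory are assumptions; use-application-dns.net is the domain Firefox actually queries before enabling DoH, and an NXDOMAIN answer keeps it on the network's resolver.

```shell
#!/bin/sh
# Added example (not IPFire project code): renders the two pieces that the
# proposed "Enforce using IPFire as DNS resolver" checkbox would switch on.
#
# Assumptions (placeholders unless noted):
#   LAN_IFACES  - LAN-side interface names; green0/blue0 are IPFire's usual names
#   CANARY      - use-application-dns.net is the real domain Firefox resolves
#                 before auto-enabling DoH; NXDOMAIN means "admin opted out"
#   UNBOUND_DIR - directory for an unbound include snippet (assumed path)
# Nothing is applied unless the script is run with the single argument "apply".

CANARY="use-application-dns.net"
LAN_IFACES="${LAN_IFACES:-green0 blue0}"
UNBOUND_DIR="${UNBOUND_DIR:-/etc/unbound/local.d}"

# Piece 1: an unbound snippet that answers NXDOMAIN for the canary domain.
unbound_canary_zone() {
    printf 'server:\n'
    printf '    local-zone: "%s." always_nxdomain\n' "$CANARY"
}

# Piece 2: firewall rules for one LAN interface.
# A LAN client talking to IPFire's own resolver hits the INPUT chain, so
# rejecting port 53 in FORWARD only stops queries bound for a resolver on the
# internet. Port 853 (DNS over TLS) is rejected as well. DoH on 443 cannot be
# told apart from ordinary HTTPS by port alone, which is why piece 1 is needed.
dns_enforcement_rules() {
    iface="$1"
    for proto in udp tcp; do
        printf 'iptables -A FORWARD -i %s -p %s --dport 53 -j REJECT\n' "$iface" "$proto"
    done
    printf 'iptables -A FORWARD -i %s -p tcp --dport 853 -j REJECT\n' "$iface"
}

# Render all firewall rules for every LAN interface (reviewable before applying).
render_rules() {
    for iface in $LAN_IFACES; do
        dns_enforcement_rules "$iface"
    done
}

case "${1:-}" in
    render-unbound) unbound_canary_zone ;;
    render-rules)   render_rules ;;
    apply)
        # Assumed: unbound includes $UNBOUND_DIR/*.conf and unbound-control is set up.
        unbound_canary_zone > "$UNBOUND_DIR/doh-canary.conf"
        render_rules | sh -e
        unbound-control reload
        ;;
esac
```

Run it as `sh enforce-dns.sh render-rules` to review the rules it would load, and with `apply` only once the interface names and unbound paths have been checked against the box; whether these rules go into IPFire's own firewall scripts or a CGI-driven setting is exactly the question the thread leaves open.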