[debops.dnsmasq] Disable DNS-over-HTTPS support

drybjed committed Sep 28, 2019
1 parent 92929d4 commit d8b16ced054b30ced283947370ba3c83558fd3cf
Showing with 20 additions and 0 deletions.
  1. +9 −0 CHANGELOG.rst
  2. +11 −0 ansible/roles/debops.dnsmasq/defaults/main.yml
@@ -57,6 +57,15 @@ LDAP

.. __: https://github.com/vmware/open-vm-tools
:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- The role will tell the client applications to `disable DNS-over-HTTPS
support`__ using the ``use-application-dns.net`` DNS record. This should
allow connections to internal sites and preserve the split-DNS functionality.

.. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

@@ -312,6 +312,17 @@ dnsmasq__default_configuration:
local = /intranet/internal/private/corp/home/lan/
state: 'present'

- name: 'block-dns-over-https'
comment: |
Blocking the 'use-application-dns.net' domain instructs the applications
that support DNS over HTTPS to not use it and rely on the system resolver
instead. This might be required for certain applications to support
access to internal services, resolve split-DNS correctly, etc.
Ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
raw: |
server = /use-application-dns.net/
state: 'present'

- name: 'dns-global.conf'
options:
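
Review bot: In the 'raw' value of the new 'block-dns-over-https' entry, "server = /use-application-dns.net/" depends on the reader knowing that a dnsmasq server line with a domain and no upstream address means queries for that domain are never forwarded; the comment says "Blocking" without explaining how the line achieves it. The entry directly above already uses the 'local' option with a domain list for that same purpose, so "local = /use-application-dns.net/" would be consistent with it and easier to read. The comment could also state that this is a signal acted on by applications that check this record, not a block on DNS-over-HTTPS traffic itself, so that the entry name 'block-dns-over-https' is not read as an enforcement control.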
