Merge pull request #870 from majestrate/disable-doh-using-isp-backdoo…

…r-provided-by-mozilla-thanks-from-nsa disable DoH
oxen-io · Nov 1, 2019 · 9ace1b2 · 9ace1b2
2 parents 30fa45f + bd07845
commit 9ace1b2
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/llarp/dns/server.cpp b/llarp/dns/server.cpp
@@ -179,6 +179,25 @@ namespace llarp
         llarp::LogWarn("failed to parse dns message from ", from);
         return;
       }
+
+      // we don't provide a DoH resolver because it requires verified TLS
+      // TLS needs X509/ASN.1-DER and opting into the Root CA Cabal
+      // thankfully mozilla added a backdoor that allows ISPs to turn it off
+      // so we disable DoH for firefox using mozilla's ISP backdoor
+      // see: https://github.com/loki-project/loki-network/issues/832
+      for(const auto& q : msg.questions)
+      {
+        // is this firefox looking for their backdoor record?
+        if(q.IsName("use-application-dns.net"))
+        {
+          // yea it is, let's turn off DoH because god is dead.
+          msg.AddNXReply();
+          // press F to pay respects
+          SendServerMessageTo(from, std::move(msg));
+          return;
+        }
+      }
+
       auto self = shared_from_this();
       if(m_QueryHandler && m_QueryHandler->ShouldHookDNSMessage(msg))
       {