
Prevent Firefox from automatically switching over to DNS-over-HTTPS #2915

Merged: 1 commit merged into development from new/disable-firefox-doh, Sep 7, 2019

Conversation

@DL6ER
Member

commented Sep 7, 2019

By submitting this pull request, I confirm the following:
please fill any appropriate checkboxes, e.g: [X]

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes, and have included unit tests where possible.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)

Please make sure you Sign Off all commits. Pi-hole enforces the DCO.


What does this PR aim to accomplish?:

Prevent Firefox from using DNS-over-HTTPS (DoH) as this would corrupt our efforts to block ads.

How does this PR accomplish the above?:

We follow the official Mozilla Support platform:

Network administrators may configure their networks as follows to signal that their local DNS resolver implemented special features that make the network unsuitable for DoH:

DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver.

As we implement such a "special feature", we implement this.

What documentation changes (if any) are needed to support this PR?:

Probably not necessary.

Signal to Firefox that the local network is unsuitable for DNS-over-HTTPS

Signed-off-by: DL6ER <dl6er@dl6er.de>
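An added check for the mechanism the PR description quotes (example code, not Pi-hole's own): it builds the A/AAAA query for the use-application-dns.net canary with the Python standard library and classifies the resolver's reply by RCODE, so an administrator can confirm the resolver really answers NXDOMAIN. The resolver address 192.0.2.53 is a placeholder.

```python
"""Check a resolver's answer for Mozilla's DoH canary, use-application-dns.net.
Added example, not Pi-hole's own code; standard library only. Per the Mozilla
text quoted above, an NXDOMAIN (RCODE 3) reply is the 'do not use DoH' signal."""
import socket
import struct

CANARY = "use-application-dns.net"
NXDOMAIN = 3        # DNS RCODE for "no such name"
QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a minimal recursive DNS query for `name` (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_reply(data: bytes, txid: int = 0x1234) -> str:
    """Return 'nxdomain', 'answered' or 'other' for a raw DNS reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:       # wrong ID or QR bit not set
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "nxdomain"                        # Firefox keeps the local resolver
    if rcode == 0 and ancount > 0:
        return "answered"                        # canary resolved: DoH may be enabled
    return "other"                               # SERVFAIL, REFUSED, empty NOERROR, ...


def query_resolver(server: str, qtype: int = QTYPE_A, timeout: float = 2.0) -> bytes:
    """Send the canary query over UDP to `server` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY, qtype), (server, 53))
        return sock.recv(512)


if __name__ == "__main__":
    resolver = "192.0.2.53"  # placeholder: put your Pi-hole's address here
    for qtype, label in ((QTYPE_A, "A"), (QTYPE_AAAA, "AAAA")):
        print(label, classify_reply(query_resolver(resolver, qtype)))
```

Both record types matter because the Mozilla text requires NXDOMAIN for A and AAAA alike.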

@DL6ER DL6ER added this to the v5.0 milestone Sep 7, 2019

@DL6ER DL6ER requested a review from pi-hole/core-approvers Sep 7, 2019

@DL6ER DL6ER changed the base branch from master to development Sep 7, 2019

@DL6ER DL6ER changed the title New/disable firefox doh Prevent Firefox from automatically switching over to DNS-over-HTTPS Sep 7, 2019

@pralor

commented Sep 7, 2019

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/support-for-returning-nxdomain-for-use-application-dns-net-to-disable-firefox-doh/23243/7

@josteink

commented Sep 7, 2019

This sounds like a no-brainer. As a pi-hole user I’d love to have this working out of the box without a need to manually configure anything.

@DL6ER

Member Author

commented Sep 7, 2019

@josteink Yes, this pull request implements it as an always-on feature. No need to flip any switch for it.

@DL6ER DL6ER merged commit b4131ae into development Sep 7, 2019

5 checks passed

  • CodeFactor: No issues found.
  • DCO: DCO
  • continuous-integration/travis-ci/pr: The Travis CI build passed
  • continuous-integration/travis-ci/push: The Travis CI build passed
  • stickler-ci: No lint errors found

@DL6ER DL6ER deleted the new/disable-firefox-doh branch Sep 7, 2019

# Signal to Firefox that the local network is unsuitable for DNS-over-HTTPS
# This follows https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
# (sourced 7th September 2019)
server=/use-application-dns.net/
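Review bot: the comment block should say why this line works, because `server=/use-application-dns.net/` names no upstream address: dnsmasq treats a `server=/domain/` entry with an empty address as "resolve this domain locally only", so a name that exists nowhere locally is answered NXDOMAIN, which is exactly the signal the PR description quotes from Mozilla. A one-line note such as `# No upstream address: dnsmasq answers the domain locally, i.e. NXDOMAIN` would save the next reader a trip to the dnsmasq manual. Also confirm that this line lives somewhere the configuration regeneration step leaves alone; if that step removes all `server` settings, the rule silently disappears on the next reconfigure.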

@Mcat12

Member

commented Sep 7, 2019

This will be deleted whenever the configuration is re-processed:

delete_dnsmasq_setting "server"

@DL6ER DL6ER referenced this pull request Sep 7, 2019
8 of 8 tasks complete
Mcat12 added a commit that referenced this pull request Sep 7, 2019
@t0m5k1

commented Sep 10, 2019

How about Pi-hole integrating stunnel to provide a way for users/admins to query pihole via DoH?
If you don't want to use stunnel you could move from lighttpd to nginx and then use the streams feature to provide DoH access to pihole.

This way users can just add an address to Firefox and have Firefox query pihole directly rather than implementing workarounds to mitigate DoH/DoT.

@dschaper

Member

commented Sep 10, 2019

If you want to set up a PR with the changes outlined above, then we'll take a look and see if it's something we can work with.

@t0m5k1

commented Sep 10, 2019

I'm not a coder in any way. The above was just a suggestion.

@DL6ER

Member Author

commented Sep 10, 2019

@t0m5k1 Thanks for your suggestion. One thing isn't clear to me, though. What is the benefit of having DoH in your local network? It is a massive overhead for a very simple protocol and protecting yourself against man-in-the-middle attacks shouldn't be a thing in your own home network, right?

Even then, DNSSEC is being deployed more and more and protects you as well.
DNSSEC coverage as of yesterday
(https://elists.isoc.org/pipermail/dnssec-maps/)

I don't think the encryption aspect should be necessary in home networks. If you are that concerned (maybe because of your hacker son/daughter), then them just pulling out and messing with the Raspberry's SD card sounds like a much more likely scenario compared to packet interceptions and live rewrites thereof.

@t0m5k1

commented Sep 11, 2019

I know it is an overhead and might seem heavy but with more browsers jumping on the DoH bandwagon it would be good to embrace this rather than just force a user/browser to disable it.

Google have stated that v78 of Chrome will also have DoH. Add to that the number of people choosing to run pi-hole in a cloud due to poisoning of DNS by their ISP, and the more features present in pihole will mean a wider use area.

Additionally, with more and more people no longer trusting the LAN, I think this feature would be good. I have a few friends who are now using a NAC (Network Access Controller) within their own LAN as they no longer trust it, purely due to friends arriving on site with phones that have wifi enabled and it connecting.

@DL6ER

Member Author

commented Sep 11, 2019

You made some points, but nothing has convinced me/(us) yet.

run pi-hole in a cloud due to poisoning of DNS by their ISP

I see this, but how would an out-of-the-box DoH feature change this? Even with DoH it is not safe to open your DNS resolver to the world. DNS amplification attacks might be reduced; however, this also involves some more fine-tuned firewall settings to be sure to avoid UDP leaks alongside your HTTPS channel.

with more browsers jumping on the DoH bandwagon it would be good to embrace this rather than just force a user/browser to disable it.

I still don't see why. It adds a lot of overhead with no real gain.

more and more people no longer trusting the LAN [...] they no longer trust it purely due friends arriving on site with phones that have wifi enabled and it connecting

I see this issue as being purely on the network side. If you don't trust the devices of your friends/visitors/whomever (BTW, I can perfectly see why you wouldn't), then you should have a dedicated isolated WiFi for them. Many routers even offer "guest networks" out of the box, which is exactly what you should be looking into.

Discussing this in comments on an already implemented pull request on GitHub seems to be the wrong place, as this is not directly related to the code in this PR but rather a request for a new feature. Please open a feature request on our Discourse Forum, as mentioned in our Issue Templates. This also ensures that a much wider audience will see your request and can give their opinions. After all, my voice is only one out of many and I can surely be outvoted by others.

Thank you for your understanding.

@t0m5k1

commented Sep 11, 2019

You made some point but nothing convinced me/(us) yet.

Was just a suggestion, and people are already asking on reddit how DoH is going to impact pihole. Knowing Google, they will not make it easy to disable DoH in Chrome, unlike Firefox.

@AndreiG6

commented Sep 14, 2019

@DL6ER your comments are close-minded and unrealistic to say the least. There's no point in opposing what's to come. Aside from the slight overhead, local DNS poisoning attacks have been "a thing" for decades. You should embrace new security protocols versus stand against them. Period.

@AndreiG6

commented Sep 14, 2019

I long ago replaced lighttpd/cgi with nginx/fpm (way faster and fewer resources) and added DoT + DoH support directly in nginx. This helps me secure my kids' mobile browsing while they're outside of my local network. There are also more and more routers which support DNS filtering through these services.

@DL6ER

Member Author

commented Sep 14, 2019

@AndreiG6 please continue the discussion on Discourse as I mentioned above. If you insist on using GitHub, we would be happy to discuss this further based on your PR for this feature.

@pi-hole pi-hole locked as spam and limited conversation to collaborators Sep 14, 2019

@pralor

commented Sep 19, 2019

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/was-bedeutet-dns-over-https-fur-pi-hole/23762/2
