Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox

    Scheduled Pinned Locked Moved DHCP and DNS
    85 Posts 19 Posters 41.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tman222 @johnpoz
      last edited by

      @johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

      local-zone: "use-application-dns.net" static

      Thanks @johnpoz - I appreciate the follow up an explanation. I was actually more curious what that configuration line did exactly and why you chose it specifically to solve this issue?

      Is the idea just to create a local DNS Zone with this domain, but since no actual (local) records exist for it, it will simple return NXDOMAIN?

      Thanks again!

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Exactly, when you set the local zone as static, and no local entries - NX gets returned. So when NX gets returned when the browser looks for that, it is suppose to not enable DOH because local filtering is in place and the user has opted to use that vs doh.

        edit: I can foresee future posts about why pfblocker is not working because browser is using doh vs asking the local dns which is using pfblocker.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • T
          tman222
          last edited by

          Thanks @johnpoz - when entering into Unbound's option box, for multiple configuration options, is the correct syntax:

          server:
          config line 1
          config line 2

          OR

          server:
          config line 1

          server:
          config line 2

          Apologies, I can never quite remember. Thanks again for your help.

          1 Reply Last reply Reply Quote 0
          • kiokomanK
            kiokoman LAYER 8
            last edited by

            bind9 + rpz
            cloudflare-dns.com IN CNAME .

            😤

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              You only need 1 server: at the top

              For example here are all my entries.
              server:
              private-domain: "plex.direct"
              local-zone: "use-application-dns.net" static
              so-reuseport: no
              #log-queries: yes
              #log-replies: yes
              #private-address: ::/0 # filters out all AAAA !

              I leave the log entries in there and the private address thing to stop AAAA because I enable them on the fly sometimes for testing.. I just leave them # out normally when I don't need them. I think I can remove that so-reuseport: no since I think that was changed in an update a while back.. Not sure on that one. But yeah you only need the one server: entry.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              pfSenseTestP 1 Reply Last reply Reply Quote 0
              • pfSenseTestP
                pfSenseTest @johnpoz
                last edited by

                @johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

                I think I can remove that so-reuseport: no since I think that was changed in an update a while back.. Not sure on that one.

                I was wondering about this myself and haven't been able to confirm if it is still needed or not.

                2x SG-5100 | MBT-4220 (retired) | SG-1000 (retired)

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  @johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

                  so-reuseport: no

                  I just commented it out and restarted unbound, and there are still multiple threads.. So its no longer needed..
                  https://forum.netgate.com/post/809158

                  JimP goes over in that post

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • JeGrJ
                    JeGr LAYER 8 Moderator
                    last edited by

                    The whole use case Mozilla and the DoH folks that promote it that much are telling is falling apart IMHO. If a simple NXDOMAIN for the use-application-dns.net Zone is "blocking" the use of DoH in Firefox alltogether, how in the hell is the DoH implementation in Firefox well-thought in the first place? They are pointing fingers at MITM or Rogue ISPs etc. to protect your data and privacy against. OK, fair point, but how in the hell is that protecting if you

                    1. completely screw up a fine configured local DNS resolver setup with internal domains by using a DoH server from an external source (and handing your DNS data to them!?)
                    2. can override your privacy-DoH-firefox-thingy by said rogue ISP to simply hand out a nxdomain for the use-application-dns.net zone?
                    3. begin to segregate DNS into "per application use"? Firefox using DoH with Cloudflare, System using local resolver with internal domains, next Browser/Application uses whatever the f*** they want? How is that transparent and protecting anything about your privacy if you don't have a clue anymore what your system does? It's something like the whole Linux-systemd-everything. NTP? DNS resolving? Yay let's put it into systemd, too! What!?

                    Narf 👿

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    1 Reply Last reply Reply Quote 2
                    • kiokomanK
                      kiokoman LAYER 8
                      last edited by

                      simple. privacy is a businness after all. it will not be strange if that work was sponsorized by cloudflare and the like. they are only selling all your data to them and telling you that this way you are more protected ☺
                      i hate when company make fun of customers. if they left it as an option instead of imposing it as a default it would have been something else

                      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                      Please do not use chat/PM to ask for help
                      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        Now it seems google/chrome wants to join in on the data mining fun.. WTF!!!
                        https://www.zdnet.com/article/google-to-run-dns-over-https-doh-experiment-in-chrome/

                        dot is easy to block since uses its own port... But guess its time to start compiling list of all known doh servers and blocking them.. Gawd Damn it!!!

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 1
                        • JeGrJ
                          JeGr LAYER 8 Moderator
                          last edited by

                          @johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

                          But guess its time to start compiling list of all known doh servers and blocking them.. Gawd Damn it!!!

                          They are also contradicting their own argumentation. Mozilla for example arguments over governmental or rogue ISPs grabbing your data. At the same time they 1) send all your data to a single provider instead of using resolvers to dsitribute the DNS calls to a wide range of servers and 2) use use-application-dns.net as their canary to determine wether or not to disable automagic DoH. So we roll out some application specific black magic BS that breaks your local setup but hand out the free pass for their own attackers to disable it. WTF? How is that thought-out? 🤦 First thing a rogue ISP or anyone else would be to hand out NXDOMAIN to use-application-dns.net calls to disable that. And if anyone does that... yeah.

                          Pushing OS developers to include DoT and DoH in their base OS and as next step push all DNS servers to wide-range adaption of both protocols would be the right way. Then you could just tell your local resolver to use either DoH/DoT for resolving (and do or don't fallback to normal udp/53 DNS). Their tactic? No just send it all to Google/Cloudflare etc. Right...

                          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                          1 Reply Last reply Reply Quote 0
                          • kiokomanK
                            kiokoman LAYER 8
                            last edited by kiokoman

                            the Internet Services Providers Association (ISPAUK), a trade association for internet service providers in the UK, decided to nominate Mozilla for its award of 2019 Internet Villain, next to Donald Trump and the EU's Article 13 Copyright Directive.

                            😂

                            https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/

                            https://www.ispreview.co.uk/index.php/2019/07/ispa-pulls-uk-internet-villain-category-over-mozilla-doh-fallout.html

                            ISPAUK have a point here

                            An application switching to DoH should ensure that this switch does not undermine choices that have been previously made by the user. For example, if parents have decided to filter an internet connection in their home via network or local level DNS controls, these choices should not simply be ignored by the application.

                            If DoH doesn’t work or is slow, a customer’s internet access will be affected. The customer will contact their ISP, not the DoH provider, but the ISP won’t be able to fix things for them. As a minimum, any application switching to DoH should ensure that the selected resolver should provide a 24/7 user call centre reachable via low-cost/local rate telephony and an online support capability. Support for fault-diagnosis and resolution between ISP, resolver and users should also be provided.

                            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                            Please do not use chat/PM to ask for help
                            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by johnpoz

                              @kiokoman said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

                              An application switching to DoH should ensure that this switch does not undermine choices that have been previously made by the user

                              All of which just SCREAMS this can not be opt-out, but MUST be OPT-IN to switch...Where the users has to specifically do something to actually use it, vs just using the OS already set dns..

                              edit:
                              I think the thought process has gone something like this.
                              Q: How can we mine more data from our users without logging and sending the info where they go.. "telemetry" they don't seem to like that.

                              A: Lets have them use us for dns, so that we know everywhere they they go.

                              Q: How can we get them to do that?
                              A: We will tell them its for their own security, from the bad isp they are paying every month for internet.

                              Q: Well they are not switching over fast enough, and we don't want to actually spend any money on PR to have them think this is best option for their "security/privacy"

                              A: Lets just switch them over, and state that is for their own good if they complain, because they are just too stupid anyway.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • B
                                bcruze
                                last edited by

                                https://apple.news/AREysIdXnROWCIANTguz06A

                                Not sure if the link will work, they are trying a personal vpn now..

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  They can offer whatever they want - just don't freaking make something like that default... If the user has to turn it on, and make an effort to use it..

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 2
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by johnpoz

                                    So I found this listing of known doh servers
                                    https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

                                    I have a pm out of @BBcan177 asking if he plans on easy way of blocking these in pfblocker, if not will be working my own listing of them to use in firewall rules and host overrides to block queries for them.

                                    Will prob have dns queries for their fqdn point to a specific IP that I block and log, and any hits to that rule get attention and any devices doing it will if not easy to disable be off the network..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    BBcan177B 1 Reply Last reply Reply Quote 0
                                    • JeGrJ
                                      JeGr LAYER 8 Moderator
                                      last edited by JeGr

                                      I'd also use

                                      local-zone: "use-application-dns.net" static
                                      

                                      in the DNS Resolver "custom options" box so to answer with an NXDOMAIN to the canary domain Mozilla uses. Won't help if they switch their approach or simply use a service manually entered but at least the "automagic switch" should be off then.

                                      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by johnpoz

                                        Yeah been in place for some time already ;)

                                        Notice I posted how to do it like 8 days ago ;) Look back over the thread..

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • BBcan177B
                                          BBcan177 Moderator @johnpoz
                                          last edited by

                                          @johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

                                          I have a pm out of @BBcan177 asking if he plans on easy way of blocking these in pfblocker, if not will be working my own listing of them to use in firewall rules and host overrides to block queries for them.

                                          Some more details here for now until I add this officially to pfBlockerNG:

                                          https://www.reddit.com/r/pfBlockerNG/comments/d3p1gf/doh_server_blocklist/

                                          "Experience is something you don't get until just after you need it."

                                          Website: http://pfBlockerNG.com
                                          Twitter: @BBcan177  #pfBlockerNG
                                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                          1 Reply Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by johnpoz

                                            Thanks - but you the have the
                                            use-application-dns.net

                                            In there - that would not return an NX, so it wouldn't work per my understanding of how the firefox canary is suppose to work.. It has to get back a NX to not enable it from my understanding.

                                            I threw this together real quick this morning from list linked to earlier.

                                            local-data: "dns.adguard.com. 120 IN A 172.19.19.19"
                                            local-data: "dns-family.adguard.com. 120 IN A 172.19.19.19"
                                            local-data: "dns.google. 120 IN A 172.19.19.19"
                                            local-data: "cloudflare-dns.com. 120 IN A 172.19.19.19"
                                            local-data: "dns.quad9.net. 120 IN A 172.19.19.19"
                                            local-data: "dns9.quad9.net. 120 IN A 172.19.19.19"
                                            local-data: "dns10.quad9.net. 120 IN A 172.19.19.19"
                                            local-data: "doh.opendns.com. 120 IN A 172.19.19.19"
                                            local-data: "doh.cleanbrowsing.org. 120 IN A 172.19.19.19"
                                            local-data: "dns.nextdns.io. 120 IN A 172.19.19.19"
                                            local-data: "dns.dnsoverhttps.net. 120 IN A 172.19.19.19"
                                            local-data: "doh.crypto.sx. 120 IN A 172.19.19.19"
                                            local-data: "doh.powerdns.org. 120 IN A 172.19.19.19"
                                            local-data: "doh-ch.blahdns.com. 120 IN A 172.19.19.19"
                                            local-data: "doh-jp.blahdns.com. 120 IN A 172.19.19.19"
                                            local-data: "doh-de.blahdns.com. 120 IN A 172.19.19.19"
                                            local-data: "dns.dns-over-https.com. 120 IN A 172.19.19.19"
                                            local-data: "doh.securedns.eu. 120 IN A 172.19.19.19"
                                            local-data: "dns.rubyfish.cn. 120 IN A 172.19.19.19"
                                            local-data: "doh-2.seby.io. 120 IN A 172.19.19.19"
                                            local-data: "doh.seby.ie. 120 IN A 172.19.19.19"
                                            local-data: "commons.host. 120 IN A 172.19.19.19"
                                            local-data: "doh.dnswarden.com. 120 IN A 172.19.19.19"
                                            local-data: "dns-nyc.aaflalo.me. 120 IN A 172.19.19.19"
                                            local-data: "dns.aaflalo.me. 120 IN A 172.19.19.19"
                                            local-data: "doh.appliedprivary.net. 120 IN A 172.19.19.19"
                                            local-data: "doh.captnemo.in. 120 IN A 172.19.19.19"
                                            local-data: "doh.tiar.app. 120 IN A 172.19.19.19"
                                            local-data: "doh.dns.sb. 120 IN A 172.19.19.19"
                                            local-data: "rdns.faelix.net. 120 IN A 172.19.19.19"
                                            local-data: "doh.li. 120 IN A 172.19.19.19"
                                            local-data: "doh.armadillodns.net. 120 IN A 172.19.19.19"
                                            local-data: "doh.netweaver.uk. 120 IN A 172.19.19.19"
                                            local-data: "jp.tiar.app. 120 IN A 172.19.19.19"
                                            local-data: "doh.42l.fr. 120 IN A 172.19.19.19"
                                            

                                            Here is sample query for one of those.

                                            ;; QUESTION SECTION:
                                            ;doh.dns.sb.                    IN      A
                                            
                                            ;; ANSWER SECTION:
                                            doh.dns.sb.             120     IN      A       172.19.19.19
                                            

                                            Simple add that to your custom box in unbound, then put a block log rule in place that logs anything that tries to go to my out of thin air IP that I do not use locally 172.19.19.19

                                            This way I can see if anything is trying to resolve this by just looking if any hits in the firewall rules, and then look into the logs to which IP tried and investigate what its trying to do exactly.

                                            Keep in mind, this could cause you some grief if any of those fqdn are serving up stuff other than doh that you might want to get to.. Some are on other ports other then 443, so I just made the block rule any..

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.