How to Disable DNS over HTTPS using BIND
Although DNS over HTTPS might offer some advantages, there are cases where it's not desired. This article identifies a use case and explains how to disable DoH for a network using BIND version 9.10+
TL;DR
Create a zone file /etc/namedb/master/rpz.local.db with the canary domain use-application-dns.net.
; Empty domain to return NXDOMAIN
$TTL 1h
@ SOA localhost. admin.localhost. (
1 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
2419200 ; expire (4 weeks)
3600 ; minimum (1 hour)
)
IN NS localhost.
use-application-dns.net IN CNAME .
Add a response policy and the rpz zone to your view in /etc/namedb/named.conf
view "myview" {
...
response-policy {
zone "rpz.local";
};
zone "rpz.local" {
type master;
file "/etc/namedb/master/rpz.local.db";
};
};
Add new domains you would like to return NXDOMAIN to your rpz.local.db and reload your configuration with rndc reload.
When do you need to avoid DoH?
The main use case is when a local campus has private servers only visible to internal networks. It is necessary to ensure local DNS servers deliver the required response. DNS has been around for a long while and has many other uses. For these and other use cases it may be desirable to disable DoH at a network level.
In rfc6950 Private DNS on internal networks call this Split Horizon, in ISC Bind per network responses are called "views".
Although it is possible to configure a browser to use or not use DoH, it's essential that clients, customers and staff have zero configuration when entering and leaving a campus to both ensure visitors receive the correct DNS responses and also that there are no additional support issues relating to altering a client device.
Client preferences
Clients who choose "DoH always" may need to be advised that they may not get all available services. Those who choose to disable DoH or leave the default settings should be unaffected.
How to disable DoH
Although DoH is defined in rfc8484, it is only a proposed standard and thus subject to change. Each implementation of DoH is specific to an application and only Firefox appear to have identified the need for zero configuration disabling DoH by querying the local dns for use-application-dns.net, if the query returns NXDOMAIN then DoH is disabled for that session. No doubt as implementations proceed these may change or be confirmed.
By configuring the local DNS to return NXDOMAIN for a canary domain, in the case of Firefox this is use-application-dns.net, DoH will be disabled.
A number of heuristics are used to identify if DoH should be enabled and it is currently only a proposed standard so expect change.
Logging
You may wish to log Response Policy Zone activity
logging {
channel my_log {
channel my_log {
file "/var/log/named.log";
severity warning;
print-category yes;
print-time yes;
print-severity yes;
};
};
category rpz {my_log; };
};
Finally
As this is an early implementation phase, I intend to update this page as and when necessary.
Resources
Proposed standard DNS Queries over HTTPS (DoH) - rfc8484
Internet Systems Consortium (BIND)
Tutorial on Configuring BIND to use Response Policy Zones (RPZ) by Andrew Fried of Deteque
Building DNS Firewalls with Response Policy Zones (RPZ)
Mozilla: Configuring Networks to Disable DNS over HTTPS
Mozilla: DNS-over-HTTPS (DoH) Update – Detecting Managed Networks and User Choice
Mozilla: What’s next in making Encrypted DNS-over-HTTPS the Default
Architectural Considerations on Application Features in the DNS - rfc6950
Mozilla: Configuring Networks to Disable DNS over HTTPS