How to Disable DNS over HTTPS using BIND

Although DNS over HTTPS might offer some advantages, there are cases where it's not desired. This article identifies a use case and explains how to disable DoH for a network using BIND version 9.10+


Create a zone file /etc/namedb/master/rpz.local.db with the canary domain

; Empty domain to return NXDOMAIN
$TTL 1h
@ SOA   localhost. admin.localhost. (
        1  ; serial
    86400  ; refresh (1 day)
     3600  ; retry (1 hour)
  2419200  ; expire (4 weeks)
     3600  ; minimum (1 hour)
         IN NS   localhost. IN CNAME .

Add a response policy and the rpz zone to your view in /etc/namedb/named.conf

view "myview" {
    response-policy {
        zone "rpz.local";
zone "rpz.local" {
        type master;
        file "/etc/namedb/master/rpz.local.db";
}; };

Add new domains you would like to return NXDOMAIN to your rpz.local.db and reload your configuration with rndc reload.

When do you need to avoid DoH?

The main use case is when a local campus has private servers only visible to internal networks. It is necessary to ensure local DNS servers deliver the required response. DNS has been around for a long while and has many other uses. For these and other use cases it may be desirable to disable DoH at a network level.

In rfc6950 Private DNS on internal networks call this Split Horizon, in ISC Bind per network responses are called "views".

Although it is possible to configure a browser to use or not use DoH, it's essential that clients, customers and staff have zero configuration when entering and leaving a campus to both ensure visitors receive the correct DNS responses and also that there are no additional support issues relating to altering a client device.

Client preferences

Clients who choose "DoH always" may need to be advised that they may not get all available services. Those who choose to disable DoH or leave the default settings should be unaffected.

How to disable DoH

Although DoH is defined in rfc8484, it is only a proposed standard and thus subject to change. Each implementation of DoH is specific to an application and only Firefox appear to have identified the need for zero configuration disabling DoH by querying the local dns for, if the query returns NXDOMAIN then DoH is disabled for that session. No doubt as implementations proceed these may change or be confirmed.

By configuring the local DNS to return NXDOMAIN for a canary domain, in the case of Firefox this is, DoH will be disabled.

A number of heuristics are used to identify if DoH should be enabled and it is currently only a proposed standard so expect change.


You may wish to log Response Policy Zone activity

logging {
    channel my_log {
        channel my_log {
            file "/var/log/named.log";
            severity warning;
            print-category yes;
print-time yes;
print-severity yes; };
category rpz {my_log; };


As this is an early implementation phase, I intend to update this page as and when necessary.


Proposed standard DNS Queries over HTTPS (DoH) - rfc8484

Internet Systems Consortium (BIND)

Tutorial on Configuring BIND to use Response Policy Zones (RPZ) by Andrew Fried of Deteque

Building DNS Firewalls with Response Policy Zones (RPZ)

Mozilla: Configuring Networks to Disable DNS over HTTPS

Mozilla: DNS-over-HTTPS (DoH) Update – Detecting Managed Networks and User Choice

Mozilla: What’s next in making Encrypted DNS-over-HTTPS the Default

Architectural Considerations on Application Features in the DNS - rfc6950

Mozilla: Configuring Networks to Disable DNS over HTTPS

Circle ID: DNS-over-HTTPS: Privacy and Security Concerns