Hosts: Firefox DNS over HTTPS bypasses the local hosts file

Created on 5 Mar 2020 · 13 Comments · Source: StevenBlack/hosts

Just leaving this here. Heads up!

Firefox's DNS over HTTPS feature is potentially really great.

One problem: this evidently bypasses the local hosts file. So if this is enabled, you get the full advertising/tracking browsing experience.

Anybody have any ideas?


question wontfix ¯\_(ツ)¯

All 13 comments

@StevenBlack Add the following to your network configuration? https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
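The canary mechanism linked above works by having the local resolver answer the name `use-application-dns.net` with NXDOMAIN (or an empty answer); Firefox then falls back to the OS resolver, and with it the hosts file. The following is an added illustration, not Mozilla's or the hosts project's code: it models that decision so a network operator can reason about which resolver answers actually opt a network out, and it includes the later point in this thread that a user who turns DoH on by hand is not affected by the canary. The resolver stand-ins are constructed so the example runs offline; the exact heuristic is an assumption based on Mozilla's canary-domain documentation.

```python
"""Model of Firefox's use-application-dns.net canary check (added example,
not Mozilla's code; heuristic is an assumption based on Mozilla's docs)."""
import socket

CANARY = "use-application-dns.net"


def canary_disables_doh(resolve, mode="rollout"):
    """Return True if the resolver's answer for the canary domain should make
    the browser fall back to the OS resolver (and therefore the hosts file).

    resolve: callable(name) -> list of address strings; raises socket.gaierror
             on NXDOMAIN / SERVFAIL.
    mode:    "rollout" = DoH switched on by Mozilla's default rollout, canary
             is honored; "manual" = user enabled DoH in about:preferences,
             canary is ignored (the bypass described later in this thread).
    """
    if mode == "manual":
        return False
    try:
        answers = resolve(CANARY)
    except socket.gaierror:
        return True            # NXDOMAIN or lookup failure: network opts out
    return len(answers) == 0   # NOERROR with no A/AAAA records also opts out


def live_resolver(name):
    """Query the OS resolver for real (needs network; not used by the test)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


# Constructed resolver stand-ins so the example runs offline.
def nxdomain_resolver(name):
    """A resolver configured to deny the canary, e.g. dnsmasq/unbound."""
    raise socket.gaierror("NXDOMAIN for %s (constructed)" % name)


def empty_answer_resolver(name):
    """A resolver that answers NOERROR but returns no addresses."""
    return []


def upstream_resolver(name):
    """A resolver that forwards the canary untouched (constructed TEST-NET address)."""
    return ["192.0.2.10"]


if __name__ == "__main__":
    for label, r in (("NXDOMAIN", nxdomain_resolver),
                     ("empty answer", empty_answer_resolver),
                     ("forwarded", upstream_resolver)):
        print("%-13s rollout DoH off: %-5s manual DoH off: %s"
              % (label, canary_disables_doh(r), canary_disables_doh(r, "manual")))
```

To produce the NXDOMAIN answer on a real network, dnsmasq accepts `address=/use-application-dns.net/` (no address given means NXDOMAIN) and Unbound accepts `local-zone: "use-application-dns.net" always_nxdomain`; either can be checked with `dig use-application-dns.net` against the local resolver, looking for `status: NXDOMAIN` in the header.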

Thanks Nissar @funilrys. I'd like to nominate this mozilla support page for a prize, as the worst. Just awful.

Just putting this as a concern that needs to be still looked at: if the user manually enables DoH in Firefox, it bypasses everything (hosts file, recursive resolver configured in the OS), i.e. the canary domain workaround doesn't work.

Yes Swapneel @swapneelp I agree. I don't understand why this feature works this way.

I understand the browser encrypts the DNS request. That has to happen somewhere, in a way that doesn't "leak" anything about the request.

Maybe this is the only way this could work. It just seems like, there must be a better way.

@StevenBlack DoH hijacks control of DNS away from network operators (like me) who use the DNS to block malicious content and protect small networks. A much saner option was DoT(rfc7858). DoH now raises the costs for everyone using DNS as a layer of defense. To summarise, the fantastic blocking lists that you folks curate and maintain will now need a solution at the OS packet layer to glue and make blocking work.

The best way to prevent users from enabling this option is described here: https://github.com/mozilla/policy-templates#dnsoverhttps

Agree.
Also, besides locking, disabling and ..., they added the ability to exclude domains from being resolved using DoH in FF75.
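The enterprise policy linked two comments up is the control that survives a user flipping the switch, and the FF75 addition mentioned here is exposed in the same policy as an `ExcludedDomains` list. The following is an added example, not code from the hosts project or from Mozilla: it builds a `policies.json` with DoH disabled and locked, and audits an existing file so an administrator can tell a weak setting (DoH on, not locked) from the corrected one. The policy keys follow the `DNSOverHTTPS` section of mozilla/policy-templates; the domain list and the output path are assumptions.

```python
"""Build and audit a Firefox enterprise policies.json for DNS over HTTPS.
Added example; keys follow mozilla/policy-templates (DNSOverHTTPS), the
domain names and file path are assumptions."""
import json
import os

# Typical Linux location; Windows/macOS use the distribution/ folder or
# registry/plist policies instead (see the policy-templates README).
DEFAULT_PATH = "/etc/firefox/policies/policies.json"

# Constructed "weak" policy: DoH forced on with a provider, nothing locked.
WEAK_POLICY = {
    "policies": {
        "DNSOverHTTPS": {
            "Enabled": True,
            "ProviderURL": "https://doh.example/dns-query",  # placeholder
        }
    }
}


def build_policy(excluded=(), enabled=False, locked=True):
    """Return a policies.json document (as a dict) that disables DoH and
    locks the preference so about:preferences cannot re-enable it."""
    doh = {"Enabled": enabled, "Locked": locked}
    if excluded:
        # Firefox 75+: these names go to the OS resolver even when DoH is on,
        # which is what the comment above refers to.
        doh["ExcludedDomains"] = list(excluded)
    return {"policies": {"DNSOverHTTPS": doh}}


def audit_policy(doc):
    """Return a list of findings; an empty list means DoH cannot bypass the
    hosts file or the network's resolver on this install."""
    findings = []
    doh = doc.get("policies", {}).get("DNSOverHTTPS")
    if doh is None:
        findings.append("no DNSOverHTTPS policy: users can switch DoH on")
        return findings
    if doh.get("Enabled", True):
        findings.append("DoH enabled: hosts-file and resolver blocking bypassed")
    if not doh.get("Locked", False):
        findings.append("setting not locked: user can re-enable DoH in about:preferences")
    return findings


def write_policy(doc, path=DEFAULT_PATH):
    """Write the document as JSON, creating the policies directory."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return path


if __name__ == "__main__":
    hardened = build_policy(excluded=("intranet.example",))  # constructed name
    print("weak findings:    ", audit_policy(WEAK_POLICY))
    print("hardened findings:", audit_policy(hardened))
    print(json.dumps(hardened, indent=2))
```

Run the audit against the deployed file with `audit_policy(json.load(open(path)))`; two findings on the weak document and none on the hardened one is the expected result, and a missing `DNSOverHTTPS` section is reported as a finding of its own because it leaves the setting under the user's control.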

@StevenBlack isn't this the same as #968 which has more info and is older? 🙂

@XhmikosR same basic issue, yes. Chrome (#968) and Firefox here.

Why not just use uMatrix or uBlock Origin? You can even host local files if you have something like XAMPP. Or for system-wide use the best is Acrylic DNS. Maybe YogaDNS too. I use uMatrix as a hosts blocker and media type (scripts, images, videos, CSS) blocker in Chrome and Firefox. You can quickly include or exclude any blocked host or media type, without restarting anything.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

Closing.
