Firefox and DNS over HTTPS = No Content Filter

itxnc
itxnc Posts: 98  Ally Member
First Comment Friend Collector Sixth Anniversary
edited April 2021 in Security

With Firefox rolling out DNS over HTTPS (DoH) for all US users, your USG content filter is about to become useless for Firefox users.

Hopefully, Zyxel will add some functionality to allow the USG/ATP boxes to respond to various 'pings' the browsers do to see if DNS filtering is being used. But until then, for Firefox anyway, they have a setup called a canary domain that Firefox queries and if it returns an error, they will NOT turn DoH on.

Basically you need a CNAME for use-application-dns.net that goes to ... nothing (basically a target of . )

But in the USG DNS settings where you can specify CNAMEs, the field checks make this a little tricky. So what I did was use *.use-application-dns.net as the CNAME alias and localhost as the target. When I did a DNS query, I got an empty NOERROR reply (ie no A or AAAA record), which according to Firefox is one of the tests (see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet). SO basically if you query use-application-dns.net and no IP (v4 or v6) is returned, it'll keep DoH off (unless the user manually turns it on).

I did a 'refresh' on Firefox and DoH didn't trigger but not sure how quickly Firefox is rolling this out. I'm going to test more, but can't hurt to add this to your USGs and ATPs now to be safe.

Obviously, if you have a domain, the best way to keep DoH disabled is to use group policies.

Good discussion here: https://www.reddit.com/r/sysadmin/comments/dbs1ew/canary_domain_to_disable_firefoxchrome_doh/

Comments

  • zyman2008
    zyman2008 Posts: 219  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    I don't think DoH will bypass the content filter.

    As I know, Zyxel USG content filter is inspect the HTTP request and SNI in HTTPs TLS client hello message. Not using DNS filter technology like Cisco OpenDNS.

  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary
    edited February 2020

    Good to know. Did not realize that. But I wonder how that's fairing with ESNI and services like CloudFlare. Do they use DNS as a fallback?

    Is there a whitepaper on how CF v2.0 works on the USGs in terms of what methods they are using and which may be prone to bypass as things like ESNI and DoH deploy?

    Definitely time to ramp up some testing...

  • zyman2008
    zyman2008 Posts: 219  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    Yes. The new TLS1.3 and HTTP/3 will be a challenge for firewall vendors.

    It's a double-edged sword. Protects the Internet privacy but lose the security control.

    Look like install security control software on endpoint is the easy way to block, compares to inspect on network traffics.

Security Highlight