From ebe2eac3a7c221a1f8d4033e8f78563757675e04 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Sat, 28 Nov 2020 23:39:47 +0100
Subject: [PATCH] dns_*: prevent DoH by returning NXDOMAIN for use-application-dns.net
---
 roles/dns_resolver/templates/dnsdist.conf.j2 | 4 ++++
 roles/dns_split/templates/dnsdist.conf.j2 | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/roles/dns_resolver/templates/dnsdist.conf.j2 b/roles/dns_resolver/templates/dnsdist.conf.j2
index f56da34..d973e67 100644
--- a/roles/dns_resolver/templates/dnsdist.conf.j2
+++ b/roles/dns_resolver/templates/dnsdist.conf.j2
@@ -13,6 +13,10 @@ newServer({address='127.0.0.1:5353', qps=1, name='localhost'})
 addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
+
+-- HTTP Endpoint for Prometheus
 webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
 -- disable security status polling via DNS
diff --git a/roles/dns_split/templates/dnsdist.conf.j2 b/roles/dns_split/templates/dnsdist.conf.j2
index 2226580..65cb354 100644
--- a/roles/dns_split/templates/dnsdist.conf.j2
+++ b/roles/dns_split/templates/dnsdist.conf.j2
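Review bot: The comment `-- Disable DoH:` above the new `addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))` overstates what the rule does: answering the canary with NXDOMAIN only tells Firefox not to auto-enable its default DoH provider, while a user who turned DoH on explicitly, other browsers, and applications that ship their own DoH endpoint are unaffected. Suggest making that explicit so nobody later treats this as a DoH block, e.g. `-- Firefox canary: NXDOMAIN opts this network out of default-on DoH (explicitly configured DoH is not blocked)`. Because the string form of addAction is a suffix match, subdomains of the canary are answered the same way, which is consistent with Mozilla's guidance, but a one-line reason for the opt-out (what resolver policy DoH would bypass here) would help; that is not inferable from the hunk.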
@@ -10,6 +10,10 @@ newServer({address='127.0.0.1:5353', qps=1, name='localhost'})
 addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
+
+-- HTTP Endpoint for Prometheus
 webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
 -- disable security status polling via DNS
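Review bot: The new `addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))` is a Firefox-only opt-out signal, not a DoH block as the `-- Disable DoH:` comment suggests: clients with DoH enabled by hand, other browsers, and applications with built-in DoH resolvers will still bypass this dnsdist instance. Given the role name, the presumable motivation is that a split-horizon view would be bypassed by DoH; if so, state that in the comment, e.g. `-- Firefox canary: opt out of default-on DoH so split-horizon names keep resolving (does not block explicitly configured DoH)`. If a hard policy is wanted, it needs enforcement outside this resolver (e.g. egress filtering of known DoH endpoints), which this hunk cannot provide.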