[Kadin]

In that case you are better off running local DNS and using a different subdomain (internal.companyname.com or whatever) for internal DNS entries; the DNS-over-HTTPS query will go out, fail, and then Firefox will fallback to traditional UDP DNS on port 53, hit the local resolver on the LAN, and away you go. It will presumably cause a short delay the first time a host is queried, but after that I assume Firefox is smart enough to cache the result, so unless you have absurdly short TTLs the performance impact should be pretty low.

The positives certainly outweigh the negatives of inconveniencing some IT admins who, as you correctly point out, are implementing a dirty hack anyway.

[userbinator]

the DNS-over-HTTPS query will go out, fail

You completely missed the point of the parent, which is to NOT let internal hostnames out of the network.

The positives certainly outweigh the negatives of inconveniencing some IT admins who, as you correctly point out, are implementing a dirty hack anyway.

This is a perfect example of the irritating attitude I see from people pushing hostile features like this. Everyone wants their network to operate the way they want, and yet you think you know better than the actual owners of those networks.

[Jonnax]

The owners of the networks have time and time again done user hostile things that have compromised their security and privacy.

Corporate networks are a small percentage of network traffic and their use cases are less important in the grand scheme of the internet.

DNS over HTTPS is a solution because network owners can't be trusted. Either by blocking or by taking their DNS logs and selling it to advertiser's.

[userbinator]

I am the owner of my network, as is everyone who has one at home, and you are saying that I can't be trusted. WTF!?

[isomorphic]

I think Jonnax meant ISPs, not you.

[josteink]

In which case he is wrong. You are the operator of your own network.

If applications decide to bypass you, they are hostile and cannot be trusted.

[Jonnax]

Then DNS protocol is old and needs to be updated. Security considerations need to be forward looking rather than clinging to the past.

DNS is unencrypted and a security risk. For the user. It's an old technology that needs to be updated.

DNS over TLS/HTTPS allows the browser to get a trusted record of IP which is a public register.

The bypass here is looking up what the corresponding IP address for a hostname is.

DNS based blocking isn't as effective as IP blocking.

You can feed a DNS based list of IPs you want to block into a firewall and have the exact same behaviour.

Both Firefox and Chrome have the ability to set enterprise user settings that can force certain configurations.

So you should have the ability to disable it if you want in your network.

If you're worried about the security of your network don't allow devices that you don't trust into it and restrict internet access properly.

What's more anyone can configure a custom DNS resolver on their device when connecting to a network.

[Jonnax]

The lack of trust I mentioned was about ISP provided DNS servers. You don't own your WAN network and the majority of people use the DNS provided by their ISP.

On your own network, if you feel like doing a DNS lookup to what amounts to a public address book is unethical then don't allow arbitrary clients on the network.

If you want to do blocking based on a DNS list, configure your firewall to do that.

[CJefferson]

Knowing better than the owners is a matter of tradeoff.

There are whole isps and even countries (including the UK shortly) which mess with DNS requests. Helping the millions of users who are in that situation, and don't even know what D Sits, seems like a net good. As you say, experts can choose to disable it.

[TeMPOraL]

> As you say, experts can choose to disable it.

As long as they can. The problem with these ideas is that it can get increasingly difficult to work around them. How many hoops you have to jump through to pcap your own software on your own machines now that certificate pinning is becoming popular? What when someone will have the bright idea of implementing certificate pinning for DoH inside browsers, "because security"?

(I could live with the choice between having to somehow acquire Chrome Enterprise Edition vs. switching to Firefox, to have a browser I can control. I'm worried now that Firefox might be turning into Chrome, though.)

[NikkiA]

> including the UK shortly

If you're implying the porn filter, no, the porn filter has been shelved 'indefinitely' because a) it's against EU law, b) it was May's personal project (she pushed heavily for it when she was Home Secretary, and it became a thing under her PM-ship).