Re: [SOLVED] Re: Firefox: Warning: Potential Security Risk Ahead for the USPS.com
tomas@tuxteam.de wrote:
> On Tue, Jan 04, 2022 at 04:09:42PM -0500, Dan Ritter wrote:
>
> [...]
>
> > Here's what I do:
> >
> > My local DNS resolver offers DNS, DNS over TLS, and DNS over
> > HTTPS.
> >
> > I supply a use-application-dns.net zone that returns NXDOMAIN.
> > That tells browsers to not use DoH.
>
> Oh, is it possible to tell the browsers which host to ask to resolve DoH
> requests? That would be... nice :)
Not precisely which host. A compliant DoH client (FF, Chrome) is supposed to
start by asking local DNS for a record from
use-application-dns.net, which Mozilla runs. If your DNS server has
use-application-dns.net and insists on returning NXDOMAIN, then
the client should fall back to using whatever DNS the operating
system supplies.
In Bullseye, unbound has support for both DNS-over-TLS and
DNS-over-HTTPS -- the latter is new.
> > I build an adblocker zone [...] that always answers with a 204 [...]
>
> nice
Pick an IP in your local net - let's say, 10.0.0.254. Use that
as your DNS response instead of 127.0.0.1. This will work just
fine in /etc/hosts.
Make sure you have a machine listening to 10.0.0.254, and set up
a web server to answer regardless of name.
For nginx:
server {
    listen 10.0.0.254:80;
    server_name _;          # catch-all: answer no matter which Host name is asked for
    root /var/www/blank;
    index blank.png;
    # image requests are sent to the empty_gif location, everything else to /
    rewrite .+?(png|gif|jpe?g)$ /blankimg last;
    rewrite ^(.*)$ / last;
    location / {
        return 204;         # No Content: the browser gets a success status with nothing to render
    }
    location /blankimg {
        empty_gif; # See http://nginx.org/en/docs/http/ngx_http_empty_gif_module.html
    }
}
So if the page asks for an image, I supply a 1x1 transparent dot.
If it asks for anything else, 204, which is not an error.
-dsr-