This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Howto let Sophos UTM return NXDOMAIN for use-application-dns.net

I don't know if everyone is aware but Firefox is enabling DNS-Over-HTTPS starting late September:

https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

I'd like to block this behavior and one of the options to stop this is by letting DNS returning NXDOMAIN for the Canary domain use-application-dns.net .

Does anyone know how to actually implement this on Sophos UTM 9.6?



This thread was automatically locked due to age.
  • Hi  

    We can not return NXDOMAIN exactly. However, you may create a DNS request route for this domain to a non-existing host and thus the user will not be able to do DNS lookup for this host. Or you may redirect the request to your Internal DNS server and maybe you can configure it over there.

    Regards

    Jaydeep

  • Hi Jaydeep,

    Jaydeep said:

    Hi  

    We can not return NXDOMAIN exactly.

    I was afraid of that.

    Jaydeep said:

    However, you may create a DNS request route for this domain to a non-existing host and thus the user will not be able to do DNS lookup for this host. Or you may redirect the request to your Internal DNS server and maybe you can configure it over there.

     

    I tried adding a DNS host which points to a non-existant domain; this does not work (UTM just returns the correct IP addresses) Your suggesting of using a dummy DNS forwarder (at least I think that is what you are suggesting) appears to work though:

    C:\Users\tomda>ping use-application-dns.net
    Ping request could not find host use-application-dns.net. Please check the name and try again.

    The Time-out does take a pretty long time (because I pointed it to an internal IP address that is not in use)

  • Yes, I meant to suggest using a DNS Request Redirect option under Network Services > DNS > Request Routing Something like this:



    And I'm not sure if we can do anything about the timeout.

    Regards

    Jaydeep