How to let Sophos UTM return NXDOMAIN for use-application-dns.net

I don't know if everyone is aware, but Firefox is enabling DNS-over-HTTPS starting late September:

https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

I'd like to block this behavior, and one of the options to stop it is to have the DNS server return NXDOMAIN for the canary domain use-application-dns.net.

Does anyone know how to actually implement this on Sophos UTM 9.6?

  • Hi

    We cannot return NXDOMAIN exactly. However, you may create a DNS request route for this domain to a non-existing host, and thus the user will not be able to do a DNS lookup for this host. Or you may redirect the request to your internal DNS server and maybe you can configure it over there.

  • In reply to Jaydeep:

    Hi Jaydeep,

    Jaydeep wrote:
        Hi
        We cannot return NXDOMAIN exactly.

    I was afraid of that.

    Jaydeep wrote:
        However, you may create a DNS request route for this domain to a non-existing host, and thus the user will not be able to do a DNS lookup for this host. Or you may redirect the request to your internal DNS server and maybe you can configure it over there.

     

    I tried adding a DNS host which points to a non-existent domain; this does not work (UTM just returns the correct IP addresses). Your suggestion of using a dummy DNS forwarder (at least I think that is what you are suggesting) appears to work though:

    C:\Users\tomda>ping use-application-dns.net
    Ping request could not find host use-application-dns.net. Please check the name and try again.

    The time-out does take a pretty long time (because I pointed it to an internal IP address that is not in use).

  • In reply to tomba:

    Yes, I meant to suggest using the DNS Request Redirect option under Network Services > DNS > Request Routing. Something like this:



    And I'm not sure if we can do anything about the timeout.
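As an added example (not code from this thread, and not Sophos or Mozilla code): a small standard-library Python script that sends a raw A query for use-application-dns.net to a resolver you name and reports whether it got NXDOMAIN, a NOERROR reply with no A records, a real address, or a timeout, together with how long the client waited. Assumptions: the resolver address on the command line (defaults to 127.0.0.1), UDP port 53, and the mapping in verdict() that treats NXDOMAIN or an empty NOERROR reply as the "blocked" outcome; build_response() produces constructed replies so the parser can be checked offline.

```python
"""Query a resolver for the Firefox DoH canary domain and classify the reply.
Added example, not code from this thread or from Sophos/Mozilla."""
import socket
import struct
import sys
import time

CANARY = "use-application-dns.net"
QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Encode a one-question DNS query with RD=1 for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(name, rcode, addresses=(), txid=0x1234):
    """Constructed reply to build_query(name): rcode plus optional A records.
    Used for offline checks only; real replies come from query_resolver()."""
    question = build_query(name, txid)[12:]
    flags = 0x8180 | (rcode & 0xF)            # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xc0\x0c"                            # pointer to the question name
        + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        + socket.inet_aton(addr)
        for addr in addresses
    )
    return header + question + answers


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            return offset + 2
        offset += 1 + length


def classify_response(msg, txid=0x1234):
    """Parse the header and answer section; return rcode, count, A addresses."""
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4   # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": ancount, "addresses": addresses}


def verdict(result):
    """Map a parsed reply (or None for a timeout) to a one-line verdict.
    Assumption: NXDOMAIN or a NOERROR reply with no A records is the outcome
    we want for the canary; a real address means it is still answered."""
    if result is None:
        return "no reply (timeout)"
    if result["rcode"] == "NXDOMAIN":
        return "blocked (NXDOMAIN)"
    if result["rcode"] == "NOERROR" and not result["addresses"]:
        return "blocked (no A records)"
    return "answered"


def query_resolver(server, name=CANARY, timeout=5.0, txid=0x1234):
    """Send the query over UDP/53; return (parsed reply or None, seconds waited)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
        return classify_response(data, txid), time.monotonic() - start
    except socket.timeout:
        return None, time.monotonic() - start
    finally:
        sock.close()


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed resolver
    result, elapsed = query_resolver(server)
    print(f"{CANARY} via {server}: {verdict(result)} after {elapsed:.2f}s {result or ''}")
```

Run it as `python canary_check.py <UTM address>` from a client that uses the UTM as its resolver. With the request-routing workaround from this thread you would expect "no reply (timeout)" rather than "blocked (NXDOMAIN)", and the elapsed time shows how long clients are left waiting; a result of "answered" with real addresses means the canary is still being resolved.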