Comments (7)

jawz101 commented on July 28, 2024 1

I don't know. I'm thinking about it. I guess I will remove it. Currently in the Firefox for Android app yes, you can manually disable DoH. I don't know if they take that ability away in the new Firefox Preview version, though.

from adaway.github.io.

dschaper commented on July 28, 2024 1

Following up:

  1. Pi-hole v4.4 default - canary domain on blocklist
    A/AAAA returns 0.0.0.0 / :: and DoH is enabled.
  2. Pi-hole v4.4 default - canary not on blocklist
    A/AAAA returns NXDOMAIN from the added server=/use-application-dns.net/ entry added in this version and DoH disabled.
  3. Pi-hole less than v.4.4 - canary not on blocklist
    DoH enabled.
  4. Pi-hole (any version) in NXDOMAIN blocking mode - canary domain on blocklist
    A/AAAA returns NXDOMAIN from canary on blocklist and DoH disabled.

jawz101 commented on July 28, 2024

I thought this would force DoH off but instead it sounds like it just switches the resolution from actually resolving to Mozilla's server to simply resolving successfully to a 0.0.0.0 IP for pi-hole.

For the Android app NetGuard it returns a DNS response of 3 (or NXDOMAIN) when a hostfile includes a domain.

I have a pi-hole at home as well so my question is this: how would I have that domain return a NOERROR (NXDOMAIN/SERVFAIL) response so that pi-hole handles Firefox's DNS lookups? It sounds like to get it to work, you would have to have it on a list but then configure pi-hole w/ an NXDOMAIN or SERVFAIL response rather than resolving to a 0.0.0.0 address, correct?

With a pi-hole in default configuration:

Scenario 1: have it on a blocklist. It resolves to 0.0.0.0 and Firefox enables DoH

Scenario 2: it isn't on a blocklist. It resolves to 63.245.208.212 and Firefox enables DoH

With a pi-hole in NXDOMAIN response configuration:

Scenario 3: have it on the blocklist and change pi-hole config to respond with NXDOMAIN response instead of a 0.0.0.0 address

/etc/pihole/pihole-FTL.conf setting:

BLOCKINGMODE=NXDOMAIN

I would think you would have to change pi-hole's configurations AND have it on a blocklist to get pi-hole to tell Firefox not to use cloudflare, right?

WaLLy3K commented on July 28, 2024

If you do a lookup of use-application-dns.net to a standard upstream resolver such as Cloudflare, it will return the IP of 63.245.208.212. With the latest version of Pi-hole, FTL will return NXDOMAIN for that query.

jawz101 commented on July 28, 2024

But then for NetGuard on Android users it will pass through since it doesn't have such a hardcoded rule.

WaLLy3K commented on July 28, 2024

I'm not too sure how the Android side of things would work - would there not be a system-wide (or Firefox application-wide) setting to toggle this functionality somewhere?

spirillen commented on July 28, 2024

Just to follow up on this, as unfortunately changes have been made to this...

I can unfortunately confirm this misbehavior from FF

dig use-application-dns.net 

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> use-application-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43650
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

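Added example, not posted by anyone in this thread and not Pi-hole or Firefox code: a small Python check that reads `dig` output for the canary domain and reports which way the scenarios listed above fall (an address answer such as 0.0.0.0 leaves DoH enabled, NXDOMAIN disables it). The sample outputs are constructed, the function names are hypothetical, and the NOERROR-with-no-records case follows Mozilla's canary-domain documentation rather than anything stated in the comments.

```python
import re

CANARY = "use-application-dns.net"

# Constructed dig output: canary on a blocklist, default (null address) blocking.
SAMPLE_NULL_BLOCK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; ANSWER SECTION:
use-application-dns.net. 2      IN      A       0.0.0.0
"""

# Constructed dig output: resolver answers NXDOMAIN for the canary.
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2222
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;use-application-dns.net.       IN      A
"""


def parse_dig(text):
    """Return (status, [A/AAAA addresses answered for the canary])."""
    m = re.search(r"status:\s*([A-Z]+)", text)
    if not m:
        raise ValueError("no ->>HEADER<<- status line in dig output")
    addrs = []
    for line in text.splitlines():
        if line.startswith(";"):  # header, comments and the question section
            continue
        f = line.split()
        if len(f) >= 5 and f[0].rstrip(".").lower() == CANARY and f[3] in ("A", "AAAA"):
            addrs.append(f[4])
    return m.group(1), addrs


def canary_signal(text):
    """'doh-disabled' if the response tells Firefox to keep using the local resolver."""
    status, addrs = parse_dig(text)
    if status != "NOERROR":  # NXDOMAIN, SERVFAIL, ...
        return "doh-disabled"
    if not addrs:            # NOERROR with no A/AAAA records (per Mozilla's docs)
        return "doh-disabled"
    return "doh-enabled"     # any address counts, including 0.0.0.0 or ::
```

Feed it the output of `dig use-application-dns.net` run against the resolver under test; a blocklist entry served in the default null-address mode shows up as `doh-enabled`.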
