Thursday, October 17, 2019
You know, we might as well just run every network service over HTTPS/2 and build another six layers on top of that to appease the OSI 7-layer burrito guys
I've seen the writing on the wall, and while for now you can configure Firefox not to use DoH, I'm not confident enough to think it will remain that way. To that end, I've finally set up my own DoH server for use at Chez Boca. It only involved setting up my own CA to generate the appropriate certificates, installing my CA certificate into Firefox, configuring Apache to run over HTTP/2 (THANK YOU SO VERY XXXXXXX MUCH GOOGLE FOR SHOVING THIS HTTP/2 XXXXXXXX DOWN OUR THROATS!—no, I'm not bitter) and writing a 150-line script that just queries my own local DNS, because, you know, it's more XXXXXXX secure or some XXXXXXXX reason like that.
Sigh.
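For anyone wondering what that "script that just queries my own local DNS" has to do, here is an added example of the same idea in Python; it is not the script from this post. It implements the RFC 8484 wire exchange (GET with an unpadded base64url `dns` parameter, or POST of `application/dns-message`), sanity-checks the DNS message before anything touches the resolver, forwards it over UDP, and sets `Cache-Control` from the smallest TTL in the answer as the RFC asks. The upstream address 192.168.1.10:53 is taken from the Firefox settings below; the function names and the `demo_resolver` (which answers everything with a constructed A record) are assumptions made for this example so it runs offline.

```python
#!/usr/bin/env python3
"""Minimal RFC 8484 DoH endpoint (added example, not the post's own script).
Assumes the local resolver is at 192.168.1.10:53; demo_resolver is constructed."""
import base64, os, socket, struct, sys, urllib.parse

DNS_MESSAGE = "application/dns-message"   # the only media type RFC 8484 defines
UPSTREAM = ("192.168.1.10", 53)          # local resolver from the post (assumption)


def b64url_decode(text):
    """The 'dns' GET parameter is base64url *without* padding; restore it."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_query(name, qtype=1, txid=0):
    """Wire-format query; RFC 8484 clients use ID 0 so GET URLs are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # class IN


def _skip_name(msg, pos):
    """Offset just past a (possibly compressed) domain name at pos."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:            # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + n


def parse_question(msg):
    """(name, qtype) of the first question; ValueError on anything malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n, pos = msg[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression not allowed in a query name")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return ".".join(labels), struct.unpack("!H", msg[pos:pos + 2])[0]


def min_ttl(msg):
    """Smallest TTL over all RRs, for Cache-Control (RFC 8484 s5.1); 0 if none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, ttls = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4              # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        _, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        ttls.append(ttl)
        pos += 10 + rdlen
    return min(ttls) if ttls else 0


def forward_udp(wire, upstream=UPSTREAM, timeout=3.0):
    """Hand the raw query to the local resolver over plain UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(wire, upstream)
        return sock.recv(4096)


def doh_handle(method, query_string, content_type, body, resolve=forward_udp):
    """Return (status, headers, body) for one DoH request."""
    if method == "GET":
        dns = urllib.parse.parse_qs(query_string).get("dns")
        if not dns:
            return 400, {}, b"missing dns parameter"
        try:
            wire = b64url_decode(dns[0])
        except ValueError:                           # binascii.Error is a ValueError
            return 400, {}, b"bad base64url"
    elif method == "POST":
        if content_type != DNS_MESSAGE:
            return 415, {}, b"expected " + DNS_MESSAGE.encode()
        wire = body
    else:
        return 405, {"Allow": "GET, POST"}, b""
    try:
        parse_question(wire)             # reject junk before it reaches the resolver
    except ValueError as e:
        return 400, {}, str(e).encode()
    answer = resolve(wire)
    return 200, {"Content-Type": DNS_MESSAGE,
                 "Cache-Control": "max-age=%d" % min_ttl(answer)}, answer


def demo_resolver(wire):
    """Constructed stand-in for the real resolver: A 192.0.2.1 with TTL 60 for everything."""
    txid = struct.unpack("!H", wire[:2])[0]
    question = wire[12:_skip_name(wire, 12) + 4]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    if "REQUEST_METHOD" in os.environ:                 # running as a CGI under Apache
        meth = os.environ["REQUEST_METHOD"]
        body = sys.stdin.buffer.read() if meth == "POST" else b""
        status, hdrs, out = doh_handle(meth, os.environ.get("QUERY_STRING", ""),
                                       os.environ.get("CONTENT_TYPE"), body)
        head = "Status: %d\r\n" % status + "".join("%s: %s\r\n" % kv for kv in hdrs.items())
        sys.stdout.buffer.write(head.encode() + b"\r\n" + out)
    else:                                              # offline demo with demo_resolver
        q = b64url_encode(build_query("playground.local"))
        status, hdrs, out = doh_handle("GET", "dns=" + q, None, b"", demo_resolver)
        print(status, hdrs, parse_question(out), "min TTL", min_ttl(out))
```

Dropped into `cgi-bin/` it answers the URL the table below points Firefox at; run it with no `REQUEST_METHOD` in the environment and it exercises itself against the constructed resolver instead of the network. The point of `parse_question` running before `forward_udp` is that the endpoint is reachable by anything that can speak HTTPS to the server, so malformed messages are refused at the edge rather than handed to the resolver.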
And then I had to reconfigure Firefox using the “advanced configuration page” to tweak the following:
variable | value |
---|---|
network.trr.allow-rfc1918 | true |
network.trr.blacklist-duration | 0 |
network.trr.bootstrapAddress | 192.168.1.10 |
network.trr.confirmationNS | skip |
network.trr.custom_uri | https://playground.local/cgi-bin/dns.cgi |
network.trr.excluded-domains | |
network.trr.max-fails | 15 |
network.trr.mode | 3 |
network.trr.request-timeout | 3000 |
network.trr.resolvers | 192.168.1.10 |
network.trr.uri | https://playground.local/cgi-bin/dns.cgi |
I set network.trr.mode to “3” instead of “2” because it's coming. I know it's just coming, so I might as well get ahead of the curve.