Prevent client auto DoH

Xboxsx4life · Feb 8, 2024

Hello. I'm running AX86U Pro with latest Merlin release. I've reviewed this thread...

Prevent client auto DoH

Hi, with regards the setting for Prevent client auto DoH, wanted to be sure I understand what the "Yes" option means. I see the release notes say: Added option to prevent automatic DoH upgrade by Firefox. By default this option will only prevent automatic upgrade if you use DNSFilter or...

www.snbforums.com

...but I'm still not clear on the difference between "Auto" and "Yes" for the "Prevent client auto DoH" setting when using a DNS filter with DoT.

I currently have DoT enabled in strict mode with Cloudflare's resolvers. And I have Prevent client auto DoH set to "Auto". Should this be changed to "Yes"?

dave14305 · Feb 8, 2024

If DNS Privacy or DNS Director are enabled, the Auto option means “Yes.” If neither are enabled, Auto means “No.”

Xboxsx4life · Feb 8, 2024

Perfect. Thank you.

RMerlin · Feb 8, 2024

Many Asuswrt settings will display a context help popup if you click on the label:

sfx2000 · Feb 8, 2024

Just note that DoH depends on a white/black list of hosts...

RMerlin · Feb 9, 2024

sfx2000 said:
Just note that DoH depends on a white/black list of hosts...

The way my Prevent auto DoH works is through the APIs used by Windows and Firefox.

In Firefox's case, it won't auto-promote to DoH if the use-application-dns.net hostname resolves to NXDOMAIN or no valid record.

Canary domain - use-application-dns.net | Firefox Help

Network administrators may configure their networks to modify DNS requests for the following special-purpose domain, called a ''canary domain''.

support.mozilla.org

In Windows' case, it works by preventing DDR (Discovery of Designed Resolver) from working:

Making DoH Discoverable: Introducing DDR

Discovery of Designated Resolvers (DDR) is available to Windows Insiders to dynamically discover DoH configurations

techcommunity.microsoft.com

Xboxsx4life · Feb 9, 2024

Thanks for everyone’s responses. Much appreciated. Final follow up question…

How valuable would it be to enable rebind protection? I understand what it does but not sure how much additional security it would add given that it can break certain services from what I’ve read. I’m using DoT in strict mode with ‘DNSSEC’ and ‘validate unsigned replies’ both enabled. Just not sure if it’s worth enabling rebind protection too.

Thanks again.

Thread starter	Title	Forum	Replies	Date
S	Prevent client from connecting to router but allow connection to internet via access point	Asuswrt-Merlin	4	Tuesday at 3:11 PM
R	Prevent SSH Disconnect / Timeout around ~ 105-116 seconds from last activity on terminal session	Asuswrt-Merlin	7	Feb 27, 2024
J	Prevent bypassing AGH DNS	Asuswrt-Merlin	5	Jan 4, 2024
T	Prevent wanduck's restart_wan_if on WAN connection coming back?	Asuswrt-Merlin	3	Dec 14, 2023
A	Prevent and Stop WAN connection unless Diversion and USB device is working!	Asuswrt-Merlin	6	Oct 19, 2023
D	Prevent a loop caused by connecting to AX86U wireguard server?	Asuswrt-Merlin	15	Oct 9, 2023
H	add_wlc_event_tbl(1040): client table was full	Asuswrt-Merlin	0	Monday at 4:12 AM
A	Restart WireGuard client when fails	Asuswrt-Merlin	5	Apr 9, 2024
A	Inconsistencies and broken behavior with client status and DHCP leases - AX86UP 388.6_2	Asuswrt-Merlin	17	Mar 17, 2024
B	Solved Client list in Network Map is empty and changing the System Log verbosity in the web GUI does nothing	Asuswrt-Merlin	7	Mar 6, 2024

Search

Search

Prevent client auto DoH

Xboxsx4life

Occasional Visitor