Menu
What's new
By:
Filters Better Search

Prevent client auto DoH

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

X

Xboxsx4life

Occasional Visitor
Hello. I'm running AX86U Pro with latest Merlin release. I've reviewed this thread...

www.snbforums.com

Prevent client auto DoH

Hi, with regards the setting for Prevent client auto DoH, wanted to be sure I understand what the "Yes" option means. I see the release notes say: Added option to prevent automatic DoH upgrade by Firefox. By default this option will only prevent automatic upgrade if you use DNSFilter or...
www.snbforums.com www.snbforums.com

...but I'm still not clear on the difference between "Auto" and "Yes" for the "Prevent client auto DoH" setting when using a DNS filter with DoT.

I currently have DoT enabled in strict mode with Cloudflare's resolvers. And I have Prevent client auto DoH set to "Auto". Should this be changed to "Yes"?

Capture.PNG
 
Many Asuswrt settings will display a context help popup if you click on the label:

1707424329575.png
 
sfx2000 said:
Just note that DoH depends on a white/black list of hosts...
Click to expand...
The way my Prevent auto DoH works is through the APIs used by Windows and Firefox.

In Firefox's case, it won't auto-promote to DoH if the use-application-dns.net hostname resolves to NXDOMAIN or no valid record.

Canary domain - use-application-dns.net | Firefox Help

Network administrators may configure their networks to modify DNS requests for the following special-purpose domain, called a ''canary domain''.
support.mozilla.org support.mozilla.org

In Windows' case, it works by preventing DDR (Discovery of Designed Resolver) from working:
techcommunity.microsoft.com

Making DoH Discoverable: Introducing DDR

Discovery of Designated Resolvers (DDR) is available to Windows Insiders to dynamically discover DoH configurations
techcommunity.microsoft.com
 
Thanks for everyone’s responses. Much appreciated. Final follow up question…

How valuable would it be to enable rebind protection? I understand what it does but not sure how much additional security it would add given that it can break certain services from what I’ve read. I’m using DoT in strict mode with ‘DNSSEC’ and ‘validate unsigned replies’ both enabled. Just not sure if it’s worth enabling rebind protection too.

Thanks again.
 
Last edited:
RMerlin said:
The way my Prevent auto DoH works is through the APIs used by Windows and Firefox.

In Firefox's case, it won't auto-promote to DoH if the use-application-dns.net hostname resolves to NXDOMAIN or no valid record.

Canary domain - use-application-dns.net | Firefox Help

Network administrators may configure their networks to modify DNS requests for the following special-purpose domain, called a ''canary domain''.
support.mozilla.org support.mozilla.org

In Windows' case, it works by preventing DDR (Discovery of Designed Resolver) from working:
techcommunity.microsoft.com

Making DoH Discoverable: Introducing DDR

Discovery of Designated Resolvers (DDR) is available to Windows Insiders to dynamically discover DoH configurations
techcommunity.microsoft.com
Click to expand...
Hi. Do you know how Asus implements this: "Prevent client auto DoH" and exactly how it works? Also are there any cons or side effects when set to Yes? Thank You very much for your insight.
I have an RT-AX86U Pro with the latest Asus firmware 3.0.0.6.102_34313 and with Filter Mode: Safe Quad9.
 
Last edited:
Intrepid said:
Hi. Do you know how Asus implements this: "Prevent client auto DoH" and exactly how it works?
Click to expand...
Asus didn't implement this, I did.

All it does is sinkhole a few specific domains that are used by various clients to determine if automatic promotion to DoH should be done or not.

Code: 
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
address=/mask.icloud.com/mask-h2.icloud.com/

First one is for Firefox, second one is for Windows, and third one is for iOS.
 
RMerlin said:
Asus didn't implement this, I did.

All it does is sinkhole a few specific domains that are used by various clients to determine if automatic promotion to DoH should be done or not.

Code: 
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
address=/mask.icloud.com/mask-h2.icloud.com/

First one is for Firefox, second one is for Windows, and third one is for iOS.
Click to expand...
Thanks! Several people last year claim it broke Apple iCloud. But I don't see an iCloud issue after testing two Windows PCs.
See: https://zentalk.asus.com/t5/network...ffecting-icloud-connection/td-p/379654/page/2
Any side effects we should be aware of when "Prevent client auto DoH" is set to Yes using stock Asus firwmware?
"Asus didn't implement this, I did." Does this mean you wrote the code and Asus adopted it? :)
Thank You again.
 
Intrepid said:
Several people last year claim it broke Apple iCloud.
Click to expand...
It does not. What it does is prevent iCloud Private Relay from bypassing your router's configured DNS servers, which is the point behind this toggle option.
Intrepid said:
Does this mean you wrote the code and Asus adopted it?
Click to expand...
Yes. There's quite a few pieces of code in upstream Asuswrt that originally came from Asuswrt-Merlin, it's nothing really exceeptional here. Although Asus only prevents Firefox' auto DoH promotion from working, they didn't implement (so far) the additional sinkholes.
 
You must log in or register to reply here.

Similar threads

badaz
LAN - DHCP - prevent auto DoH?
Replies
5
Views
517
badaz
badaz
RMerlin
  • Locked
Beta Asuswrt-Merlin 386.13 beta is now available for AC models
2
Replies
32
Views
6K
RMerlin
RMerlin
RMerlin
  • Locked
Release Asuswrt-Merlin 3004.388.7 is now available
20 21 22
Replies
435
Views
62K
KronFace
K
RMerlin
  • Locked
Beta Asuswrt-Merlin 3004.388.7 beta is now available
5 6 7
Replies
123
Views
16K
RMerlin
RMerlin
RMerlin
Release Asuswrt-Merlin 386.13 / 386.13_2 is now available for AC models
2 3 4
Replies
79
Views
18K
Tech9
Tech9
Similar threads
Thread starter Title Forum Replies Date
S Prevent client from connecting to router but allow connection to internet via access point Asuswrt-Merlin 4
S prevent a jffs script to be run twice in parallel Asuswrt-Merlin 1
postoronnim-v How to prevent WireGuard VPN server clients from accessing the local network (allow only Internet access)? Asuswrt-Merlin 18
saison2023 Any way to disable/prevent start of a script without uninstalling it ? Asuswrt-Merlin 4
R Prevent SSH Disconnect / Timeout around ~ 105-116 seconds from last activity on terminal session Asuswrt-Merlin 7
J Prevent bypassing AGH DNS Asuswrt-Merlin 5
T Prevent wanduck's restart_wan_if on WAN connection coming back? Asuswrt-Merlin 3
A Prevent and Stop WAN connection unless Diversion and USB device is working! Asuswrt-Merlin 6
D Prevent a loop caused by connecting to AX86U wireguard server? Asuswrt-Merlin 15
Panic Button Wireguard client optional DNS Server setting Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,124 (members: 23, guests: 1,101)
Top