Thursday, October 3, 2019
What is happening? Firefox will be prevented from making DNS requests to Cloudflare in order to protect users against phishing and malware attacks.
Why is this happening? Mozilla plans to enable DNS queries over HTTPS (DoH) by default in Firefox version 69+, regardless of a user's operating system configuration. As a result, users of Firefox and Chrome on campus will not be able to resolve certain subdomains or anything with RFC1918 reserved IPs. Google will also be enabling DNS queries over HTTPS for Chrome.
What does this mean? For example, the nexus.uwaterloo.ca domain is not public; a Firefox user with the default DNS over HTTPS configuration will not be able to visit foo.nexus.uwaterloo.ca in their browser or resolve any name pointing to a private IP.
- While IST could send configurations to modify or to disable DoH on managed systems, users of unmanaged systems and campus visitors may not be able to access certain campus resources.
- However, Mozilla has an option for enterprises who wish to block DoH: campus DNS servers could be configured to return NXDOMAIN for a "canary" domain, documented by Mozilla.
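A check that a campus resolver sends the canary signal described above, as an added example that is not part of the original notice: it builds the DNS query for the canary name and reads the response code from the reply. The name use-application-dns.net comes from Mozilla's documentation rather than this page, the function names are illustrative, and `sample_response` produces constructed replies so the logic can be exercised offline.

```python
import secrets, socket, struct

CANARY = "use-application-dns.net"  # canary name from Mozilla's docs, not this notice
NXDOMAIN = 3                        # DNS RCODE for "name does not exist"

def build_query(name, qtype=1, txid=None):
    """Build a recursive DNS query (qtype 1 = A, 28 = AAAA)."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_rcode(query, response):
    """Return the RCODE after checking the response really answers `query`."""
    if len(response) < len(query):
        raise ValueError("truncated response")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if response[12:len(query)].lower() != query[12:].lower():
        raise ValueError("question section does not match")
    return flags & 0x000F

def signals_doh_off(query, response):
    """True when the resolver answered the canary query with NXDOMAIN."""
    return parse_rcode(query, response) == NXDOMAIN

def check_resolver(server, timeout=3.0):
    """Live check against one resolver IP (needs network; not used offline)."""
    query = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected UDP: replies from other hosts are dropped
        s.send(query)
        return signals_doh_off(query, s.recv(512))

def sample_response(query, rcode, answer=b""):
    """Constructed reply for offline use: echoes the question, sets RCODE."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer
```
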
What do users have to do? No action is required by users; this is for information only.
Questions or concerns? Please contact your local IT representative.