Bypass DNS Controls with DNS over HTTPS (no bootstrap required)

I have a love/hate relationship with DNS over HTTPS (DoH). While I see its usefulness for those who live in less than savory political conditions, I also see it causing huge headaches for sysadmins: shadow IT, pen testers and hackers bypassing controls, and so on. Nonetheless, this is a walkthrough for those interested in bypassing in-place DNS controls with DoH and *not* using a bootstrap address.

Changelog
18Feb2019 – Originally posted

Many articles discuss how to configure a browser (specifically Firefox) for DoH. The problem is that the DoH server is named by hostname (cloudflare-dns.com, for example), and Firefox has to learn that host's IP address before the first DoH query can go out: either through a plaintext lookup against the standard system resolver, or from a preconfigured IP for the DoH host, commonly referred to as the bootstrap address. Either way, DoH really only takes off after that initial step, as shown below.

DNS over HTTPS with bootstrap address

What happens if someone really doesn’t want you to use DoH, so they blackhole DNS queries for the major DoH providers’ hostnames? Then that very first step fails: Firefox never learns the DoH server’s address, so every subsequent query to it fails too. And if you set your TRR mode to “2” as most tutorials suggest, Firefox falls back to the standard resolver and you end up doing ordinary plaintext DNS for everything anyway.

0 — Off (default). To use operating system resolver.
1 — Race native against TRR. Do both in parallel and go with the one that returns a result first. Most likely the native one will win.
2 — First. Use TRR first, and only if the secure resolution fails use the operating system resolver.
3 — Only. Only use TRR. Never use the native (after the initial setup).
4 — Shadow. Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
5 — Off by choice. This is the same as 0 but marks it as done by choice and not done by default.

Link to original post of above table/descriptions

The answer lies in skipping the bootstrap address altogether. This is accomplished by switching the TRR mode to “3” and pointing the TRR URL (network.trr.url) at Cloudflare’s DoH service by IP address instead of by hostname. Basically, substitute 1.1.1.1 for cloudflare-dns.com. This works because the certificate Cloudflare presents on 1.1.1.1 lists the IP address itself as a subject alternative name, so the TLS connection validates without any hostname being involved; a provider whose DoH certificate covers only hostnames would fail certificate validation when addressed this way. At this time, Cloudflare is the only major DNS provider that I know of who supports this configuration, although I wouldn’t be surprised to see others such as Google and Quad9 follow suit.

To configure this in Firefox, type “about:config” in the address bar and click through the warning that you accept the risk. Next, type “network.trr” (minus the quotes) into the search box to narrow down the results. Finally, set the two preferences shown below. The bootstrap address (network.trr.bootstrapAddress) is highlighted in the image only to show that it is left at its default, i.e. it is not needed.

network.trr.mode = 3
network.trr.url = https://1.1.1.1/dns-query

Firefox settings for DoH without a bootstrap address
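To make concrete what changes when the resolver is addressed by IP, here is an added example of my own; it is not code from the original post or from Firefox. It checks whether a given network.trr.url would need a bootstrap lookup at all, builds the RFC 8484 GET form of a DoH query, and parses an application/dns-message response. It runs entirely offline: the response bytes are constructed by hand, and example.com and 192.0.2.1 are my sample values, not anything from the post. The 1.1.1.1 URL is the one the post configures; the cloudflare-dns.com URL is the hostname form it replaces.

```python
"""Added example, not code from the original post: what an RFC 8484 DoH lookup
looks like when the resolver is addressed by IP, and why that removes the
bootstrap step.  Runs offline; the response bytes below are constructed."""
from __future__ import annotations

import base64
import ipaddress
import struct
from urllib.parse import urlsplit, urlunsplit

DOH_BY_NAME = "https://cloudflare-dns.com/dns-query"  # host must be resolved first
DOH_BY_IP = "https://1.1.1.1/dns-query"               # the post's network.trr.url


def needs_bootstrap(doh_url: str) -> bool:
    """True if the DoH server is named by hostname, so the client must resolve
    that name (native resolver or network.trr.bootstrapAddress) before it can
    send a single DoH query.  An IP literal in the URL skips that step."""
    host = urlsplit(doh_url).hostname
    if host is None:
        raise ValueError("DoH URL has no host")
    try:
        ipaddress.ip_address(host)  # IPv6 literals arrive with brackets stripped
        return False
    except ValueError:
        return True


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: RD=1, one question, QCLASS IN.  Transaction ID 0
    as RFC 8484 recommends, so identical queries are cacheable over HTTP."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(doh_url: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: the wire query, base64url without padding, in the
    'dns' parameter.  With DOH_BY_IP the result contains no hostname at all,
    so there is nothing left to leak to the native resolver over port 53."""
    wire = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    parts = urlsplit(doh_url)
    query = f"{parts.query}&dns={wire}" if parts.query else f"dns={wire}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # the name ends at the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer RR of a DoH response body;
    application/dns-message is plain DNS wire format, nothing more."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            text = str(ipaddress.IPv6Address(rdata))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


# Constructed response body: example.com A 192.0.2.1, TTL 300, with the answer
# name given as a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 c0000201"
)
```

Calling needs_bootstrap on the two URLs gives True for the hostname form and False for the IP form, and doh_get_url(DOH_BY_IP, "example.com") yields a URL with no hostname anywhere in it, which is the whole point of the post: there is nothing for the native resolver to be asked about before the HTTPS connection to 1.1.1.1 goes out. parse_answers(SAMPLE_RESPONSE) returns the single A record, a reminder that a DoH reply is ordinary DNS wire format carried in an HTTP body.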

Happy unfiltered DNS querying! And please use this information only for good. 😉 Keep in mind that this particular method (via Firefox) covers only the lookups Firefox itself makes for your web browsing; the operating system and every other application keep using the native resolver. Also remember what mode 3 means: there is no fallback, so if HTTPS to 1.1.1.1 is blocked, Firefox will not resolve anything at all rather than quietly reverting to plaintext DNS, which from the defender’s side makes blocking port 443 to the public resolvers the remaining control. However, this methodology can be applied to any DoH client.
