Configure networks to disable DNS over HTTPS

Firefox Firefox 최종 변경일: 2주, 6일 ago 50%의 사용자가 유용하다고 평가했습니다.
아직 누구도 이 문서의 번역에 참여하지 않았습니다. SUMO 문서 변역에 참여하는 방법에 대해 이미 알고 계시다면, 번역을 시작해 보세요 . SUMO 문서를 번역하는 방법에 대해 알고 싶으시면, 여기서 시작하세요.

At Mozilla, we believe that DNS over HTTPS (DoH) is a feature that everyone should use to enhance their privacy. By encrypting these DNS requests, DoH hides your browsing data from anyone on the network path between you and your nameserver. For instance, using standard DNS queries on a public network can potentially disclose every website you visit to other users on the network as well as the network operator. While we would like to encourage everyone to use DoH, we also recognize that there are a few circumstances in which DoH can be undesirable, namely:

  • Networks that have implemented some sort of filtering via the default DNS resolver. This can be used to implement parental controls or to block access to malicious websites.
  • Networks that respond to names that are private, and/or that provide different responses than are provided publicly. For example, a company may only expose the address of an application used by employees on their internal network.

Networks can signal to Firefox that there are special features such as these in place that would be disabled if DoH were used for domain name resolution. Checking for this signaling will be implemented in Firefox when DoH is enabled by default for users. This will first happen for users in the United States in the Fall of 2019, in Canada in the Summer of 2021 and in Russia and Ukraine in March 2022. If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.

Network administrators may configure their networks to treat DNS requests for a canary domain differently, to signal that their local DNS resolver implements special features that make the network unsuitable for DoH.

In addition to the canary domain signal described above, Firefox will perform some checks for network features that are incompatible with DoH before enabling it for a user. These checks will be performed at browser startup, and each time the browser detects that it has moved to a different network, such as when a laptop is used at home, work, and a coffee shop. When any of these checks indicates a potential issue, Firefox will disable DoH for the remainder of the network session, unless the user has enabled the “DoH always” preference as mentioned above. The additional checks that will be performed for content filtering are:

  • Resolve canary domains of certain known DNS providers to detect content filtering.
  • Resolve the “safe-search” variants of google.com and youtube.com to determine if the network redirects to them.
  • On Windows and macOS, detect parental controls enabled in the operating system.

The additional checks that will be performed for private “enterprise” networks are:

  • Is the Firefox security.enterprise_roots.enabled preference set to true?
  • Is any enterprise policy configured?

이 문서가 도움이 되셨습니까?

잠시만 기다려 주십시오...

문서 작성 및 변경에 도움 주신 분들

Illustration of hands

도움 주기

전문 지식을 성장시키고 다른 사람들과 공유세요. 질문에 답하고 지식 기반을 개선할 수 있습니다.

자세히 살펴보기