Disable DNS over HTTPS in Firefox

snook
New Contributor III

I was looking everywhere for this info so hopefully this will help some of you too:

With the new v70 of Firefox, DNS over HTTPS is turned on by default.

Our Network and InfoSec dept do NOT like that and asked us to disable and block this.

After some research I have found that a policies.json file with the following text will disable and grey out the DoH setting in Firefox.

{

"policies": {

"DNSOverHTTPS": {

"Enabled": false,

"Locked": true

}

}

}

Tested in ESR and normal FF, v 68 and up.

This file has to be in Applications/Firefox.app/Contents/Resources/distribution to work and it is global not user based, which is a good thing. The distribution folder is not there so you will have to make it and add the json file

It does require a restart to FF after the push

There are a number of ways to deploy this: use a script to mkdir and write the file, create an ongoing policy to deliver the file from a dmg with smart group or Extension Attribute to scope, and I'm sure there are more.

You can also bake this file into your installers with AutoPKG or whatever deployment you use.

Hope it helps someone.

1 REPLY 1

snook
New Contributor III

JIC anyone wants to know why we need it disabled

From Firefox KB:

"While we would like to encourage everyone to use DoH, we also recognize that there are a few circumstances in which DoH can be undesirable, namely:

Networks that have implemented some sort of filtering via the default DNS resolver. This can be used to implement parental controls or to block access to malicious websites.
Networks that respond to names that are private, and/or that provide different responses than are provided publicly. For example, a company may only expose the address of an application used by employees on their internal network."

Our enterprise has Akamai Enterprise Threat Protector and this directly impacts investment/value of Akamai Enterprise Threat Protector as DoH would prevent AETP to DNS queries to review for malware or intrusion events.