LinuxQuestions.org
Old 01-14-2021, 04:09 PM   #1
chomwitt
Member
 
Registered: Jul 2020
Location: Hellas
Distribution: Devuan+XFCE
Posts: 53

Rep: Reputation: Disabled
Why won't Firefox respect my DNS settings, but DNS utilities (dig, nslookup) will?


In my home LAN I've installed a Pi Zero with Pi-hole, with
static IP 192.168.1.201

From another host, 192.168.1.200, I try:

$ dig youtube.com

Quote:
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52737
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;youtube.com. IN A

;; ANSWER SECTION:
youtube.com. 2 IN A 0.0.0.0

;; Query time: 5 msec
;; SERVER: 192.168.1.201#53(192.168.1.201)
;; WHEN: Fri Jan 15 00:02:34 EET 2021
;; MSG SIZE rcvd: 45
But Firefox can visit YouTube.

How could an application use a different DNS resolution procedure?

I have cleared Firefox's DNS cache:
about:networking#dns
 
Old 01-14-2021, 04:18 PM   #2
teckk
LQ Guru
 
Registered: Oct 2004
Distribution: Arch
Posts: 5,152
Blog Entries: 6

Rep: Reputation: 1835
What are you asking?

192.168.1.201 is doing NAT? And it has its own DNS config?

What is in resolv.conf for 192.168.1.200, are you using 192.168.1.201 as your DNS? Looks like it.
 
Old 01-14-2021, 04:33 PM   #3
chomwitt
Member
 
Registered: Jul 2020
Location: Hellas
Distribution: Devuan+XFCE
Posts: 53

Original Poster
Rep: Reputation: Disabled
192.168.1.201 is a Pi Zero where I installed Pi-hole. I don't know anything else about its config.
And it's attached by cable to the home gateway.


This is /etc/resolv.conf on the host 192.168.1.200, from where I run the tests.
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 192.168.1.201
nameserver 192.168.1.201
nameserver 192.168.1.1
nameserver fe80::1%wlxc025e91a0bef


And:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

....
#hosts: files dns mdns4_minimal [NOTFOUND=return]
#hosts: files mdns4_minimal [NOTFOUND=return] dns
hosts: files
....

Yep, hosts is set only to files!! But Firefox has no problem! But ping does!


systemd services running:
resolvconf.service
dhcpcd.service
NetworkManager.service
---------------------------------------------------
I have disabled the systemd-resolved service.
I can't disable resolvconf.service

I don't know who wrote to /etc/resolv.conf. I had only one entry in:
/etc/resolvconf/resolv.conf.d/head
nameserver 192.168.1.201

Last edited by chomwitt; 01-14-2021 at 04:48 PM.
 
Old 01-14-2021, 08:11 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,381
Blog Entries: 28

Rep: Reputation: 6163
I'm not certain, but this might be relevant: https://blog.mozilla.org/blog/2020/0...-for-us-users/
 
2 members found this post helpful.
Old 01-16-2021, 02:42 AM   #5
chomwitt
Member
 
Registered: Jul 2020
Location: Hellas
Distribution: Devuan+XFCE
Posts: 53

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by frankbell View Post
I'm not certain, but this might be relevant: https://blog.mozilla.org/blog/2020/0...-for-us-users/
Thanks. Indeed. Firefox seems to do its own DNS resolution. On a host
of my home LAN with a headless Pi Zero + Pi-hole wired to the gateway,
Epiphany, Falkon and Chromium use the /etc/resolv.conf which points to
my Pi-hole. Only Firefox 84.0.2 does its own DNS resolution.
Could other forum members please fact-check that?

So it's weird that Firefox says it tried to do something good, like securing the DNS resolution, but in my case it took two nights of troubleshooting, messing with:

/etc/network/interfaces

/etc/hosts

/etc/nsswitch.conf

systemd-resolved

resolvconf.service

NetworkManager (and its GUI + text utilities, nmcli ..)

dhcpcd (that's a DHCP server that I don't know why
it was installed. I removed it eventually)

dhcp client

and netplan!...

and all the above x 4 (as the hosts of my home LAN)

just to find out that Firefox does DNS resolution on its own.

Now I have uninstalled it on that host.


So, sidetracking a little, I am wondering: can a Linux distro or a home LAN "admin" enforce a single DNS resolution policy?

And sidetracking a little more: does a little home host need all those DNS/network services, caches, middlewares, etc.?

I wrote a question weeks ago in LQ on seeing containers as overprovisioned guests.
Now do we also have home host distros with overprovisioned LAN configuration?

Last edited by chomwitt; 01-16-2021 at 03:01 AM.
 
Old 01-16-2021, 03:51 AM   #6
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by chomwitt View Post
Firefox seems to do its own dns resolution.
Not necessarily. Mine doesn't, and doesn't default to it either.
Have you checked
Preferences => General => Network Settings => Settings => Enable DNS over HTTPS
???
 
Old 01-16-2021, 04:57 AM   #7
chomwitt
Member
 
Registered: Jul 2020
Location: Hellas
Distribution: Devuan+XFCE
Posts: 53

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
Not necessarily. Mine doesn't, and doesn't default to it either.
Have you checked
Preferences => General => Network Settings => Settings => Enable DNS over HTTPS
???
Thanks. I checked it. It's not enabled.
Still, if that was the case, wouldn't that qualify as 'Firefox does its own DNS resolution'
since it ignores /etc/resolv.conf?

Anyway, Firefox still does something different. I see in my Pi-hole that it tries mozilla-cloudfare.com.

Last edited by chomwitt; 01-16-2021 at 05:04 AM.
 
Old 01-16-2021, 01:22 PM   #8
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
^ Yes, I was hoping you'd have to UNcheck it.
 
Old 01-16-2021, 02:27 PM   #9
chomwitt
Member
 
Registered: Jul 2020
Location: Hellas
Distribution: Devuan+XFCE
Posts: 53

Original Poster
Rep: Reputation: Disabled
Interesting. The NSA has made a public announcement on DoH.

Without being a spy, my recent experience with the Pi-hole makes me also sceptical of the shortcomings of allowing
each application in a system to have its own DNS resolution process, creating issues with any effort for central
control of DNS traffic in a network.

Last edited by chomwitt; 01-16-2021 at 02:29 PM.
 
Old 01-17-2021, 12:16 AM   #10
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
FF defaults to using Cloudflare for DNS over HTTPS; personally, I don't see how this is an improvement over unencrypted DNS requests.
 
1 members found this post helpful.
Old 01-18-2021, 12:24 PM   #11
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
I don't think it's aimed at security. It's more aimed at being inclusive. Cloudflare probably doesn't censor who is in its DNS list. So by forcibly using those DNS servers, you can bypass any censorship being implemented at the local and ISP level.

It was probably implemented as a feature to defeat Chinese and Russian internet censorship, amongst the many other countries. It isn't about security.

@OP. Try the latest version of Seamonkey if you need a FF-type browser that has less crap in it. It uses the latest ESR code but doesn't come with the DNS bypass as far as I know, not yet anyway. Alternatively, you could compile from source and maybe get rid of those features at the compile level. I honestly don't see FF being usable by corporate or business clients very soon. The amount of bloat that gets added is making it less of a good choice.
 
1 members found this post helpful.
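
Added example, not written by any poster in this thread: a small audit for the question raised in post #5, checking whether Firefox on a host will keep using the LAN resolver. It relies on Firefox's documented canary domain `use-application-dns.net` and the `network.trr.mode` preference (neither is named in the thread); the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): will Firefox bypass the LAN resolver?
# Live use: dig use-application-dns.net | canary_disables_doh
#           trr_mode < ~/.mozilla/firefox/<profile>/prefs.js

# Constructed dig replies for the canary name. The first mimics a blocker that
# answers 0.0.0.0, like the youtube.com reply in post #1.
SAMPLE_NULL_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
use-application-dns.net. 2 IN A 0.0.0.0'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2222
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
# Constructed prefs.js excerpt.
SAMPLE_PREFS='user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 5);'

# Reads dig output on stdin. Exit 0 if the reply signals "no default DoH"
# (any status other than NOERROR, or NOERROR with zero answers), 1 if it
# does not, 2 if no DNS header was found.
canary_disables_doh() {
    awk '
        /->>HEADER<<-/   { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0; next }
        /ANSWER: [0-9]+/ { sub(/.*ANSWER: /, ""); sub(/,.*/, ""); answers = $0 + 0 }
        END {
            if (status == "") exit 2
            if (status != "NOERROR") exit 0
            exit ((answers == 0) ? 0 : 1)
        }'
}

# Reads prefs.js/user.js text on stdin; prints network.trr.mode or "unset".
trr_mode() {
    mode=$(sed -n 's/^user_pref("network\.trr\.mode", *\([0-9][0-9]*\));.*/\1/p' | tail -n 1)
    echo "${mode:-unset}"
}

# doh_verdict MODE CANARY(yes|no): which resolver Firefox will end up using.
doh_verdict() {
    case "$1" in
        2|3) echo "bypasses-lan-dns" ;;   # DoH first / DoH only, set explicitly
        5)   echo "uses-system-dns" ;;    # DoH off by user choice
        *)   # 0 or unset: default state, where the canary can hold DoH back
             if [ "$2" = yes ]; then echo "uses-system-dns"
             else echo "may-bypass-lan-dns"; fi ;;
    esac
}

printf '%s\n' "$SAMPLE_NULL_ANSWER" | canary_disables_doh && c=yes || c=no
echo "unset mode, 0.0.0.0 canary answer: $(doh_verdict unset "$c")"
```

A blocker that answers the canary name with 0.0.0.0 does not count as the signal, because that reply is NOERROR with an A record. To enforce rather than audit, Firefox's enterprise policy `DNSOverHTTPS` with `Enabled` set to false and `Locked` set to true in `policies.json` pins the setting for every profile on the host.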
  

