diff --git a/config/knot-resolver/kresd.conf.d/070-policy-doh-canary.conf b/config/knot-resolver/kresd.conf.d/070-policy-doh-canary.conf
deleted file mode 100644
index df0992c..0000000
--- a/config/knot-resolver/kresd.conf.d/070-policy-doh-canary.conf
+++ /dev/null
@@ -1,7 +0,0 @@
--- Disable DNS-over-HTTPS in applications
--- https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet/
-
-policy.add(policy.suffix(
- policy.DENY_MSG('This network is unsuitable for DNS-over-HTTPS'),
- {todname('use-application-dns.net.')}
-))
diff --git a/config/knot-resolver/kresd.conf.d/070-policy-special.conf b/config/knot-resolver/kresd.conf.d/070-policy-special.conf
index 3921e71..68e6aa1 100644
--- a/config/knot-resolver/kresd.conf.d/070-policy-special.conf
+++ b/config/knot-resolver/kresd.conf.d/070-policy-special.conf
@@ -1,7 +1,20 @@
 -- Add rules for special-use and locally-served domains
 -- https://www.iana.org/assignments/special-use-domain-names/
 -- https://www.iana.org/assignments/locally-served-dns-zones/
-
 for _, rule in ipairs(policy.special_names) do
 policy.add(rule.cb)
 end
+
+-- Disable DNS-over-HTTPS in applications
+-- https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet/
+policy.add(policy.suffix(
+ policy.DENY_MSG('This network is unsuitable for DNS-over-HTTPS'),
+ {todname('use-application-dns.net.')}
+))
+
+-- Allow "*-dnsotls-ds.metric.gstatic.com" as it is necessary for DNS-over-TLS functionality on Android
+-- https://android.googlesource.com/platform/packages/modules/DnsResolver/+/bab3daa733894008bf917713f9a72a4ccbbd3b3a/DnsTlsTransport.cpp#150
+policy.add(policy.pattern(
+ policy.PASS,
+ '%w+%-dnsotls%-ds\006metric\007gstatic\003com\000$'
+))
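Review bot: The leading `%w+` in the new PASS pattern is not anchored to a label boundary, so the rule also passes names with extra leading labels (for example `foo.bar-dnsotls-ds.metric.gstatic.com`), which is looser than the single-label `*-dnsotls-ds.metric.gstatic.com` the comment describes. If exactly one prefix label is intended, anchoring on the wire-format length byte pins it: `'^.%w+%-dnsotls%-ds\006metric\007gstatic\003com\000$'`. Because `policy.PASS` stops further policy evaluation for the query, this rule only has an effect if whatever would otherwise block these names is loaded after this file, so the dependency on file ordering is worth stating, e.g. `-- Must be loaded before the rules that would otherwise block these names; PASS ends policy evaluation`. The literal labels are lower-case only, so whether the matched name is already lower-cased is not visible here and should be confirmed.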