How to disable DNS-over-HTTPS (DoH)

I read an article about Mozilla saying that they want to activate DoH in Firefox for some users already this month (https://www.root.cz/clanky/firefox-zacina-postupne-zapinat-dns-over-https-umi-ho-i-vypnout/ (Czech only)).

I want to be prepared because I want my parental control (PaKon) to be working. They say you have to have the special domain name use-application-dns.net returning NXDOMAIN in this case.

What exactly do I have to set in my Omnia and where?

They also say that the user will always be able to choose that he wants to use DoH in all circumstances.

Does that mean that this is another way to bypass PaKon?


This is for US based clientèle, though I am not sure how Moz is figuring that location out (WAN IP sniffing | browser locale | OS locale?).


There is not much you can do on the router. DoH, if enabled in any application (here the browser), will bypass any/all resolvers set anywhere else. That is, unless blocked by a firewall, which will be tough though with the DoH upstream connecting to HTTPS port 443…

Well, if you want NXDOMAIN for this one, it’s relatively easy – follow how to add custom config and then add this line

-- Knot Resolver policy: answer NXDOMAIN for the canary domain and all names below it
policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net.')}))

Well, more precisely this will work as-is only if you don’t use the Foris-click forwarding, as those instructions will take precedence (by default). In those cases it’s probably easier to just add the forwarding instructions by hand instead, under your filtering rules.
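A way to verify the rule from a LAN client's point of view, as an added example that is not part of the thread and not Turris or Knot Resolver code: it sends a plain UDP query for the canary name to the router's resolver and reports the RCODE, so you can confirm that forwarding rules did not take precedence over the DENY. The router address 192.168.1.1 is a placeholder.

```python
"""Check whether a resolver answers NXDOMAIN for Firefox's DoH canary domain.

Added example, not from the thread: a stdlib-only UDP DNS probe you can point
at the Omnia's resolver to confirm the policy rule actually yields NXDOMAIN.
"""
import socket
import struct

CANARY = "use-application-dns.net"
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Encode a recursion-desired A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_rcode(response, txid=0x1234):
    """Return the textual RCODE of a response, after checking id and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def canary_blocked(resolver_ip, timeout=2.0):
    """True when the resolver returns NXDOMAIN for the canary (Firefox keeps DoH off)."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_rcode(data, txid) == "NXDOMAIN"


if __name__ == "__main__":
    router = "192.168.1.1"  # placeholder: put your Omnia's LAN address here
    print("DoH canary blocked by %s: %s" % (router, canary_blocked(router)))
```

Run it from a LAN machine whose system resolver is the router; a NOERROR result means a forwarding rule (or the Foris-click forwarding) answered before the DENY rule.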

Right, that step would make the above rule useless.

I’m actually not sure how much PaKon is affected. It can see IP addresses, that’s for sure (unless the client runs some VPN, Tor, etc.), and IIRC it can parse names from SNI, which is usually not encrypted yet.

Curious how that works if the user of the (parental) controlled device uses FX and enables DoH in the browser setting, which then connects to CF via https over port 443?

Yes, that simple step will avoid the usual parental filters… but that option has been there for several releases already. If an ISP gathers data from DNS (“maliciously”), they can simply block this canary domain and continue the same even after this update. IMO the current Mozilla’s compromise will satisfy very few critics.

I suppose the point the OP was making is that it will be turned on by default (for the US based user, however that is determined), and that this is different from knowing about the setting and consciously enabling it.


Perhaps a bit digressing from the thread topic - just wanted to point out this holds true for any ISP wanting to block upstream traffic to DNS nodes other than their own. There are plenty of DPI tools like this one catering to that market.

Looks like some unhappy folks over Moz’s DoH, whilst the other browser vendor, riding hot on Moz’s coattail, is flirting with the same feature.