
I'm working on our DoH implementation. I'm guessing this is a split-horizon set up with a domain that resolves both internally and externally. If you are willing, we're very interested in these situations and coming up with heuristics to detect and disable DoH proactively. We're also looking into standards changes that could make these configurations more reliably detectable at the application level. I'm selena at mozilla.com.


As a sysadmin who rails against split-horizon DNS (usually around Active Directory implementations where brain-damaged people have named the AD domain the same as a public Internet domain name) I'm already getting a churning feeling in my stomach thinking about how software is going to mishandle this scenario in DNS-over-HTTPS.

It's going to be particularly god-awful for devices that roam between networks where the "internal" DNS is visible and networks where it isn't. Ugh...


My organization does this (AD domain appears to be the same as the public domain name), and I also had problems when I opted into the HTTPS DNS trial. As in, no internal servers resolved.

I had thought that internal networks these days would favor multicast resolution (LLMNR/mDNS), but that doesn't appear to be the case here. Admin work is not my wheelhouse, so I have no idea what standard practice is. What is the recommended setup for AD and name resolution configuration?


For now, we recommend having an enterprise policy for the browser configured. That is the best indication we have that the browser configuration is managed and this kind of issue might occur. We're also open to recommendations from admins on other things that might clue us in that we're in this situation. Finally, we're discussing the possibility of establishing a network standard that signals more strongly that "name shadowing" is occurring... like maybe there's some DNS response that can be configured locally that we can look to proactively and then disable DoH.


> usually around Active Directory implementations where brain-damaged people have named the AD domain the same as a public Internet domain name

I don't like this one either, but often it is inherited from the past from other people and it is not going to change.

On the other hand, split-horizon DNS is going to stay with us, even if the AD domain is a subdomain of the public one. Records in the internal zone are not going to become public anytime soon.


A subdomain that doesn't resolve is handled properly -- meaning DoH is then disabled.


Didn't know that, great, thanks.

On the other one of the common problems: I assume there is no way to blackhole existing, public records, other than an extension à la uBlock/Adblock?


We're working on exceptions support, which would allow specific domains to be looked up via DNS instead of DoH. In that case, mirroring a blackhole list to the exceptions support would result in what you want (I mean, if I understand what you're asking).
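The two fallback mechanisms described in the replies above (a name the public DoH resolver answers with NXDOMAIN is looked up via native DNS, and an exceptions list sends matching domains straight to native DNS) sketched as a small Python model. This is an added example, not Firefox or Mozilla code and not something posted in this thread; the wire-format helpers follow RFC 1035 and the RFC 8484 GET encoding, while the names, addresses, the `resolve_with_fallback` decision function and the per-lookup "native"/"doh" result are constructed assumptions for illustration (the comment above describes disabling DoH, not a per-query choice).

```python
"""Model of two DoH fallback mechanisms (added example, not Mozilla/Firefox code):
(1) a name the public DoH resolver answers with NXDOMAIN is sent to the system
resolver, and (2) an admin-supplied exceptions list bypasses DoH outright.
Message encoding follows RFC 1035; the GET form follows RFC 8484."""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode 'a.b.c' as length-prefixed labels terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0):
    """RFC 1035 A query. qid=0 is what RFC 8484 recommends for GET so that
    identical queries yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def doh_get_path(name):
    """RFC 8484 GET form: 'dns' parameter holds base64url(query) without '=' padding."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + q


def decode_doh_path(path):
    """Inverse of doh_get_path: recover the raw DNS query bytes from the URL path."""
    enc = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


def build_response(name, rcode, addrs=(), qid=0):
    """Constructed response (test data, not captured traffic): echoes the question,
    then one A record per address using a compression pointer (0xC00C) to the
    question name at offset 12."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return header + question + answers


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, list of A-record addresses) from an RFC 1035 response."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlength == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlength
    return rcode, addrs


def in_exceptions(name, exceptions):
    """Exact or parent-domain match against an admin list such as ['corp.example.com']."""
    n = name.rstrip(".").lower()
    exc = [e.rstrip(".").lower() for e in exceptions]
    return any(n == e or n.endswith("." + e) for e in exc)


def resolve_with_fallback(name, doh_response, exceptions=()):
    """Hypothetical per-lookup decision: ('native', None) when the lookup must go to
    the system resolver, otherwise ('doh', addrs) from the DoH answer."""
    if in_exceptions(name, exceptions):
        return "native", None  # exceptions list: never send this name over DoH
    rcode, addrs = parse_response(doh_response)
    if rcode == RCODE_NXDOMAIN:
        return "native", None  # public resolver knows no such name: treat as internal-only
    return "doh", addrs
```

Running `resolve_with_fallback` on a constructed NXDOMAIN answer for an internal subdomain yields `native`, and a name under an excluded parent domain is never sent over DoH at all. The model also shows the gap the thread is circling: a split-horizon name that the public resolver does answer (with a public address) comes back as `doh`, so the NXDOMAIN check alone cannot detect it, which is why the comments above talk about an enterprise policy or a stronger network signal.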


Uplift to us is bringing the patches into mozilla-central pref'd off so that Tor developers can just pref features on, rather than re-merge patches for each major and dot release. We also tend to add tests.


We didn't ban your account, Ryan.


It's just periodically getting slammed. It comes back after a little bit.


No, it's using twilio. The code is open source - as mentioned downthread. https://github.com/bigboringsystem/


I know some of the women who have volunteered to teach and they love this program. The kids come away with working software and produce something that they can immediately see the value of.

There's a great quote in http://computinged.wordpress.com/2010/05/11/playing-the-card... about relevance of instruction:

"Students abandon classes that they perceive as being irrelevant to them."

App Camp is obviously relevant and is targeting an age group that is vulnerable to permanently dropping out of math and computer-related education.


Here's the dropbox link, since speakerdeck appears to be stalled processing the pdf: https://www.dropbox.com/s/vc2oheabr5s1x11/schema%20liberatio...


I'm speaking for myself and what I think, rather than on behalf of Postgres or any company. I assume you are also referring to the possibility of a private fork.

What I've seen in the Postgres community is a group of developers that takes an aggressive stance against companies "taking advantage" of the developer community. Companies that invest both time and money in development get far more attention for their patches than companies that try to either throw code over the fence, or do "drive by" development projects.

Tom deciding to take this job indicates to me that it is because Salesforce is making a significant investment in open source Postgres.


For a little more context on why this might matter: http://www.wired.com/wiredenterprise/2012/10/salesforce-orac...


If you're interested in TAI's position on discussing sex in technical conferences and how that (in general) impacts women's participation:

http://adainitiative.org/2012/09/when-sex-and-porn-are-on-to... (This post predates the BSides incident by 5 months.)

And, about BSides:

http://adainitiative.org/2013/02/keeping-it-on-topic-the-pro...

http://adainitiative.org/2013/03/clarification-on-the-ada-in...


The talk that they censored WAS TO BE GIVEN BY A WOMAN.

That doesn't really hold up their argument of sexualized environments in tech being inherently hostile to women participating, does it?

Anyone who examines this can see that this is simply a personal censorship crusade by Ms. Aurora, presumably as a result of her own sex-related trauma(s) and/or upbringing. (Google her and her father for her own account of it— it's not ad hominem.)[1]

Just because her psyche has been damaged does not mean she has the right to attempt to censor others who are not participating in discriminatory behavior. The whole thing about "exploit" in the title being a synonym for rape (as in exploiting a system without the owner's consent) illustrates how ridiculous her flimsy argument against it was and is.

This sort of concern-trolling makes women in tech appear to be hard to work with or require special handling/censorship considerations, and is actively harmful to the struggle for gender equality. It has absolutely no place whatsoever at a tech conference.

[1] http://valerieaurora.org/keith.html


I find the continued personal attacks on Val to be disgusting and an embarrassment to people in the hacker and security communities. I no longer consider myself to be part of those communities, but once was.

My hope is that people see these statements for what they are: disgusting personal attacks.


I am not attacking her personally, just criticizing her actions. I was careful to make that completely unambiguous.

What gave you the impression that I was attacking her?

