My Profile Photo

Sheogorath's Blog

Manage Firefox on Fedora

on

When you run Firefox in an enterprise environment, you are for sure interested in deploying your settings and not rely on the defaults. This whole topic got even more important with the deployment of DNS over HTTPS (DoH) in Firefox.

Many enterprise people complained that Firefox doesn’t use the company DNS server and this way prevents local DNS requests, circumvents Intrusion Detection Systems and leaks data to centralized entities like Cloudflare1.

You have two options to handle this problem: Either you ignore it and let Firefox do whatever it likes, while may try to prevent it using some kind of network trick, or you proof that you are the admin of the system and use the admin interface provided by Firefox.

Prepare the interface

Configuring a policy for Firefox is sadly not as trivial as it should be, but non the less, possible.

First of all, you need to tell Firefox that you want to provide a configuration for it. On Fedora Firefox is installed in /usr/lib64/firefox/.

You need to create an autoconfig.js in order to reference your preferred Firefox configuration file. In order to do this, you have to add the following content at /usr/lib64/firefox/defaults/pref/autoconfig.js:

pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);

This configures Firefox to load /usr/lib64/firefox/firefox.cfg. Please note that according to the Firefox documentation, the directory of this file can not be changed.

We need the firefox.cfg, to configure browser.policies.perUserDir to be false. Otherwise the policies.json which will provide our settings, will depend on the user’s home directory and therefore his good will. In order to prevent that and make Firefox using the system-wide policies.json, the firefox.cfg should contain the following:

//Enable policies.json
lockPref("browser.policies.perUserDir", false);

Note that the first line of comment is required. Firefox will ignore whatever is written in the first line.

Create the policy

In order to create a proper Firefox policy, I recommend to use the Enterprise Policy Generator. This handy tool allows you to easily generate a policies.json with your preferences.

When you want to configure DoH to use https://dns.shivering-isles.com it would look like this:

{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "Locked": true,
      "ProviderURL": "https://dns.shivering-isles.com/dns-query"
    }
  }
}

This will force DoH to be enabled and to use my DoH server. The user can’t change this setting. You can of course also use this policy to disable DoH. But keep in mind, that running a DoH Server isn’t very complicated and effectively prevents other network admins from tinkering with your DNS security policies.

Deploy the policy

To deploy the policy, you need to create the policies.json at /usr/lib64/firefox/distribution/policies.json. On Fedora the directory should already exist and contain another file.

The policy will be applied to all Firefox processes from the next start.

In order to deploy this configuration properly, you might want to create an own RPM package, that you can install on your systems.

Name:       firefox-shivering-isles-policy
Version:    0.1.0
Release:    1%{?dist}
Summary:    Simple Firefox policy for DoH
License:    CC0

%description
This is a simple example for a Firefox policy package

%prep
# we have no source, so nothing here

%build
cat > autoconfig.js <<EOF
pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);
EOF

cat > firefox.cfg <<EOF
//Enable policies.json
lockPref("browser.policies.perUserDir", false);
EOF

cat > policies.json <<EOF
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "Locked": true,
      "ProviderURL": "https://dns.shivering-isles.com/dns-query"
    }
  }
}
EOF

%install
mkdir -p %{buildroot}/usr/lib64/firefox/defaults/pref/
mkdir -p %{buildroot}/usr/lib64/firefox/distribution/
install -m 644 autoconfig.js %{buildroot}/usr/lib64/firefox/defaults/pref/autoconfig.js
install -m 644 firefox.cfg %{buildroot}/usr/lib64/firefox/firefox.cfg
install -m 644 policies.json %{buildroot}/usr/lib64/firefox/distribution/policies.json

%files
/usr/lib64/firefox/defaults/pref/autoconfig.js
/usr/lib64/firefox/firefox.cfg
/usr/lib64/firefox/distribution/policies.json

%changelog
* Tue Nov 12 2019 Sheogorath <firefox-fedora-example@sheogorath.shivering-isles.com> - 0.1.0
- First example version of the policy

Note: This RPM spec-file example is a proof of concept, to show you how things could be done. You should keep package content in version control.

Conclusion

The configuration management in Firefox is a little mess. But once you figured it out, it becomes easy to handle. Create a policy in your browser, put it into your deployment tooling and you get your systems configured in no time.

Now you can happily deploy DoH in your organization and keep network attacker out of your DNS traffic.2

Photo by Maksym Kaharlytskyi on Unsplash

  1. The provider of the DoH server configured by default in Firefox. 

  2. Please be aware that DoH, enabled this way, will not be stopped by the canary domain