DNS over HTTPS

jetman

Level 10
Thread author
Verified
Well-known
Jun 6, 2017
476
Hi-

I have heard that Firefox has a setting which uses "DNS over HTTPS". This, according to the article below, is a more secure way of browsing the web.


Could anyone let me know their thoughts about this? Is it a good idea to enable this setting?

If so, is there a way of enabling this for ALL internet traffic, not just browsing within Windows Firefox?

Thanks.
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
DNS-over-HTTPS still has a huge problem inherited from TLS, which is fake certificates. Fake certificates are accessible to most governments or groups, and we are talking about breaking encryption and spying; this is weird because DoH sounds to be made specifically to prevent governments from intercepting communications through standard ISP DNS.

Even well-known privacy people have opposed DNS-over-HTTPS (including the father of DNS, Paul Vixie) and instead recommend DNS-over-TLS, claiming analysts will lose control over their networks.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Just use Simple DNSCrypt and get all the benefits of system-wide encrypted DNS plus DNSSEC support, and don't forget to enable SNI encryption. With this setup you get maximum performance, security and privacy.

Reference:
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,634
I do the same as Nightwalker suggested. I use SimpleDnsCrypt on my PC for system-wide DNS over HTTPS. DNS over HTTPS (DoH) is better than all the other secure alternatives such as DNS over TLS (DoT) and DNSCrypt. On DoH, all DNS queries go through port 443, which is used for HTTPS, hence the name DoH. Because of that, it's not possible/harder to differentiate DNS queries from regular internet traffic. But DoT usually uses a separate port, 853. Your ISP would know anything that is going through port 853 is DNS queries, so if your ISP decides to block port 853 then you wouldn't have any way to use DoT, but they can't block port 443; that's why DoH is more secure and private.
ISPs have become mad at Firefox because Firefox is thinking about enabling DoH in their browser by default. U.K.'s Internet Services Providers Association (ISPA) has nominated Mozilla as an Internet villain. Hilarious :ROFLMAO: If DoH is used then ISPs can't track users' DNS queries, inject ads and block sites, hence their rage at Mozilla.
ISPs might still track your DNS queries from SNI; that's why you need to enable ESNI in Firefox from about:config. Most of the popular sites and all the Cloudflare-hosted sites have ESNI support, but ESNI doesn't work with the SimpleDnsCrypt app. So in Firefox also change the value of "network.trr.mode" to 2. Firefox by default uses Cloudflare DNS. Setting the mode to 2 means Firefox is gonna use Cloudflare DoH, but if for any reason the server is down or something then it will switch back to your system's or router's default DNS. Cloudflare's privacy policy is already pretty good imo, and they have a special agreement with Mozilla so they collect even less anonymous data for Firefox users.
Btw, you can use other DNS that has DoH support on Firefox too for example, Quad9, Cleanbrowsing DNS, Adguard DNS.
It's also possible to block sites via the SimpleDnsCrypt app. You can add websites to the blacklist. Very helpful for blocking ads directly on DNS level on your PC without using something like Pi-Hole.
So, this is what I personally use and recommend.
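The post above describes DoH as ordinary HTTPS on port 443 carrying DNS queries. The added example below (not code from the thread or from any of the tools mentioned) builds the wire-format DNS query a DoH client sends and encodes it the way an RFC 8484 GET request does; the resolver URL is an assumption.

```python
import base64
import struct
from urllib.parse import urlencode

# Assumption: any RFC 8484 resolver endpoint works here; this one is illustrative.
DOH_URL = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: ID 0 (RFC 8484 suggests 0 so HTTP caches can match it),
    RD=1, one question of the given type (1 = A) in class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: the query goes in the 'dns' parameter as base64url
    without '=' padding. On the wire this is indistinguishable from any other HTTPS GET."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{DOH_URL}?{urlencode({'dns': b64})}"


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: restore the padding and recover the wire-format query."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    url = doh_get_url("example.com")
    print(url)
    print(decode_dns_param(url).hex())
```

Sending the URL with any HTTPS client and the header `Accept: application/dns-message` returns the answer as a raw DNS message in the response body.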
 

Decopi

Level 6
Verified
Oct 29, 2017
252
It's also possible to block sites via the SimpleDnsCrypt app. You can add websites to the blacklist. Very helpful for blocking ads directly on DNS level on your PC without using something like Pi-Hole.
So, this is what I personally use and recommend.

Hi @SeriousHoax !

Please, allow me a question about "Blacklist Rules" at SimpleDnsCrypt. After reading your comment, today (and for the first time) I started to play with this function. I already discovered that " * " can be used, and it's great because it greatly reduces the number of entries (compared to the hosts file). I just wonder if there are other rules or wildcards that can be applied. And what about REGEXPs? If REGEXPs work at "Blacklist Rules"... then this might have the potential to replace ad-tracker-telemetry-blockers!

Thank you in advance
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,634
Hi @SeriousHoax !

Please, allow me a question about "Blacklist Rules" at SimpleDnsCrypt. After reading your comment, today (and for the first time) I started to play with this function. I already discovered that " * " can be used, and it's great because it greatly reduces the number of entries (compared to the hosts file). I just wonder if there are other rules or wildcards that can be applied. And what about REGEXPs? If REGEXPs work at "Blacklist Rules"... then this might have the potential to replace ad-tracker-telemetry-blockers!

Thank you in advance
Hello, as far as I know rules can't be applied here. Only domain names, like you said. Btw, even if you use a huge blacklist it doesn't affect performance. I use a huge blacklist file of 6.09 MB, added some sites to the whitelist, and it works without any problem.
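The exchange above concerns domain blacklists with the "*" wildcard and a whitelist that takes precedence. The added example below is a constructed matcher, not SimpleDnsCrypt's or dnscrypt-proxy's own code; it assumes a bare domain rule also covers subdomains and that "*" matches any run of characters, and the sample lists are made up.

```python
import re

# Assumed rule semantics (not taken from any specific tool):
#   "ads.example"            blocks ads.example and every subdomain of it
#   "*.tracker.test"         '*' is a glob wildcard over any characters
#   lines starting with '#'  are comments; blank lines are ignored


def rule_to_regex(rule: str) -> re.Pattern:
    """Compile one blocklist line into an anchored regex over a lowercased hostname."""
    rule = rule.strip().lower().rstrip(".")
    if "*" in rule:
        body = ".*".join(re.escape(part) for part in rule.split("*"))
        return re.compile(rf"^{body}$")
    # Bare domain: exact match, or any label(s) followed by a dot and the domain.
    return re.compile(rf"^(.+\.)?{re.escape(rule)}$")


def load_rules(lines):
    """Drop comments/blank lines and compile the rest."""
    return [rule_to_regex(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


class DomainFilter:
    """Whitelist is checked first, so an allowed name never gets blocked."""

    def __init__(self, blacklist, whitelist=()):
        self.block = load_rules(blacklist)
        self.allow = load_rules(whitelist)

    def is_blocked(self, name: str) -> bool:
        name = name.strip().lower().rstrip(".")
        if any(p.match(name) for p in self.allow):
            return False
        return any(p.match(name) for p in self.block)


# Constructed sample lists for demonstration.
BLACKLIST = ["# sample blocklist", "ads.example", "*.tracker.test", "telemetry-*.example.org", ""]
WHITELIST = ["allowed.tracker.test"]

if __name__ == "__main__":
    f = DomainFilter(BLACKLIST, WHITELIST)
    for host in ["cdn.ads.example", "notads.example", "allowed.tracker.test", "telemetry-v2.example.org"]:
        print(host, "BLOCKED" if f.is_blocked(host) else "allowed")
```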
 

weedeezee

Level 2
Verified
Jun 20, 2017
82
Hello

Can you say, am I safe if I am using a DNS server that is in the country I am living in?

I want to use Cloudflare DNS.

I made a test: the Cloudflare DNS server is showing the same country I am living in.

Do you say my country can see my DNS going and coming?

Google DNS is showing in another country.

Do you say I should use Cloudflare or Google?

I am asking because I am wanting privacy.

Thank you very much.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,030
Hello

Can you say, am I safe if I am using a DNS server that is in the country I am living in?

I want to use Cloudflare DNS.

I made a test: the Cloudflare DNS server is showing the same country I am living in.

Do you say my country can see my DNS going and coming?

Google DNS is showing in another country.

Do you say I should use Cloudflare or Google?

I am asking because I am wanting privacy.

Thank you very much.
You can try KeweonDNS or Cleanbrowsing DNS. Both support DNS-over-HTTPS and no logging.
 

weedeezee

Level 2
Verified
Jun 20, 2017
82
You can try KeweonDNS or Cleanbrowsing DNS. Both support DNS-over-HTTPS and no logging.

Hello

I want to use Cloudflare.

I made a test: the Cloudflare DNS server is showing the same country I am living in.

Do you say I should use DNS in my same country?

I am living in X country.

The Cloudflare DNS server location in my test is showing X country.

Do you say it is bad that X country can look at my DNS, but it cannot look when I am using a DNS server in Y country?

I am asking because of privacy.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
major Internet service providers have cried foul. In a September 19 letter to Congress, Big Cable and other telecom industry groups warned that Google's support for DNS over HTTPS (DoH) "could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues." On Sunday, The Wall Street Journal reported that the House Judiciary Committee is taking these concerns seriously. In a September 13 letter, the Judiciary Committee asked Google for details about its DoH plans—including whether Google plans to use data collected via the new protocol for commercial purposes.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,781

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Over at Wilderssecurity the user Beyonder posted this program, which has been working well for me so far.


Since I already posted about a DNS program for Windows, I thought of posting another one which works on iPhone:

DNSCloak. It allows me to change DNS even on the mobile network.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,634
Like this?


I haven't used SimpleDnsCrypt in quite some time, so I don't remember what blocking feature you are referring to.

For example, the domains you put in your hosts file are blocked. Similarly, SimpleDNSCrypt has a feature where you can select a text file containing all the domains you want to block, so your PC won't make any DNS queries for those domains. So it's possible to use it as a host-based adblocker.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
For example, the domains you put in your hosts file are blocked. Similarly, SimpleDNSCrypt has a feature where you can select a text file containing all the domains you want to block, so your PC won't make any DNS queries for those domains. So it's possible to use it as a host-based adblocker.
From what I see the program does allow you to make block rules.

Did one for Google.com and *.org and it managed to block them. However, it doesn't seem like you can import hostnames via a text file. At the very least I haven't seen it.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
I contacted them. The feature to import domains is not supported, but they plan to add it in the next versions.

Though they suggested, if I wanted to copy/paste a domain, to manually open the YogaDNS configuration file (human-readable XML).
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,634
I contacted them. The feature to import domains is not supported, but they plan to add it in the next versions.

Though they suggested, if I wanted to copy/paste a domain, to manually open the YogaDNS configuration file (human-readable XML).
I tried, but even after doing this correctly it says there are wrong symbols in my rules.
 
