blackice

Level 27
Verified
Is anyone else experiencing issues with sites resolving using encrypted ESNI? A few times a day I’ll run into fairly major sites that won’t resolve with encrypted ESNI turned on. I finally just turned it off on both PCs.
 

JoyousBudweiser

Level 8
Verified
Is anyone else experiencing issues with sites resolving using encrypted ESNI? A few times a day I’ll run into fairly major sites that won’t resolve with encrypted ESNI turned on. I finally just turned it off on both PCs.
I don't have any such issues. I've been using it with NextDNS as my DoH provider. Which DoH provider were you using it with?
 

blackice

Level 27
Verified
I don't have any such issues. I've been using it with NextDNS as my DoH provider. Which DoH provider were you using it with?
I've been using it with Quad9. It just happens 2-3 times a day. Just enough for me to not want to toggle it on and off.

ESNI is still a draft and not finished. Also, sites need to support it.
This is probably the issue. I just happened to stumble upon some sites that don't support it yet.
 

blackice

Level 27
Verified
I have some issues with Quad9 while using it (not with DoH but in general). Try using NextDNS or Cloudflare.
I actually have had issues with Quad9 in the past when I had a router with DoT. Apparently Quad9 has a very short timeout set for their encrypted servers, according to Merlin on the SmallNetBuilder forums. Cloudflare has a longer timeout tolerance, so it sees far fewer issues. Maybe this is the same problem and not a site compatibility problem. My router uses Quad9 (unencrypted) already, so I can live without DoH. But it's nice to have.
 

blackice

Level 27
Verified
I don't have this issue, but the issue that I have is: if I enable ESNI, Firefox doesn't load any websites for 15-20 seconds after I open the browser. This is annoying, so I toggled it off.
This is probably why it is in about:config. I may just turn DoH off until it's implemented in W10. I don't feel like I'm gaining a whole lot (especially without ESNI) and if I do not want to share things with my ISP I can always use a VPN.
 

JoyousBudweiser

Level 8
Verified
This is probably why it is in about:config. I may just turn DoH off until it's implemented in W10. I don't feel like I'm gaining a whole lot (especially without ESNI) and if I do not want to share things with my ISP I can always use a VPN.
It's not about hiding your port 53 traffic from your ISP, but DoH or DNS over TLS reduces the chances of a man-in-the-middle DNS spoofing attack, as the requests are encrypted, which is important. Oh, and you don't need to wait for the Windows 10 implementation. You can use either YogaDNS or Simple DNSCrypt to implement system-wide DoH. If you want to use DNS over TLS, you can use Unbound for Windows.
 

blackice

Level 27
Verified
It's not about hiding your port 53 traffic from your ISP, but DoH or DNS over TLS reduces the chances of a man-in-the-middle DNS spoofing attack, as the requests are encrypted, which is important. Oh, and you don't need to wait for the Windows 10 implementation. You can use either YogaDNS or Simple DNSCrypt to implement system-wide DoH. If you want to use DNS over TLS, you can use Unbound for Windows.
Since my router and AV are checking the IPs being visited on my system, I'm not overly concerned about DNS man-in-the-middle. Though the scenario exists that it's possible, I think it's more likely that DNS poisonings are occurring. Also, DNSSEC exists to help with these problems. I have run Simple DNSCrypt before, but I'd prefer not to add another driver running.
 