Advice Request: Firefox DoH Encrypted ESNI Issues


blackice (thread author), Apr 1, 2019
Is anyone else experiencing issues with sites resolving using encrypted ESNI? A few times a day I’ll run into fairly major sites that won’t resolve with encrypted ESNI turned on. I finally just turned it off on both PCs.
I don't have any such issues. I've been using it with NextDNS as my DoH provider. Which DoH provider were you using it with?
I've been using it with Quad9. It just happens 2-3 times a day. Just enough for me to not want to toggle it on and off.

ESNI is still a draft and not finished. Also, sites need to support it.
This is probably the issue. I just happened to stumble upon some sites who don't support it yet.
I have some issues with Quad9 while using it (not with DoH, but in general). Try using NextDNS or Cloudflare.
I actually have had issues with Quad9 in the past when I had a router with DoT. Apparently Quad9 has a very short timeout set for their encrypted servers, according to Merlin on the SmallNetBuilder forums. Cloudflare has a longer timeout tolerance, so it sees far fewer issues. Maybe this is the same problem and not a site compatibility problem. My router uses Quad9 (unencrypted) already, so I can live without DoH. But it’s nice to have.

I don't have this issue, but the issue that I have is, if I enable ESNI, Firefox doesn't load any websites for 15-20 seconds after I open the browser. This is annoying, so I toggled it off.
This is probably why it is in about:config. I may just turn DoH off until it's implemented in W10. I don't feel like I'm gaining a whole lot (especially without ESNI) and if I do not want to share things with my ISP I can always use a VPN.
It's not about hiding your port 53 traffic from the ISP, but DoH or DNS over TLS reduces the chances of a man-in-the-middle DNS spoofing attack, as the requests are encrypted, which is important. Oh, and you don't need to wait for the Windows 10 implementation. You can use either YogaDNS or Simple DNSCrypt to implement system-wide DoH. If you want to use DNS over TLS, you can use Unbound for Windows.
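An added illustration (example code, not from any poster in this thread) of the two mechanisms the replies touch on: a DoH client sends an ordinary wire-format DNS message inside HTTPS (RFC 8484, `application/dns-message`), and Firefox's draft-era ESNI looked up a site's keys in a TXT record at `_esni.<host>`, which is why a site that publishes no such record cannot use ESNI at all. The code builds the `_esni` TXT query, shows the RFC 8484 GET encoding, and parses two constructed responses: one for a host that publishes a (placeholder) key string and an NXDOMAIN for one that does not. The hostnames, the key string and the `build_txt_response` helper are constructed for the example and stand in for a real resolver.

```python
import base64
import struct
from typing import List, Optional, Tuple

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0) -> bytes:
    """Single-question DNS query; RFC 8484 suggests ID 0 so DoH GETs are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def esni_query(host: str) -> bytes:
    """The lookup draft ESNI relied on: TXT record at _esni.<host>."""
    return build_query("_esni." + host, TYPE_TXT)


def doh_get_path(msg: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the dns= parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; returns (name, offset after the name)."""
    labels: List[str] = []
    end = off
    jumped = False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = pointer
            continue
        if length == 0:
            off += 1
            if not jumped:
                end = off
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end


def parse_txt_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, str]]]:
    """Return (rcode, [(name, ttl, txt)]) for the TXT answers in a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            # TXT rdata is a sequence of <len><chars> strings; join them.
            strings, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            records.append((name, ttl, "".join(strings)))
    return rcode, records


def build_txt_response(query: bytes, txt: Optional[str], ttl: int = 300) -> bytes:
    """Constructed sample response (stands in for a resolver): NXDOMAIN when txt is None."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    if txt is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question  # rcode 3
    raw = txt.encode("ascii")
    rdata = b"".join(bytes([len(raw[i:i + 255])]) + raw[i:i + 255]
                     for i in range(0, len(raw), 255))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def esni_published(response: bytes) -> bool:
    """True when the response carries at least one _esni TXT answer."""
    rcode, records = parse_txt_response(response)
    return rcode == 0 and any(name.startswith("_esni.") for name, _, _ in records)


if __name__ == "__main__":
    q = esni_query("example.com")  # constructed hostname
    print(doh_get_path(q))
    print(esni_published(build_txt_response(q, "CONSTRUCTED-ESNIKEYS-PLACEHOLDER")))
    print(esni_published(build_txt_response(q, None)))
```

The query bytes are what a DoH client carries in the TLS-protected HTTPS body or GET parameter; the same bytes sent over plain UDP port 53 are what an on-path party can read or forge, which is the difference the reply above is pointing at.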
Since my router and AV are checking the IPs being visited on my system I’m not overly concerned about DNS man in the middle. Though the scenario exists that it’s possible, I think it’s more likely that DNS poisonings are occurring. Also DNSSEC exists to help with these problems. I have run simple dnscrypt before, but I’d prefer not to add another driver running.