Advice Request Firefox DoH Encrypted ESNI Issues


blackice (Level 38, Thread author, Verified, Top Poster, Well-known, Apr 1, 2019, 2,730)
Is anyone else experiencing issues with sites resolving using encrypted ESNI? A few times a day I’ll run into fairly major sites that won’t resolve with encrypted ESNI turned on. I finally just turned it off on both PCs.

Brahman (Level 16, Verified, Top Poster, Well-known, Aug 22, 2013, 799)
> Is anyone else experiencing issues with sites resolving using encrypted ESNI? A few times a day I’ll run into fairly major sites that won’t resolve with encrypted ESNI turned on. I finally just turned it off on both PCs.

I don't have any such issues. I've been using it with NextDNS as my DoH provider. Which DoH were you using it with?

blackice (Level 38, Thread author, Verified, Top Poster, Well-known, Apr 1, 2019, 2,730)
> I don't have any such issues. I've been using it with NextDNS as my DoH provider. Which DoH were you using it with?

I've been using it with Quad9. It just happens 2-3 times a day. Just enough for me to not want to toggle it on and off.

> eSNI is still a draft and not finished. Also sites need to support that

This is probably the issue. I just happened to stumble upon some sites that don't support it yet.

Brahman (Level 16, Verified, Top Poster, Well-known, Aug 22, 2013, 799)
> I've been using it with Quad9. It just happens 2-3 times a day. Just enough for me to not want to toggle it on and off.

> This is probably the issue. I just happened to stumble upon some sites that don't support it yet.

I have some issues with Quad9 while using it (not with DoH, but in general). Try using NextDNS or Cloudflare.

blackice (Level 38, Thread author, Verified, Top Poster, Well-known, Apr 1, 2019, 2,730)
> I have some issues with Quad9 while using it (not with DoH, but in general). Try using NextDNS or Cloudflare.

I actually have had issues with Quad9 in the past when I had a router with DoT. Apparently Quad9 has a very short timeout set for their encrypted servers, according to Merlin on the SmallNetBuilder forums. Cloudflare has a longer timeout tolerance, so it sees far fewer issues. Maybe this is the same problem and not a site compatibility problem. My router uses Quad9 (unencrypted) already, so I can live without DoH. But it’s nice to have.

blackice (Level 38, Thread author, Verified, Top Poster, Well-known, Apr 1, 2019, 2,730)
> I don't have this issue, but the issue that I have is, if I enable ESNI, Firefox doesn't load any websites for 15-20 seconds after I open the browser. This is annoying, so I toggled it off.

This is probably why it is in about:config. I may just turn DoH off until it's implemented in W10. I don't feel like I'm gaining a whole lot (especially without ESNI), and if I do not want to share things with my ISP I can always use a VPN.

Brahman (Level 16, Verified, Top Poster, Well-known, Aug 22, 2013, 799)
> This is probably why it is in about:config. I may just turn DoH off until it's implemented in W10. I don't feel like I'm gaining a whole lot (especially without ESNI), and if I do not want to share things with my ISP I can always use a VPN.

It's not about hiding your port 53 traffic from your ISP, but DoH or DNS over TLS reduces the chances of a man-in-the-middle DNS spoofing attack, as the requests are encrypted, which is important. Oh, and you don't need to wait for the Windows 10 implementation. You can use either YogaDNS or Simple DNSCrypt to implement system-wide DoH. If you want to use DNS over TLS, you can use Unbound for Windows.
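
Brahman's point above is that DoH and DoT carry the same DNS exchange inside TLS, so nobody between the client and the resolver can read or rewrite the answer. The following Python is an added example written for this edit; it is not code from the thread or from any of the providers or tools named. It builds a wire-format query, encodes it as an RFC 8484 GET URL, parses the answer, and checks the transaction ID, which is the only (and weak) integrity check that plain UDP DNS offers and that the TLS layer replaces. The endpoint URLs are the public Quad9 and Cloudflare DoH paths; the example.com answer is a constructed sample, not a captured response.

```python
import base64
import struct
import urllib.request

# Public RFC 8484 DoH endpoints for two of the providers named in the thread.
DOH_ENDPOINTS = {
    "quad9": "https://dns.quad9.net/dns-query",
    "cloudflare": "https://cloudflare-dns.com/dns-query",
}

def _encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Wire-format DNS query (A record by default) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(endpoint, wire):
    """RFC 8484 GET form: the query travels in ?dns= as unpadded base64url."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"

def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_response(msg, expected_id):
    """Check the header, skip the question section, decode answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0x000F, "answers": answers}

def constructed_response(txid):
    """Constructed sample answer (not captured from any resolver): example.com A 192.0.2.10."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)
    # 0xC00C points back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer

def resolve_over_doh(name, provider="cloudflare", txid=0):
    """Live lookup over HTTPS (needs network); RFC 8484 suggests ID 0 for cacheable GETs."""
    wire = build_query(name, txid)
    req = urllib.request.Request(
        doh_get_url(DOH_ENDPOINTS[provider], wire),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read(), txid)

if __name__ == "__main__":
    print(doh_get_url(DOH_ENDPOINTS["quad9"], build_query("example.com", 0x1234)))
    print(parse_response(constructed_response(0x1234), 0x1234))
```

Everything except `resolve_over_doh` runs offline against the constructed answer. On an unencrypted UDP path, the 16-bit transaction ID plus the source port is all that stops an on-path party from substituting its own answer; with DoH the same bytes ride inside an authenticated TLS session to the configured resolver, which is what the "man-in-the-middle" remark in the thread refers to.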

blackice (Level 38, Thread author, Verified, Top Poster, Well-known, Apr 1, 2019, 2,730)
> It's not about hiding your port 53 traffic from your ISP, but DoH or DNS over TLS reduces the chances of a man-in-the-middle DNS spoofing attack, as the requests are encrypted, which is important. Oh, and you don't need to wait for the Windows 10 implementation. You can use either YogaDNS or Simple DNSCrypt to implement system-wide DoH. If you want to use DNS over TLS, you can use Unbound for Windows.

Since my router and AV are checking the IPs being visited on my system, I’m not overly concerned about DNS man-in-the-middle. Though the scenario exists that it’s possible, I think it’s more likely that DNS poisonings are occurring. Also, DNSSEC exists to help with these problems. I have run Simple DNSCrypt before, but I’d prefer not to add another driver running.