Correlate

Level 10
Malware Tester
You can now enable support for the privacy-focused DNS-over-HTTPS (DoH) protocol in Google Chrome using a command-line argument.

The procedure is complicated, but this step-by-step guide can help users set up DoH support in Chrome, and make sure it's up and running correctly.
WHAT IS DNS-OVER-HTTPS AND HOW DOES IT WORK?
DNS-over-HTTPS is a relatively new web protocol, having been around for only two years.

It works just like the original DNS protocol, meaning its main purpose is to take a domain name (e.g. zdnet.com) that a user types in a browser and send a query to a DNS server to learn the numerical IP address of the web server that hosts that website.

But while the classic DNS protocol makes this request in plaintext, for everyone to see, DoH packages its DNS queries as encrypted HTTPS traffic.

The primary benefit of DoH is that the protocol hides DNS requests and responses in the giant stream of HTTPS traffic that moves across the internet each second. This means third-party observers can't look at DNS requests to guess what a user might be trying to access.
 

DeepWeb

Level 25
Verified
People say that the whole encrypted SNI thing is something only Cloudflare is pushing to get control over and that we should oppose. Too bad there is no way to add this on Chrome OS unless you go into full Developer Mode and compromise your security. :/ Waiting for the flag.
 

Nightwalker

Level 18
Verified
Trusted
Content Creator
Do you often get this error with ESNI enabled on some sites? For me this happens on MalwareTips and some other websites. I can visit the sites after clicking Try Again.
Are you using a third-party antivirus solution that scans SSL connections? I had this kind of error with Kaspersky when SNI encryption was enabled.
 

SeriousHoax

Level 18
Verified
Malware Tester
Never seen this error before. I would say something is messing with the handshake. Or did you remove/disable any certificates? What DNS are you using?
No, did nothing with certificates. Seems to happen on most sites that depend on Cloudflare, but then again not for every site, only a few. I'm using Next DNS on my router, which is also set on Firefox as DoH. Changing DoH on Firefox to something else doesn't fix it either. Once I click Try Again I can freely visit the site without any problem.
 

SeriousHoax

Level 18
Verified
Malware Tester
Yeah, the only service I got to work properly with DoT without having timeouts causing failures was Cloudflare. I don't think that Merlin had put NextDNS in his firmware at that point, but I tested all the ones he did. I don't know if DoH has the same issues or not, but it seems like the trouble I was running into.
This happens only on Firefox with ESNI enabled. So my particular problem is maybe Firefox related. But not everyone is having this issue so it's confusing.
 

DeepWeb

Level 25
Verified
No, did nothing with certificates. Seems to happen on most sites that depend on Cloudflare, but then again not for every site, only a few. I'm using Next DNS on my router, which is also set on Firefox as DoH. Changing DoH on Firefox to something else doesn't fix it either. Once I click Try Again I can freely visit the site without any problem.
Maaaaan. nextDNS has been buggy as heck for me lol. But good luck with everything.
 

Burrito

Level 22
Verified
Interesting topic @Correlate.

The primary benefit of DoH is that the protocol hides DNS requests and responses in the giant stream of HTTPS traffic that moves across the internet each second. This means third-party observers can't look at DNS requests to guess what a user might be trying to access.
I like it. But I'm not willing to do too much to get it... it would just be a nice-to-have.

As @DeepWeb stated... I'll wait for the flag... or other easy-peasy way to implement it.