Advice Request: Is Edge leaking DNS?


porkpiehat

Level 6
Thread author
Verified
Well-known
May 30, 2015
277
OK, I have DoH and Quad9 selected in Edge settings. Now, when I test my DNS with Web-based DNS Randomness Test | DNS-OARC, it shows the Quad9 servers and my ISP servers..... I have run this test with my other browsers, which are set up with similar configs, and they return results from their chosen DNS, with no sign of any ISP. I can only assume that the problem is with Edge... is there something that needs tweaking to solve this?
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,148
@porkpiehat Please try this check for DNS leaks: DNS Leak Test

Here on my device and running Edge, this test above shows only DNS servers by Quad9 👍

On your Edge, are the settings for DoH the same as on my screenshot below?

[screenshot: dohonedge.png]
 

Amahl Farouk

Level 1
Jan 11, 2021
34
@porkpiehat It's by design. By default, the DoH implementation has failover.

There's a group policy that you need to set up with the Edge .adm download from the Edge for Business website.
Once the group policy file is installed, you can set it to "DoH without failover" and it will be forced to use only DoH.

It considers certain query times a "fail", so it uses system DNS instead of DoH exclusively... good UX, poor privacy, I guess.
 

silversurfer
It's by design. By default, the DoH implementation has failover.

There's a group policy that you need to set up with the Edge .adm download from the Edge for Business website.
Once the group policy file is installed, you can set it to "DoH without failover" and it will be forced to use only DoH.

It considers certain query times a "fail", so it uses system DNS instead of DoH exclusively... good UX, poor privacy, I guess.
1st: For me DoH works properly without DNS leaks on all my browsers, the same for Edge
2nd: Me and other Windows 10 Home users: access to group policy isn't a part of the OS
3rd: You should "quote" the OP @porkpiehat instead of me as I'm fine as said at 1st above
 

porkpiehat
TBH, I don't think the problem is the browser... the DNS Randomness test appears to test both the system (network) DNS and the browser-based DNS... so, if your network is running Cloudflare and your browser is set for DoH Quad9.... the test will show results for both.... 🤔
 

Amahl Farouk
TBH, I don't think the problem is the browser... the DNS Randomness test appears to test both the system (network) DNS and the browser-based DNS... so, if your network is running Cloudflare and your browser is set for DoH Quad9.... the test will show results for both.... 🤔
As I've explained, it's by design. I had the same problem with Edge's implementation of DoH and it was solved using the "DoH without failover" group policy. If you don't have Windows 10 Professional, I don't think there's another option but to use a system-level DoH setup.
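As an added example, not code from this thread or from Microsoft: the registry form of the "DoH without failover" policy described above. Edge reads its policies from the HKLM\SOFTWARE\Policies\Microsoft\Edge hive, which also applies on Windows 10 Home where gpedit.msc is missing; the value names DnsOverHttpsMode and DnsOverHttpsTemplates are Edge's documented policy names, and the Quad9 template URL is an assumption you should confirm against Quad9's own documentation.

```powershell
# Added example (not from the thread). Sets Edge's DoH policy in the registry
# policy hive, which Edge honours on Windows Home editions without gpedit.msc.
# Policy names are Edge's documented DnsOverHttpsMode / DnsOverHttpsTemplates;
# the Quad9 DoH endpoint URL below is assumed.
#Requires -RunAsAdministrator

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$DohTemplate = 'https://dns.quad9.net/dns-query'   # assumed Quad9 DoH endpoint

function Set-EdgeDohSecure {
    param([string]$Template = $DohTemplate)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # "secure" is the registry form of the ADMX option "DoH without failover":
    # Edge never falls back to the system (ISP) resolver. The default,
    # "automatic", is DoH with fallback, which is what produces the leak.
    Set-ItemProperty -Path $PolicyKey -Name 'DnsOverHttpsMode' -Value 'secure' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'DnsOverHttpsTemplates' -Value $Template -Type String
}

function Test-EdgeDohPolicy {
    # Returns $true only when the mode is "secure" and a DoH template is set.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    return ($p.DnsOverHttpsMode -eq 'secure') -and ($p.DnsOverHttpsTemplates -like 'https://*')
}

Set-EdgeDohSecure
if (Test-EdgeDohPolicy) {
    Write-Host "Edge policy set: DnsOverHttpsMode=secure, template $DohTemplate"
    Write-Host "Restart Edge, confirm the policy at edge://policy, then rerun the leak test."
} else {
    Write-Warning "Policy values not found; check that the key was written with admin rights."
}
```

With "secure" there is no fallback at all, so if the DoH endpoint is unreachable Edge will fail to resolve names rather than leak; the OS and other applications still use the system resolver, which is why a network-level test can still list the ISP servers.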
 

porkpiehat
As I've explained, it's by design. I had the same problem with Edge's implementation of DoH and it was solved using the "DoH without failover" group policy. If you don't have Windows 10 Professional, I don't think there's another option but to use a system-level DoH setup.
That may be so, but it also happens with Opera and Firefox.. so, I guess you need to make sure that you have a trusted DNS setup in your network prefs, to avoid your ISP DNS.
 

Brahman

Level 17
Verified
Top Poster
Well-known
Aug 22, 2013
815
OK, I have DoH and Quad9 selected in Edge settings. Now, when I test my DNS with Web-based DNS Randomness Test | DNS-OARC, it shows the Quad9 servers and my ISP servers..... I have run this test with my other browsers, which are set up with similar configs, and they return results from their chosen DNS, with no sign of any ISP. I can only assume that the problem is with Edge... is there something that needs tweaking to solve this?
If you want to prevent DNS leaks, I suggest you use DoH at the router level (DD-WRT, OpenWrt, RouterOS, pfSense, OPNsense, EdgeOS etc. support DoH). That's the only way you can make sure all the port 53 and port 5353 traffic is being rerouted through port 443.
 

porkpiehat
If you want to prevent DNS leaks, I suggest you use DoH at the router level (DD-WRT, OpenWrt, RouterOS, pfSense, OPNsense, EdgeOS etc. support DoH). That's the only way you can make sure all the port 53 and port 5353 traffic is being rerouted through port 443.
True, but my router is 'fixed' by my ISP... so, I can't adjust the settings.
 
