As I understand it, "bootstrapAddress" is the initial DNS server to which the request goes to get the IP of the DNS server with DoH support, so I left the Cloudflare IP here to connect to NextDNS as quickly as possible.
How is this possible? I thought that DoH is encrypted using public and private keys and MITM attacks on it are almost impossible.
It seems to me that you are writing about a classic VPN application, but I do not use a VPN at the operating system level, as this slows down a lot of my network applications due to poor Internet and unstable ping, at least for Windscribe servers, so I prefer the extension in the browser. All browser extensions are always just a proxy server. Usually such extensions change DNS to their own to improve masking and protect against leaks, but I try to force it not to allow this through the Firefox settings and continue using NextDNS. Sometimes it works and sometimes it doesn't; why it sometimes doesn't, I can't understand.
Thanks for your reply!
Hello
@Trismer
Yep, the Bootstrap should still go to NextDNS, not Cloudflare, for the initial connection.
Now to the tricky bit: I admit that browser extensions use a proxy to forward traffic. Now to the more tricky bit: if you have leak issues on Windows, try this out plz ->
Guide: Prevent DNS leakage while using a VPN on Windows 10 (and Windows 8) - Neowin
This comes from an article at Checkpoint-Checkmates ->
DNS Security - Check Point CheckMates <- I know it refers to Cloudflare but just to understand why leaking is bad.

(For sure you already know)
Now to break down extensions: I do not know how Firefox extensions function, but if they are anything like Chrome/Chromium, you can look at the code inside.
As an example I use Edge Chromium:
What you need:
- Extension ID (Tip use Developer Mode)
- Export Extension to File
What you can do with it:
- View Code inside
I did that for the SandBlast Checkpoint extension to troubleshoot URL-Filtering and Cloud-connectivity. As for the Windscribe extension, you can check whether there is a setting that commits the changes every now and then.
For Windscribe the AppID on the ChromeStore is: hnmpcagpplmpfojmgmnngilcnanddlhb
Export it to file and then you can see what it does and how it does it.
In terms of logic - Proxy Settings overrule local settings
But there is a Proxy Bypass mode too...
I just know this from a System Local or Edge Chromium use case, "not Firefox"! The reason is simple: I do not use it even in professional Administration. (Personal Preference)
->
Setting a proxy for Windows using the command-line - AndyK Docs <- This works with the Legacy Internet Explorer / Windows Services / Edge Chromium --- Untested with Firefox
In terms of DNS over HTTPS, it depends on who the requester is and how the request is made; even an uplink server can make a DoH request for you. But still you are right: if your Browser does a DoH request for a Domain to NextDNS, this should be encrypted. (View Logs if so from your Client)
In my use case I use a DoH client at the Router level that listens on Port 53 and forwards those to NextDNS with the NextDNS DoH Client installed and my ID. So my clients only know of a local DNS server, never the public one - plus a DNAT rule that forwards all rogue DNS queries that are not to my Router's IP to that IP, and presto, everything has to go thru. Of course I still need to block DoH/DoT services; there is a good list out there:
dns.google
dns.quad9.net, dns9.quad9.net, dns10.quad9.net, dns11.quad9.net
dns.cloudflare.com
doh.dns.sb
dns.nextdns.io
dns.cleanbrowsing.org
doh.securedns.eu
Source ->
DNS over HTTPS (DoH) for web security (sophos.com)
But the principles still remain.
Best regards
Val.
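The router-side arrangement Val describes above (plain DNS from the LAN forced to the local DoH forwarder via DNAT, DoT and known DoH resolver addresses blocked in the forward path) written out as an added nftables ruleset; this is an illustration, not configuration from the original post. The interface name br-lan, the router address 192.168.1.1 and the 192.0.2.0/24 set member are placeholders to be replaced with your own values.

```nft
#!/usr/sbin/nft -f
# Placeholders: adjust to your LAN interface and the address the DoH forwarder listens on (port 53).
define LAN = "br-lan"
define ROUTER = 192.168.1.1

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Any plain-DNS query from the LAN that is not already aimed at the router
        # is rewritten to the router, so the local DoH client answers it.
        iifname $LAN udp dport 53 ip daddr != $ROUTER dnat to $ROUTER
        iifname $LAN tcp dport 53 ip daddr != $ROUTER dnat to $ROUTER
    }
}

table inet filter {
    set doh_resolvers {
        type ipv4_addr
        flags interval
        # Placeholder: fill with the addresses the public DoH hostnames in the list above resolve to.
        # Hostnames cannot be matched at the packet filter; the names themselves are better denied in the resolver.
        elements = { 192.0.2.0/24 }
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # DNS over TLS has its own port, so it can be refused outright.
        iifname $LAN tcp dport 853 counter reject with tcp reset
        # DoH shares port 443 with ordinary HTTPS, so only the known resolver addresses are refused.
        # The router's own DoH upstream connection is not affected: it does not pass through the forward hook.
        iifname $LAN ip daddr @doh_resolvers tcp dport 443 counter reject with tcp reset
    }
}
```

Load with `nft -f` on the router; the `counter` keywords let `nft list ruleset` show how many bypass attempts each rule caught, which is the quickest way to spot a client still trying to go around the local resolver.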