arrow_upward

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Heads-Up: Firefox rolling DNS-over-HTTPS (DoH)
#1
DNS-over-HTTPS (DoH) protocol improves security, performance and users privacy by letting people chose the name-server they want. In fact, DoH hides DNS queries inside regular HTTPS traffic thus any third-party 'sniffer' won't be able to see the DNS queries users are running thus inferring what websites they are about to visit; hence the security and privacy aspect of it.

Firefox had (in 2017) the brilliant idea to start implementing it natively and with version 70, the feature is fully functional but still not enabled by default (read this article for more: What’s next in making Encrypted DNS-over-HTTPS the Default).

>> A little personal note on this:
I recently changed my ISP to an "underdog" company which happens to have a good 4G-LTE coverage in the different areas where I need it. But to my dismay, I've found that they are filtering out port 53 in such a way that any DNS query to any external nameserver (except theirs of course) is blocked!!!..

I'm aware that there are 2/3 ways to circumvent this, using a VPN, SSH-tunneling, port-forwarding... and DNS-over-HTTPS.

But When I learned about Firefox shipping DoH, I immediately enabled it thus improving the latency/performance (my new ISP DNS server is really that crappy), the Web browsing privacy ISP-wise (letting Cloudflare build that profile instead, for now. )

Now, how you can enable DoH in Firefox; 2 ways:

> about:preferences  -> Network Settings -> Enable DNS over HTTPS (check)
> about:config
                    -> network.trr.mode (2)
                    -> network.trr.uri
                    -> network.trr.bootstrapAddress

See the Mozilla blog article for more on those settings or just see here.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
#2
on android, you can use bromite browser and it has full support for this DNS over HTTPS. actually bromite might be the most secure browser right now on android platform. you can also configure to use it as webview platform all over your android system. step are given on their site at bromite.org

on pc, i use ungoogled chromium.

firefox is good and i have it installed and updated too. i especially use it to view source on android. pretty often actually.
Sincere Thanks to VirMach for my VPS9. Also many thanks to Shadow Hosting and cubedata for the experiences I had with their VPSs.
#3
(11-12-2019, 07:45 PM)rudra Wrote: on android, you can use bromite browser and it has full support for this DNS over HTTPS. actually bromite might be the most secure browser right now on android platform. you can also configure to use it as webview platform all over your android system. step are given on their site at bromite.org

I don't browse the Web on smartphones (I'm a bit old-fashioned in that regard), but it's nice to know that Chromium has a security-minded port on Android systems, called Bromite.


(11-12-2019, 07:45 PM)rudra Wrote: on pc, i use ungoogled chromium.

firefox is good and i have it installed and updated too. i especially use it to view source on android. pretty often actually.

I'm a die hard Firefox supporter and advocate, but I generally have Chromium on my systems for Web development purposes (for code review/debugging), and which, just checked, is also in the race of shipping DoH ASAP: see Experimenting with same-provider DNS-over-HTTPS upgrade.

On the other hand, I wasn't aware of the Ungoogled-Chromium project. I've always treated Google's Chrome as a self-inflicted malware (Sorry Google!), that's why I've always used Chromium (which is -for those who don't know- Chrome minus the proprietary codebase, essentially all that make Chrome a spyware.) But this Ungoogled-Chromium looks even more interesting by decoupling Chromium of its residual Google web services dependency.

Nice find @rudra! and thanks for your input.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
#4
(11-11-2019, 03:34 PM)fChk Wrote: (...)
>> A little personal note on this:
I recently changed my ISP to an "underdog" company which happens to have a good 4G-LTE coverage in the different areas where I need it. But to my dismay, I've found that they are filtering out port 53 in such a way that any DNS query to any external nameserver (except theirs of course) is blocked!!!..

I'm aware that there are 2/3 ways to circumvent this, using a VPN, SSH-tunneling, port-forwarding... and DNS-over-HTTPS.

But When I learned about Firefox shipping DoH, I immediately enabled it thus improving the latency/performance (my new ISP DNS server is really that crappy), the Web browsing privacy ISP-wise (letting Cloudflare build that profile instead, for now. )

(...)

I've always been wary of the industrial-scale of users tracking going on on the Internet in general, and the Web in particular. It's simply consternating. Any time privacy-advocates fight back, they are faced by a barrage of corporate harassment if not by legal suits.

I still remember the fight over the end-to-end encryption that took place few years ago between US security agencies and the BigTech industries supported by the ACLU (American Civil Liberties Union.) Reasonably strong TLS encryption made its way to the web, and was widely promoted by Google to get lazy web masters to implement it on their web sites to the point that nowadays plain text web sites are in the minority, where it matters.

These days, it seems, the fight is still on... The good news is that we are winning the technology side of it (I'll write on this point on another thread...) For the political side, things are still shaky. I've had this thought when I was reading this article from @arstechnica: ISPs lobby against DNS encryption, but Mozilla tells Congress not to trust them.

It would seem that the ISPs don't like DoH, at all (who's surprised?)... This is the famous 'Going Dark' in it's 2.0 iteration.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
#5
As a recap, my latest foray into the DNS arena stems from the fact that my new ISP's blocking of port 53 (which is lame to say the least.) My response to 'that attack' was two fold DNS-functionality-wise.

First, for my system-wide DNS queries. As I'm using Bind as my LAN DNS resolver (which also manages few local zones), I've redirected all the Bind forwarding queries to quad9, Cloudflare and Google DoT's services on port 853 via STunnel [1].

Up-till-now, port 853 isn't blocked, as I suspect it will when DoT become more popular.

Second, for my browsing queries. I activated DoH on Firefox (my default routine web browser) as the OP already mentioned.

This setup works well and I don't have any DNS issue any more. Thus, I advise people to look into this from their side too (especially when an ISP wants to impose their service upon you.)

My last tips for DoH configuration on Firefox is, in addition to what I've already said in this quote:
(11-11-2019, 03:34 PM)fChk Wrote: Now, how you can enable DoH in Firefox; 2 ways:

> about:preferences  -> Network Settings -> Enable DNS over HTTPS (check)
> about:config
                    -> network.trr.mode (2)
                    -> network.trr.uri
                    -> network.trr.bootstrapAddress

> You can customize the DoH service providers by adding/removing it from the array set at network.trr.resolvers
> To be able to bootstrap DoH without the need to use your OS DNS resolver the first time you fire up Firefox, you need to populate the network.trr.bootstrapAddress with the IP address of the DoH server you're using.
> If you don't want to fall back on your OS DNS resolver, set network.trr.mode to 3 (meaning: Only use TRR), and in which case network.trr.bootstrapAddress must also be set.
> By default DoH in Firefox don't send your subnet to the resolver (ie, network.trr.disable-ECS is set to true.) If you want the geoDNS feature, you should disable this.

That should be all on this for now.


----------
[1]-I'll be posting my own setup on another thread for anyone else out there in my situation.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
#6
firefox DoH works much better than the 1.1.1.1 apps on android or running cloudflared client on linux

i used 1.1.1.1 and cloudflared before and first it able to unblock a site that is blocked by my isp
but after some time it started to not doing that anymore . it is still blocked

recently i tried to configure my firefox proxy setting and i found out the new doh setting . i tried it and it worked really great . the site get unblocked again and i can use it full speed
Terminal
humanpuff69@FPAX:~$ Thanks To Shadow Hosting And Post4VPS for VPS 5


Possibly Related Threads…
Thread
Author
Replies
Views
Last Post

person_pin_circle Users browsing this thread: 3 Guest(s)
Sponsors: VirMach - Host4Fun - CubeData - Evolution-Host - HostDare - Hyper Expert - Shadow Hosting - Bladenode - Hostlease - RackNerd - ReadyDedis - Limitless Hosting