Heads-Up: Firefox rolling DNS-over-HTTPS (DoH)
#5
As a recap, my latest foray into the DNS arena stems from my new ISP's blocking of port 53 (which is lame, to say the least). My response to 'that attack' was twofold, DNS-functionality-wise.

First, for my system-wide DNS queries. As I'm using Bind as my LAN DNS resolver (which also manages a few local zones), I've redirected all the Bind forwarding queries to quad9, Cloudflare and Google's DoT services on port 853 via STunnel [1].

Up till now, port 853 isn't blocked, as I suspect it will be when DoT becomes more popular.

Second, for my browsing queries. I activated DoH on Firefox (my default routine web browser) as the OP already mentioned.

This setup works well and I don't have any DNS issues any more. Thus, I advise people to look into this from their side too (especially when an ISP wants to impose their service upon you).

My last tips for DoH configuration on Firefox are, in addition to what I've already said in this quote:
(11-11-2019, 03:34 PM)fChk Wrote: Now, how you can enable DoH in Firefox; 2 ways:

> about:preferences  -> Network Settings -> Enable DNS over HTTPS (check)
> about:config
                    -> network.trr.mode (2)
                    -> network.trr.uri
                    -> network.trr.bootstrapAddress

> You can customize the DoH service providers by adding/removing them from the array set at network.trr.resolvers
> To be able to bootstrap DoH without the need to use your OS DNS resolver the first time you fire up Firefox, you need to populate network.trr.bootstrapAddress with the IP address of the DoH server you're using.
> If you don't want to fall back on your OS DNS resolver, set network.trr.mode to 3 (meaning: Only use TRR), in which case network.trr.bootstrapAddress must also be set.
> By default, DoH in Firefox doesn't send your subnet to the resolver (i.e., network.trr.disable-ECS is set to true). If you want the geoDNS feature, you should disable this.

That should be all on this for now.


----------
[1]-I'll be posting my own setup on another thread for anyone else out there in my situation.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
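
An added example, not part of the original post: a small Python check that reads `user_pref(...)` lines from a Firefox profile's `user.js`/`prefs.js` and flags the pref combinations the post warns about. The pref names are the ones given in the post; the function names and the `doh.example` resolver URL are placeholders chosen for this example.

```python
import ipaddress
import json
import re

PREF_RE = re.compile(r'^\s*user_pref\(\s*"(network\.trr\.[^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for network.trr.* user_pref("name", value); lines."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))  # string, int or bool
            except ValueError:
                pass  # value is not a plain literal; skip the line
    return prefs

def audit_doh(prefs):
    """Check the pref combinations the post describes; return a list of findings."""
    mode = prefs.get("network.trr.mode", 0)
    bootstrap = str(prefs.get("network.trr.bootstrapAddress", ""))
    if mode not in (2, 3):
        return ["network.trr.mode is not 2 or 3: DoH is not enabled as in the post"]
    findings = []
    if not str(prefs.get("network.trr.uri", "")).startswith("https://"):
        findings.append("network.trr.uri is missing or not an https:// URL")
    if mode == 2:
        findings.append("mode 2: falls back to the OS DNS resolver")
    if not bootstrap:
        findings.append(f"mode {mode}: network.trr.bootstrapAddress is not set")
    else:
        try:
            ipaddress.ip_address(bootstrap)
        except ValueError:
            findings.append("network.trr.bootstrapAddress is not an IP address")
    if prefs.get("network.trr.disable-ECS", True) is False:
        findings.append("network.trr.disable-ECS is false: subnet is sent to the resolver")
    return findings

# Constructed sample lines (placeholder resolver URL), not taken from the post.
SAMPLE = (
    'user_pref("network.trr.mode", 3);\n'
    'user_pref("network.trr.uri", "https://doh.example/dns-query");\n'
    'user_pref("network.trr.disable-ECS", false);\n'
)
if __name__ == "__main__":
    for finding in audit_doh(parse_prefs(SAMPLE)):
        print(finding)
```

Run against the constructed sample, it reports the missing bootstrap address for mode 3 and the disabled ECS protection.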


Messages In This Thread
RE: Heads-Up: Firefox rolling DNS-over-HTTPS (DoH) - by fChk - 12-29-2019, 07:02 AM
