drduh / macOS-Security-and-Privacy-Guide

Guide to securing and improving privacy on macOS

Home Page: https://drduh.github.io/macOS-Security-and-Privacy-Guide/

DNS over HTTPS

paulmillr opened this issue · comments

Big Sur allows using encrypted DNS. This is very useful for privacy. See: https://paulmillr.com/posts/encrypted-dns/

Perhaps it would make sense to include some eDNS advice in the guide.

Also note, there is a bug (or a feature?! 😒) that disables DoH/DoT when using a firewall like Little Snitch.

commented

The DNS section could definitely use updates. If you're using DOH/DOT, please send a PR with your recommendation.

Here is a huge list of misc. DNS providers:
https://kb.adguard.com/en/general/dns-providers

A simple solution is to use NextDNS (affiliate link): it handles everything, with a web interface to manage it all, white/black lists, logs (optional), all OSes, via curl... free 300,000 requests/month.
It works perfectly well and is easy to whitelist: just check your log on the site.
I have tried a lot, but the problem is always when you need something blocked; here it takes one copy/paste from logs to whitelist.
https://nextdns.io/fr?from=98ctfnjk

NextDNS with the OISD filter list and Quad9 are the best ones, in that order. Cloudflare is a lot behind at malware protection, and its privacy is somewhat bad.

@beerisgood A lot of OISD lists are accessible in NextDNS, which is easy to handle.

Huge list of Blocking Lists:
https://oisd.nl/?p=inc

Discover this via the my.nextdns.io log.

Firefox 89 seems to bypass a VPN (ZenMate, bought by CyberGhost) for DNS requests (to my.nextdns.io on the router) if set to No-proxy or Use-system-proxy. ZenMate (very fast btw in Belgium) uses Cloudflare 1.1.1.1; before it was Google 8.8.8.8.

In other words, it was still using my.nextdns.io instead of ZenMate DNS???

It is not an exhaustive test, nor of all possibilities or with different VPNs. Perhaps just a GUI bug.

Relaunch FF after any change in Network Prefs!!!

If there is somebody monitoring your Wi-Fi/Ethernet traffic (and you are not using a VPN/Tor), they already know the IP address that you are connecting to.

Yes, your DNS may be encrypted, so they don't initially know what you are connecting to, but they will still know the endpoint you are connecting to.

In this case what is the point of using DOH?

@jotulaja1 that's incorrect. An attacker would only know an IP. An IP is much less than a domain name. Sometimes there can be, like, 20 domains hosted on one IP. Also, IPs are rotated between servers, for example on AWS.

DoH increases the complexity of eavesdropping. Not only do they need to save the IPs to the DB, they'll also need to do real-time DNS scraping. That's complex, and most DPI systems don't work like that.

Of course, Tor/VPN is better in this regard.

commented

Someone on Big Sur who uses DOH, please send a PR with your recommendation.