
Getting Started with DNS over HTTPS on Firefox - nykolasz
https://medium.com/@nykolas.z/getting-started-with-dns-over-https-on-firefox-e9b5fc865a43
======
Communitivity
I'm interested to see how the implementation performs in practice, but I don't
see DNS over HTTPS as better than some of the other solutions out there. Some
have been around for a while and are well-tried but failed to gain wide
adoption, like DNSSEC. Others are new kids, unproven but with lots of promise
on paper, like IPFS service discovery.

In no particular order, here are some alternative technologies. As always YMMV
and the proof is not just in the technical implementation of the protocol, but
also the policies and politics around the adoption. A good chunk of them
overlap DNS's goals in what they aim to do, but only partially.

* DNSSEC - [https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-...](https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en)

Various Distributed Hash Table (DHT) based approaches:

* IPNS - [https://medium.com/@yaniv_g/hosting-websites-on-ipfs-with-ip...](https://medium.com/@yaniv_g/hosting-websites-on-ipfs-with-ipns-b94659c42b52)

* Telehash - [http://telehash.org/](http://telehash.org/)

Various cryptocurrency approaches:

* Namecoin - [https://bit.namecoin.org/](https://bit.namecoin.org/)

* DomainToken - [http://www.domaintoken.io/](http://www.domaintoken.io/)

* Steemit - [https://steemit.com/](https://steemit.com/)

If you know of others, please comment with the name and a link.

~~~
DrPhish
Over the past year or so I've done a complete re-evaluation of my home network
and online activity with an eye to privacy and safety, after having the
epiphany that the cloud is just a fancy term for other people's computers. Why
would I trust my modest compute needs and most personal data to someone else
in this age of cheap hardware and virtualization?

To concentrate purely on the DNS side, I set about re-engineering things for
privacy, safety and speed (in that order). I'll only address my local
resolver, and not the DNS I'm serving to the world at large for my personal
domains.

I run Palo Alto's free MineMeld server in order to get real-time threat lists.
Any medium or higher threat level domains are fed to:

an unbound caching resolver on my OpenBSD edge firewalls. These threat domains
(along with adware domains from someonewhocares) are blackholed to 0.0.0.0.
Any queries that are not in the cache are forwarded to:

a BIND 9 server on a VM that has no direct access to the internet or the rest
of my LAN. It will either answer authoritative queries for my internal LAN or
forward queries that require an external authoritative answer to:

Six DNSCrypt proxies in a round-robin scheme. Each proxy was chosen because it
(claims it) doesn't log, and will also pass back DNSSEC failures. OpenDNS
doesn't!

Notes :

My BIND server verifies DNSSEC. I also have a bunch of known-good/bad DNSSEC
domains that my Nagios server checks constantly, verifying that DNSSEC is
succeeding/failing as expected. I also have DNSSEC/TLSA/DANE for all my
domains and services. Thank you Let's Encrypt!

My OpenBSD pf firewall forces ALL DNS queries to my unbound resolvers, so
regardless of what server an internal client attempts to use, it ends up going
through all my security and privacy apparatus. Malware is unable to use its own
DNS servers to bypass my blackholing.

I have not gone the extra step of using Tor. Although this seems like it would
improve my privacy, I can't shake the feeling it's an NSA honeypot and does
more to mark you as a target of interest than it does to protect you.

One feature I would like, which I have found impossible to implement on my own,
is fresh DNS cooldown, to prevent brand-new domains from resolving for x
number of hours. I like the idea that malware using dynamically generated
domains could be thwarted with this, but there isn't any central
list/mechanism to figure this out. Whois info is too unreliable and
unstructured.

~~~
mike-cardwell
SpamEatingMonkey offers a set of RBLs allowing you to look up domains which
have been registered in the last N days with a simple DNS query (where N is
one of 5, 10, 15 or 30).

[https://spameatingmonkey.com/services](https://spameatingmonkey.com/services)

I've not used this myself, so I'm not recommending it. I only know that it
exists.

~~~
DrPhish
Thanks! I'll check it out, but it looks like there isn't a downloadable list,
and inserting an extra DNS lookup as a check in my caching/resolving
infrastructure isn't something I have been able to figure out how to do. Looks
pretty sweet as part of an anti-spam filter though!

Edit: I've emailed them asking about the possibility.

------
krylon
This is probably kind of a dumb question, but can I run my own DoH server? If
so, where can I find a tutorial?

~~~
jedisct1
Install rust-doh: [https://github.com/jedisct1/rust-doh](https://github.com/jedisct1/rust-doh)

There are also tutorials on how to set up your own DNSCrypt server:
[https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes](https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes)

~~~
krylon
Thank you!

------
jacob019
So is this where we are going, application-level DNS implementations?

~~~
MaxBarraclough
Seems the sensible place to start, no? We're a long way off secure DNS from
the OS.

~~~
lnx01
As part of releasing 1.1.1.1, Cloudflare implemented DNS-over-HTTPS proxy
functionality into one of their tools: cloudflared, also known as argo-tunnel.
You can install it and configure the OS to do lookups against cloudflared on
localhost instead of some outside DNS server.

------
e12e
> GET [https://dns.google.com/experimental?ct&dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAACAAE](https://dns.google.com/experimental?ct&dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAACAAE) HTTP/2.0

I guess the stuff in the dns= bit is a query to look up the IP of
dns.google.com? ;)

I'm not sure if I think trusting certs for ip addresses (as opposed to domain
names) is a great idea. And how else would this bootstrap?
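An added example (not code from the Medium post or from any project named in this thread) that builds and decodes the `dns=` parameter quoted above: a DoH GET carries an ordinary DNS wire-format message, base64url-encoded without padding, so the question name can be read straight out of it, and a server-side decoder needs the length checks shown here before trusting the bytes.

```python
import base64
import struct

# Added example, not from the Medium post: build and decode the "dns="
# parameter of a DNS-over-HTTPS GET (RFC 8484). The payload is a plain
# DNS wire-format message (RFC 1035), base64url-encoded without padding.


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Encode a single-question DNS query. ID 0 keeps identical queries
    cacheable by HTTP caches; RD (0x0100) is set as a stub resolver would."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def to_dns_param(msg: bytes) -> str:
    """base64url without '=' padding, as the dns= parameter requires."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def parse_dns_param(param: str) -> dict:
    """Decode a dns= parameter and parse its header and first question.
    Raises ValueError on truncated input or on compression pointers, which
    a stub never sends in a question name; reject both rather than read
    past the buffer."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    if len(raw) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", raw[:6])
    pos, labels = 12, []
    while True:
        if pos >= len(raw):
            raise ValueError("QNAME runs past end of message")
        length, pos = raw[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(raw):
            raise ValueError("bad label: pointer or runs past end")
        labels.append(raw[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(raw):
        raise ValueError("question truncated: QTYPE/QCLASS missing")
    qtype, qclass = struct.unpack("!HH", raw[pos:pos + 4])
    return {"id": msg_id, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
            "length": len(raw)}
```

A query for example.com built with the defaults encodes to `AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE`; the value as quoted in the comment above decodes to 28 bytes, one short of a complete question section, so `parse_dns_param` rejects it.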

------
js2
I installed doh-client from [https://github.com/m13253/dns-over-https](https://github.com/m13253/dns-over-https)
onto my EdgeOS router, then pointed dnsmasq at doh-client and, well, it works
and I have nothing else exciting to report. One less thing for AT&T to snoop.

------
akerro
Can I use it with OpenNIC resolvers? [https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)

------
MaxBarraclough
See also this article by a Mozillian:

[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/](https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/)

------
ilovetux
What is the point of using DNS over HTTPS if you use Google's DoH server?

~~~
pwned1
Preventing your ISP from logging your DNS queries?

~~~
ilovetux
Well I suppose that this is a concern, and with recent regulatory roll-backs
even more so today. I'm creeped out now...

------
mderazon
I have enabled DNS over HTTPS on Android P (it has built-in system-wide
capability) with Cloudflare.

Problem is that I have no idea how to test if it is really working :-)

~~~
jedisct1
Go to [https://cloudflare-dns.com/help/](https://cloudflare-dns.com/help/)

~~~
mderazon
Nice! Didn't know about that.

For reference, this is what I get when I set my DNS as
1dot1dot1dot1.cloudflare-dns.com on Android P:

[https://cloudflare-dns.com/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3Q...](https://cloudflare-dns.com/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiWlJIIiwiaXNwTmFtZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9)

------
forcer
Google does no evil. Yep :)

------
XparentX
For many of us who use local DNS (pi-hole and similar technology), this is not
an option. On the other hand, I feel more secure with my local ISP than with a
mega ad-corporation like Google.

I think that DNS over HTTPS is loved by the ad-community. No local DNS that
can disturb or block user generated data. Don't get fooled, people.

#DeleteGoogle

~~~
ac29
There's no reason you can't use DNS over HTTPS and pi-hole; just use
dnscrypt-proxy and point your pi-hole at that: [https://github.com/jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)

~~~
XparentX
Thanks for the tip! Will look into it.

