
A guide to set up your own round-robin DNS-over-HTTPS proxy for privacy - jkingsman
https://dohproxy.com/
======
mike-cardwell
This setup does the opposite of what they're hoping to do, and is the exact
reason that Tor implemented "Entry Guards".

If there is any pattern in the DNS queries you perform (e.g you visit certain
sites regularly), then all of a sudden there are now going to be four
additional organisations that know your browsing habits, on top of your
existing one (your ISP).

Imagine you go to pornhub.com every day. Your ISP knows that you're doing that
today because of your DNS lookups, and they will still know that after the
deployment of DOH and ESNI, because like millions of other websites, pornhub
doesn't share their IP addresses. But now all of a sudden, you'll be telling
Cloudflare one day that you go to pornhub, Google the next day, OpenDNS the
next day, and 42l the next day.

Why do people insist on increasing the number of organisations with access to
their browsing history, in the name of privacy?

Don't set up or use this system.

~~~
lolc
I agree that there is little gain in hiding DNS traffic from your ISP. And
like you I'm wondering what the benefit of spreading around one's DNS profile
should be. I think it's better to just pick the DNS provider one distrusts the
least.

But once you use DoH using a private DNS proxy does in fact provide (some)
protection because it detaches one's client address from the requests.
Breaking this requires timing correlation or individual domain names for
tracking.

~~~
mike-cardwell
Why set up a private DNS proxy when you can (arguably more easily) set up a
private VPN, which protects _all_ of your traffic instead? A quick "apt
install unbound" on the VPN server will give you a private recursive DNS
resolver which supports DNSSEC, and you'll be communicating with that over the
VPN, so DoH gives you nothing...

~~~
t0astbread
When you set up a private VPN to tunnel your traffic through, doesn't your VPN
server just become your client? Or am I missing something here?

~~~
mike-cardwell
It does yes. And I think you must be missing something yes.

~~~
t0astbread
So, what is the benefit of a private tunnel that maps uniquely to you?

Addendum: If it's about distrusting your ISP you gotta consider that you're
just moving trust to another ISP or service provider (or worst case both, if
they're separate entities).

~~~
mike-cardwell
You should take my response in context to the preceding conversation.

When somebody says that using a VPN would be better, you need to consider what
they are saying it is better than.

------
mercora
I think if you go for privacy it is best to resolve queries recursively. You
can do QNAME minimization with unbound for example, and whatever network you
are trying to reach will likely see your address anyway some way or another.
I mean, I for one am more worried about a centralized service like the one
offered by Cloudflare than I am worried about individual nameservers tracking
me. And if you are worried about people being able to sniff your traffic,
protecting only DNS from that won't help you much.

------
andyjohnson0
Today's Guardian has a piece [1] on Firefox's DNS over HTTP and how Mozilla
has no plans yet to make it the default in the UK. Most of the article is
about how it breaks centralised web filtering, and has concerned-sounding
quotes from child protection organisations. Probably a predictable slant for a
general readership publication to take, but it is concerning that use of DoH
might be being framed solely as enabling criminality. As someone who lives in
the UK and who enabled it several months ago for privacy (anti-tracking)
reasons, I'm going to have to keep an eye on this.

[1] [https://www.theguardian.com/technology/2019/sep/24/firefox-n...](https://www.theguardian.com/technology/2019/sep/24/firefox-no-uk-plans-to-make-encrypted-browser-tool-its-default)

~~~
t0astbread
Couldn't the UK just work together with popular DoH providers to implement
filtering in a clean way?

~~~
andyjohnson0
I'd be ok with that. The problem would be the emergence of unscrupulous DoH
providers.

Presumably the fear is that having DoH built into the browser lowers the bar
to entry for people who want to use it as part of engaging in criminality.

~~~
t0astbread
DoH compared to plain old DNS is about as much of a crime-enabler as HTTPS
compared to HTTP (probably even less).

~~~
andyjohnson0
I was referring to people accessing illegal material, with DoH being used to
bypass ISP-level content filtering.

------
madisfun
Round-robin and privacy do not dwell well together. Like mike-cardwell pointed
out in another comment, it just distributes the same information to more
parties.

As there has to be at least one party which will know the request, some
information will be leaked. But what can be prevented is giving "unrelated"
requests into the hands of the same resolver. Few of the requests per se are
interesting; the combinations of them allow building user profiles.

The policy should not be round robin, but somehow based on the domain itself,
so that all requests about the same domain go to the same resolver, but to
nobody else.

An even better mechanism would take into account who is the owner and the
controller of the domain, so that requests about, let's say, facebook.com and
fbsbx.com land at the same resolver, but github.com and microsoft.com at
another.
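
One way to implement the domain-sticky policy described in this comment, as an added example that is not part of the thread or of dohproxy.com's code: each query name is collapsed to its registrable domain (or to a constructed owner group), then mapped to one of four resolvers with a keyed hash, so the choice is stable locally but not predictable by an upstream. The resolver names, owner map, suffix list and secret are assumptions made for the illustration.

```python
# Sticky resolver selection: every query for the same registrable domain (or
# for domains under one known owner) goes to the same upstream, never to others.
# Added illustration; resolver names, owner map, suffix list and secret are
# constructed, not taken from dohproxy.com.
import hashlib
import hmac

# Constructed upstream pool (names only, no endpoints).
RESOLVERS = ["cloudflare", "google", "opendns", "42l"]

# Constructed sample of co-owned registrable domains -> owner label.
OWNER_GROUPS = {"facebook.com": "facebook", "fbsbx.com": "facebook"}

# Tiny stand-in for the Public Suffix List (assumption: only these
# multi-label suffixes exist); real code should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Per-installation secret so an upstream cannot recompute the bucket mapping.
# Constructed value: generate a random one per deployment.
LOCAL_SECRET = b"example-secret-rotate-me"


def registrable_domain(qname: str) -> str:
    """Return the eTLD+1 of a query name (e.g. www.bbc.co.uk -> bbc.co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def routing_key(qname: str) -> str:
    """Owner label when the domain is in a known group, else the domain."""
    domain = registrable_domain(qname)
    return OWNER_GROUPS.get(domain, domain)


def pick_resolver(qname: str) -> str:
    """Map a query name to one resolver, stably, and unpredictably to outsiders."""
    # HMAC with a local secret keeps the choice identical across restarts while
    # preventing a resolver from inferring which other domains share its bucket.
    key = routing_key(qname)
    digest = hmac.new(LOCAL_SECRET, key.encode(), hashlib.sha256).digest()
    return RESOLVERS[int.from_bytes(digest[:8], "big") % len(RESOLVERS)]


if __name__ == "__main__":
    for name in ["www.facebook.com", "static.fbsbx.com", "github.com", "www.bbc.co.uk"]:
        print(f"{name:18} -> {pick_resolver(name)}")
```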

~~~
mercora
This is more or less what happens if you have a recursive resolver. In most
cases your queries will be seen by the same network that will see your traffic
afterwards anyway. Only the TLD nameservers will somewhat occasionally,
depending on the TTL, know which network you are about to enter, and they are
arguably more trustworthy. I think about it this way: I already trust whichever
infrastructure provider my endpoint uses, and the choice of nameservers is an
extension to that.

------
devwastaken
I thought that regardless of DNS provider, you can't stop the IP destination.
No doubt there's real-time recording of what domain points to what IP. It's
harder for your local sysadmin probably, but not much further.

~~~
userbinator
Indeed, that and SNI[1] make this whole DoH thing pretty pointless for privacy
IMHO --- if you are seriously concerned about your ISP monitoring your
traffic, tunnel everything through a VPN that exits into the Internet
somewhere else. It seems more like an effort to frustrate host-based
adblocking more than anything.

[1] Looking at SNI is even more accurate, since DNS lookups don't necessarily
(but often) mean a connection to that host will be made; a TLS handshake, on
the other hand, means a connection _is_ being made.

~~~
jchw
Encrypted SNI exists.

[https://blog.cloudflare.com/encrypted-sni/](https://blog.cloudflare.com/encrypted-sni/)

I doubt DoH is a ploy to break adblocking; if you don’t control the device
making the requests they could already do plenty of things to break crude
adblocking techniques like that. (Nevermind the fact that one of its biggest
supporters is Mozilla.)

Stating that this is pointless for privacy seems like an exaggeration. Sure,
it's not a panacea, but for probably 80% of sites, the destination IP tells you
you are headed to Amazon or Cloudflare. Besides that, why reveal more
information than less, and why not remove unencrypted, easily manipulated
network traffic? Personally, I aim to eliminate unencrypted traffic on my
networks.

~~~
comex
Yep. Encrypted SNI is still a work-in-progress in terms of browser support –
like DoH itself – but they’re both being pushed by Cloudflare, and intended to
complement each other. No conspiracy theory needed to explain the motivation.

Edit: And Cloudflare's own service mitigates the use of IP addresses to
identify sites, since (AFAIK) all Cloudflare-wrapped sites are accessed via
the same IP. Of course, this is only an improvement if you trust Cloudflare.

------
kylek
I thought this was someone else providing an anonymized dns proxy at first,
but it's just how to set up your own proxy. Not sure this saves anything over
just using DoH to one of the listed providers directly (the requests still
come from something you own and can technically be traced back to you, albeit
with more effort?)

edit: I'm wondering what the ideal setup actually is. Would the root servers
need to provide DoH endpoints?

~~~
jkingsman
The "more effort" part was what I was going for -- no nation state or
warrant-holding organization is going to be stymied by this, but as a personal/home
user, I'd rather DoH resolvers not be able to tie my lookups to my personal IP
which is doubtless held in many other cross-referencable locations (in my
case, home-network wide proxying or Tor isn't feasible).

~~~
Ajedi32
I wonder if it'd be feasible to proxy _only_ the DNS requests over Tor. Maybe
set up your network-level DNS proxy to route upstream queries through a Tor
tunnel to a different DNS-over-HTTPS resolver. Perhaps even have the DNS proxy
cache DNS records and proactively revalidate commonly used ones to avoid most
of the latency overhead of Tor.

~~~
ignoramous
Unbound does prefetch [0]. Not sure about the Tor split tunnel, but it is easy
to set one up over WireGuard.

[0] [https://en.m.wikipedia.org/wiki/Unbound_(DNS_server)#Feature...](https://en.m.wikipedia.org/wiki/Unbound_\(DNS_server\)#Features)

------
hlieberman
A quick bug report: you do not need to set up renewals in cron. In the certbot
ppa (and Debian, and thus Ubuntu), they're automatically set up for you at the
time of install using both cron and systemd timers.

~~~
jkingsman
Noted, and thank you for the PR! The instructions have been updated.

------
floatingatoll
The privacy noted here appears to essentially boil down to “from Cloudflare”
right now, and comes at the risk of leaking DNS queries to other third-parties
who are often more inclined to act maliciously towards your privacy and are
not committed against doing so.

Be sure that you trust your “over the wire” connection to not sniff and
uniquely tag all of your DNS requests with your specific identifying
information, such as Verizon and many other service providers often do.

~~~
goatsi
You only get privacy from Cloudflare 3/4 of the time, as their resolver is one
of the four that requests are proxied to.

~~~
jkingsman
The idea is that resolvers just know it's coming from the EC2 instance/etc
rather than knowing your personal IP.

~~~
gog
They know the personal IP as well since it's being passed in the
"X-Forwarded-For" header by nginx.

Having a local recursive resolver with the Client Subnet in DNS Queries turned
off would be better for privacy.

------
shreyasonline
DoH and DoT are not really providing privacy unless ESNI is fully developed
and deployed by most websites. DoT and DoH do provide security since with
plain old DNS, literally anyone in your network path can spoof responses.

Round-robin providers is a really bad idea. It's like leaving your footprint in
literally all places.

Best is to use Tor Browser if you really need privacy.

------
klysm
Can’t wait to get me RRDNSOHTTPS going

