Why not use DNS over HTTPS (DoH)?
Bruh I'm still so confused about this - can any #networking people or anyone with #PiHole/#Pi-hole experience chime in and tell me: if my goal is privacy, and if I were to prioritise one, it'd be better privacy against my ISP, what should I use on my Pi-hole DNS server?
- #Unbound as a recursive DNS server
- Enable #DNS-Over-TLS (#DoT) using Unbound and upstream DNS provider set to something like #Cloudflare
- or Enable #DNS-Over-HTTPS (#DoH) using #Cloudflared
I initially thought you could have Pi-hole be all three but I don't think so, no?
If any unethical network operator (or government) can disable DoH on clients with a simple DNS flag, then what problem does DoH solve?
It stops you from blocking ads on the DNS level. That's all it was ever supposed to solve.
Disable DoH. Reject DoH.
I wrote a very basic #Ansible playbook to help people set up #PiHole with #DNSOverHTTPS (#DoH) directly installed on a Debian-based host (Raspberry Pi or small VM). It's available on my GitHub repo. I hope you find it useful! #HomeLab #SelfHosted
https://github.com/badnetmask/miscelaneous/tree/main/ansible/pihole-doh
In short, Mozilla has enabled #EncryptedClientHello in #Firefox 118, but only if it is configured to use #DNSoverHTTPS.
It's in Chrome too, presumably with the same conditions to benefit from it (that would seem logical)
I spent 5 minutes testing Windows 11 in a VirtualBox VM to try to see how to configure #DNSoverHTTPS system-wide:
- It's unbelievably slow
- Impossible to improve that (I think it's the transparency effects that slow it down, but you need a licence to disable them)
- Impossible to raise the resolution above 1280×960 (licence and all that)
- System in French, keyboard in QWERTY, because
- Found the DoH settings: doesn't work, doesn't take the changes into account
VM deleted
Bypassing blocks: setting up an XRay server for Shadowsocks-2022 and VLESS with XTLS-Vision, Websockets and a fake website
_habr.com/ru/articles/728836/ #dns2socks #чебурнет #adguard #Shadowsocks #DNSCryptProxy2 #роскомпозор #ODoH #обход_блокировок #docker #DNS-proxy #DNSSEC #doh #unbound #DoQ #privacy #antiZapret #DNS #dnsleaktest #ТСПУ #wireguard #суверенный_рунет #DNSCrypt #блокировка_VPN #сувенирный_интернет #АСБИ #DNS-over-HTTPS
The difficult search for quantum-computer-safe cryptography
Next-generation quantum computers would quickly crack asymmetric cryptographic keys. That also endangers the worldwide Domain Name System.
#Algorithmen #DNS #DNSoverHTTPs(DoH) #DNSSEC #GitHub #Internetprotokolle #Quantencomputer #Security #Verschlüsselung
@hermogenes I pretty much agree with you, actually. I have used #Firefox for years and appreciated what goes into it, and of course their recommendation is still... Firefox, with changed settings.
That said, I've recently tried out #LibreWolf, itself a Firefox fork. And, wow. The privacy game is so much nicer out of the box; I need far fewer plugins and it's all just... working. Very, very impressed.
Re #DNSoverHTTPS (#DoH), I guess it's: who's your adversary? Sketchy wifi or CloudFlare?
Slap This Big Red Button for an Instant Social Media Detox - Dangerous machines, like ones that can quickly reduce you to a fine red mist or a ... - https://hackaday.com/2022/09/30/slap-this-big-red-button-for-an-instant-social-media-detox/ #internethacks #dnsoverhttps #socialmedia #blocker #wemosd1 #detox #doh #iot #spi #vpn
Nice, so I have DoH and DoT running!
DoT is sadly not fully configured on the client side yet due to missing SNI headers, which is caused by NetworkManager and systemd-resolved. But I'm working on that one:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/528
[#BotActu] « Comcast’s Xfinity Internet Service Joins Firefox’s Trusted Recursive Resolver Program » https://blog.mozilla.org/blog/2020/06/25/comcasts-xfinity-internet-service-joins-firefoxs-trusted-recursive-resolver-program/ #TrustedRecursiveResolver(TRR) #InternetServiceProvider(ISP) #PressReleases #DNSoverHTTPS #MozillaNews #Statement #Firefox #Privacy #DoH
I'll just hold off adopting #DNSoverHTTPS for now.
#OpenDNS #DOH (doh.opendns.com) is weird:
Google and CloudFlare don't have these problems, so if I want #DNSoverHTTPS, I have to decide between these two. (NextDNS is not an option because I don't need filtering and don't want to register an account with them.)
#dnsoverhttps ( #DoH) arrives in #windows10: how does it work?
https://www.nextinpact.com/news/107261-dns-over-https-doh-arrive-dans-windows-10-comment-ca-marche.htm
#Microsoft adds initial support for #dnsoverhttps ( #DoH) in #Windows Insiders.
https://www.zdnet.com/article/microsoft-adds-initial-support-for-dns-over-https-doh-in-windows-insiders/#ftag=RSSbaffb68
A #firefox tip to avoid #github and other #DNSCensorship currently going on in #Spain
https://diaspora-fr.org/posts/4627397
(What? An EU country censoring github? Are they going crazy? Oô)
#doh #dnsoverhttps cc @bortzmeyer you're probably already up to speed on what's happening over there, but anyway.
[Repost due to dead URL]
There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.
Time to change that and run your own DNS over HTTPS server. I spent some time today writing, documenting and arranging a small container setup to allow you to do this:
https://git.shivering-isles.com/container-library/dns-over-https