
DoH on FF or Chrome

Good or bad?

6 replies to this topic

#1 40H3X

  • PLi® Contributor
  • 3,935 posts

+123
Excellent

Posted 30 November 2019 - 09:46

Any comments like on opt-in or opt-out...

Hardware: Vu+ Uno 4k SE - HDD 500GB 2.5 inch - Fuba 78 cm - Tripleblock LNB Quad 19.2/23.5/28.2 - DS918+
Software : OpenPLi - OScam - Settings van Hans  -  Autotimer  -  EPGImport

---------------------------------------------------------------------------------------------------------------------------------------

Many answers to your question can be found in our new and improved wiki.

Re: DoH on FF or Chrome #2 WanWizard

  • Forum Moderator
    PLi® Core member
  • 53,952 posts

+1,071
Excellent

Posted 30 November 2019 - 14:15

DoH?


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), Octagon SF8008 (S2+T2), SAB Alpha Triple HD (S2+T2), Zgemma H9.2H (T2+fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

Re: DoH on FF or Chrome #3 40H3X

  • PLi® Contributor
  • 3,935 posts

+123
Excellent

Posted 30 November 2019 - 19:13

Sorry, you're right, so let me enlighten you: Firefox is now actively rolling out DNS over HTTPS (DoH) https://support.mozi...lication-dnsnet. The DNS server they prefer will not be the one from your provider, but Cloudflare in FF. Although encrypting your DNS requests seems a good thing, for instance in reducing the risk of a man-in-the-middle attack, letting your browser choose a DNS server for you might not be, as it provides this server with a huge amount of data.

Re: DoH on FF or Chrome #4 WanWizard

  • Forum Moderator
    PLi® Core member
  • 53,952 posts

+1,071
Excellent

Posted 30 November 2019 - 19:27

Ah, I was thinking Homer Simpson. ;)

I won't use it, as I use both a local DNS server (for local/internal domains) and a local hosts file to be able to override DNS (when I'm testing). That is apart from all the privacy concerns, but those are already an issue with using Google or Cloudflare DNS....


Re: DoH on FF or Chrome #5 40H3X

  • PLi® Contributor
  • 3,935 posts

+123
Excellent

Posted 30 November 2019 - 19:43

LoL, :D


Re: DoH on FF or Chrome #6 Erik Slagter

  • PLi® Core member
  • 45,991 posts

+513
Excellent

Posted 14 December 2019 - 10:30

I don't see the advantage there. Replacing one villain with another?

A MITM attack is prevented by DNSSEC, but it's just as popular as IPv6 :huh:

Best way is to run your own DNS server and have it bypass your provider's DNS server; make it query the root servers.

On the other hand, I myself am not very secretive about what DNS records I am fetching. You should know that about 75% of all DNS requests are not under your control but are e.g. the result of fetching an HTML page which contains lots of referrals to third parties (think spammers, trackers, etc.). So one can never be held responsible for obtaining a certain DNS record.


* Wavefrontier T90 with 28E/23E/19E/13E/9E/4.8E/0.8W/5W via SCR switches 2 x 2 x 6 user bands
* Ziggo digital cable TV (FTA)
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.

Re: DoH on FF or Chrome #7 40H3X

  • PLi® Contributor
  • 3,935 posts

+123
Excellent

Posted 14 December 2019 - 12:16

Best way is to run your own DNS server and have it bypass your provider's DNS server; make it query the root servers.

That is my conclusion also, after considering the following:

With encrypted DNS, the DNS requests to and from the upstream provider are not visible to your ISP or others, and the reply you get is the answer that was sent, as it travels an encrypted path. However, you have to trust the upstream provider with your DNS history, and not to filter or alter any of the DNS replies it sends you. Additionally, even though your ISP cannot see the DNS requests, you will immediately follow the DNS reply with an unencrypted request to that IP address, and your ISP can quickly determine where you are browsing ;)

So I use unbound; this way you avoid upstream providers completely, and this local resolver (unbound) deals directly with the authoritative name servers (the same ones the upstream providers use). The DNS traffic is not encrypted, but it is authenticated with DNSSEC, so the reply you receive is validated as being the answer that was sent.

Unbound uses a few techniques to send as little data to the name servers as possible and to maximise your privacy; qname minimisation is one method. Since you communicate directly with the authoritative name servers, the replies are not filtered in any way. Unbound also has a very efficient cache, so after it's been in use for a while it does not have to communicate with the name servers as often. Most users find that unbound is typically faster overall than using an upstream provider, once the cache is populated.

So for these reasons, I prefer unbound to encrypted DNS:

  1. No upstream DNS provider has your DNS history.
  2. The results are unfiltered.
  3. You have equal assurance that the DNS traffic has not been altered in transit.
  4. There is no less privacy from the ISP.
  5. Generally faster.
  6. I have complete control over my DNS resolver.

The last one I think is the most important to me, and for those who want privacy, I would recommend a VPN service ;)

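As an added example (not the poster's own configuration, and not from the OpenPLi project), this is an unbound.conf for the setup described in the post above: a local resolver that recurses from the root servers instead of forwarding to any upstream provider, validates answers with DNSSEC, enables qname minimisation, and also serves local/internal names itself (the use case WanWizard raised). The listen address, the 192.168.1.0/24 range, the file paths and the "lan." zone with its host are assumptions chosen for illustration.

```conf
# Added example configuration, not the poster's own. Addresses, paths and
# the "lan." zone below are assumptions; adjust them to the local network.
server:
    interface: 192.168.1.2            # LAN address the resolver listens on (assumed)
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Answer only clients on the local network; refuse everyone else.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Deliberately no forward-zone: unbound walks the delegation chain from
    # the root servers itself, so no upstream resolver sees the query stream.
    # Built-in root hints are used unless a fresh named.cache is pointed to:
    # root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation. root.key is created and kept current by unbound-anchor;
    # an answer whose signatures fail validation is returned as SERVFAIL.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes       # missing signatures in a signed zone = bogus
    harden-glue: yes                  # only trust glue inside the referring zone
    val-clean-additional: yes         # drop additional records that did not validate

    # Send as little as possible to each authoritative server.
    qname-minimisation: yes           # ask each zone only for the labels it needs
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes

    # Cache: refresh popular names shortly before they expire.
    prefetch: yes
    cache-max-ttl: 86400

    # Local/internal names are answered here and never leave the network.
    # Private ranges are also refused in answers from the public DNS
    # (protection against DNS rebinding).
    private-address: 192.168.0.0/16
    local-zone: "lan." static
    local-data: "nas.lan. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 nas.lan"

remote-control:
    control-enable: yes               # allows unbound-control to inspect/flush the cache
    control-interface: 127.0.0.1
```

Run `unbound-anchor -a /var/lib/unbound/root.key` once to create the trust anchor file, and `unbound-checkconf` to validate the file before starting the service.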