As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th
Not necessarily. You could use something like DNSCrypt locally as a resolver which is more private than DoH and this weird combination of the opt-out will hurt you in this case.
Yes I had missed the part of the article where they described their opt-out behavior.
There is no technical reason for them to do it that way and it is a poor way of automatically determining an opt-out for the sake of not pissing off enterprise users (who rely on SNI for filtering). It is needlessly hostile to tie this privacy feature to a different one instead of just using a separate toggle and corporate policy setting. ECH isn’t DNS and shouldn’t be tied to the DNS server setting.
For a local annoying example, NextDNS automatically blocks DoH via the canary domain use-application-dns.net. If I set my router up to use NextDNS over DoH, Firefox automatically disables DoH and ECH internally. I want it to use my router’s DNS, because everything is centrally logged, automatically organized by hostname, and it does local caching. I’d still rather my ISP can’t view SNI information. If I want ECH I have to manually enable DoH on every machine, and jump through more hoops if I want central logging to work correctly.
Regarding no technical reason, you can return these public keys from any normal DNS:
$ dig +short crypto.cloudflare.com TYPE65
1 . alpn="http/1.1,h2" ipv4hint=162.159.137.85,162.159.138.85 ech=AEX+DQBBvgAgACCLKBP960E1dfY35YFbosHcVzvpz1E4fsqxzwGhtPpZagAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700:7::a29f:8955,2606:4700:7::a29f:8a55
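To make the point of the comment above concrete, here is an added example (not code from the thread or from any of the projects mentioned) that takes the HTTPS record text exactly as dig printed it, splits out the SvcParams (RFC 9460 presentation format), base64-decodes the ech= parameter and walks the ECHConfigList structure inside it (version 0xfe0d, the draft version currently deployed). Nothing in this needs DoH: any resolver that hands back the record gives the client the public key, the HPKE KEM, the cipher suites and the public name used on the outer ClientHello. The constant names (HTTPS_RECORD and the helper functions) are mine, and the record text is the one quoted in the comment.

```python
"""Decode the ECH config carried in an HTTPS (type 65) record.

Added example for the thread, not code from it. It parses the
presentation-format HTTPS record that dig prints (RFC 9460 SvcParams)
and then walks the ECHConfigList inside the base64 "ech=" parameter.
HTTPS_RECORD is copied from the dig output quoted in the thread.
"""
import base64
import struct

HTTPS_RECORD = (
    '1 . alpn="http/1.1,h2" ipv4hint=162.159.137.85,162.159.138.85 '
    'ech=AEX+DQBBvgAgACCLKBP960E1dfY35YFbosHcVzvpz1E4fsqxzwGhtPpZagAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= '
    'ipv6hint=2606:4700:7::a29f:8955,2606:4700:7::a29f:8a55'
)

ECH_VERSION = 0xFE0D  # ECHConfig version of the currently deployed draft

# HPKE identifiers from RFC 9180
KEM_NAMES = {0x0010: "DHKEM(P-256, HKDF-SHA256)", 0x0020: "DHKEM(X25519, HKDF-SHA256)"}
KDF_NAMES = {0x0001: "HKDF-SHA256", 0x0002: "HKDF-SHA384"}
AEAD_NAMES = {0x0001: "AES-128-GCM", 0x0002: "AES-256-GCM", 0x0003: "ChaCha20Poly1305"}


def parse_https_rr(text):
    """Split an HTTPS RR presentation string into priority, target and a dict of SvcParams."""
    fields = text.split()
    priority, target = int(fields[0]), fields[1]
    params = {}
    for item in fields[2:]:
        key, _, value = item.partition("=")
        params[key] = value.strip('"')
    return priority, target, params


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ECHConfigList")
    return buf[pos:pos + n], pos + n


def _parse_ech_config_contents(body):
    """Parse ECHConfigContents: HpkeKeyConfig, maximum_name_length, public_name, extensions."""
    p = 0
    config_id, p = body[p], p + 1
    raw, p = _take(body, p, 4)
    kem_id, pk_len = struct.unpack("!HH", raw)
    public_key, p = _take(body, p, pk_len)
    raw, p = _take(body, p, 2)
    cs_len = struct.unpack("!H", raw)[0]
    cs_bytes, p = _take(body, p, cs_len)
    if cs_len % 4:
        raise ValueError("cipher_suites length must be a multiple of 4")
    suites = [struct.unpack("!HH", cs_bytes[i:i + 4]) for i in range(0, cs_len, 4)]
    max_name_len, p = body[p], p + 1
    name_len, p = body[p], p + 1
    public_name, p = _take(body, p, name_len)
    raw, p = _take(body, p, 2)
    ext_len = struct.unpack("!H", raw)[0]
    _extensions, p = _take(body, p, ext_len)
    if p != len(body):
        raise ValueError("trailing bytes in ECHConfig")
    return {
        "config_id": config_id,
        "kem": KEM_NAMES.get(kem_id, hex(kem_id)),
        "public_key": public_key.hex(),
        "cipher_suites": [(KDF_NAMES.get(k, hex(k)), AEAD_NAMES.get(a, hex(a))) for k, a in suites],
        "maximum_name_length": max_name_len,
        "public_name": public_name.decode("ascii"),
    }


def parse_ech_config_list(blob):
    """Walk an ECHConfigList, skipping versions the client does not understand."""
    raw, pos = _take(blob, 0, 2)
    if struct.unpack("!H", raw)[0] != len(blob) - 2:
        raise ValueError("ECHConfigList length mismatch")
    configs = []
    while pos < len(blob):
        raw, pos = _take(blob, pos, 4)
        version, length = struct.unpack("!HH", raw)
        body, pos = _take(blob, pos, length)
        if version != ECH_VERSION:
            continue  # unknown versions are ignored, as a client would
        configs.append(_parse_ech_config_contents(body))
    return configs


def ech_configs_from_record(text=HTTPS_RECORD):
    """Return the usable ECH configs from one HTTPS record; empty if it carries no ech= param."""
    _priority, _target, params = parse_https_rr(text)
    if "ech" not in params:
        return []
    return parse_ech_config_list(base64.b64decode(params["ech"]))


if __name__ == "__main__":
    for cfg in ech_configs_from_record():
        for key, value in cfg.items():
            print(f"{key}: {value}")
```

Run against the quoted record it yields one config: an X25519 HPKE key, HKDF-SHA256 with AES-128-GCM, and the public name cloudflare-ech.com that goes in the cleartext outer SNI. A resolver that strips or rewrites the HTTPS record (or a network that blocks type 65 queries) silently removes ECH, which is why a client also cares about how the lookup itself travels; that concern is separate from where the key comes from.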
How so? I’m using unbound locally for recursive DNS, but I’ll check out what DNSCrypt adds since it seems like local encrypted DNS to the recursive servers.
Wouldn’t ECH still work with this setup and this setup be more secure since you’re not handing off your DNS requests to some other company?
It would work, except Firefox is configured to not use ECH if it is not using DoH. I updated my original reply after testing it out. Hopefully they update this behavior in the future, it is very user-hostile right now.
Basically, DNSCrypt is designed to hide your IP from the DNS server and your DNS query from your ISP. Basically it relays your DNS query via one server which knows your IP but only sees an encrypted version of your query and response, and one server which knows your query but not your IP. Obviously you want both servers to be run by two different organizations.