
Thread: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

  1. #1
    Join Date
    Aug 2015
    Beans
    454

    I don't know what DoH (DNS over HTTPS) is and if I should enable it?

    Hello everyone, I'd like to know what everyone thinks of Firefox's DoH (DNS over HTTPS) and if I should enable it. I have no idea what DoH is, so I need some clarification on it.

    I've done some research on my own, but it's still confusing to me. From what I've gathered, DoH will prevent your ISP from determining what DNS requests you make and that Firefox uses Cloudflare by default. I don't understand this, can someone explain thanks.

  2. #2
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

The choice is yours. The ISP won't be able to see what sites you are looking at with DoH, but the data will go to another server. Is that server safe? According to Mozilla it is.
more here: https://support.mozilla.org/en-US/kb...dns-over-https

  3. #3
    Join Date
    Jan 2006
    Location
    Sunny Southend-on-Sea
    Beans
    7,639
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

    There's some more information about it here.

  4. #4
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

Quote Originally Posted by ardouronerous:
    Hello everyone, I'd like to know what everyone thinks of Firefox's DoH (DNS over HTTPS) and if I should enable it. I have no idea what DoH is, so I need some clarification on it.

    I've done some research on my own, but it's still confusing to me. From what I've gathered, DoH will prevent your ISP from determining what DNS requests you make and that Firefox uses Cloudflare by default. I don't understand this, can someone explain thanks.
    Let's look at the chain of security precautions involved in visiting a modern website. Now that almost all websites use https, it's much harder for bad actors to spy on what we are doing within actual web pages. However, https doesn't kick in until we reach the actual site itself. The road that we take getting to that website is still broadcast to everyone in the clear. In particular, these days, most routers are loaners from ISPs and they are preconfigured to send DNS queries to the ISP's DNS servers. So, while the ISP can't see what you are doing inside your banking site (provided your bank uses https), they do know that you're visiting it because they are the ones who received your request to go there. And even if you use a different DNS server, say Google's, your ISP is still seeing all that DNS traffic in clear text, and can trace all of your comings and goings simply by intercepting your DNS queries.

    The technology behind DoH creates an encrypted tunnel to look up DNS queries from a third party DNS server. By encrypting such queries, it not only allows you to bypass your ISP's DNS servers, it prevents your ISP from spying on those queries. If they tried to do so, they would just get a gobbledegook stream of encrypted packets.

    But don't get a false sense of security. Your ISP has other means to trace your traffic. After all, it resides at a pretty basic level in your whole network infrastructure. By using DoH, even if your DNS queries are no longer an open book, it's your ISP that has to manage where each data packet gets sent, how many nodes it must traverse, and how the return packets get back to you. This route is still easily viewable by them. However, it is harder for them to track and record such routes than it is to simply log each and every one of your DNS queries. So, while DoH makes life harder for them, it is actually not effective at hiding your activities from your ISP. Its real value is in preventing DNS poisoning, MitM attacks and site spoofing, because it's almost impossible to taint DNS packets that are encrypted.

If you really don't trust your ISP (and it's admittedly getting harder and harder to do so), DoH won't help you. What will help you is a VPN. A VPN creates an encrypted tunnel between you and the VPN provider. If you create this tunnel at the router level, all of your traffic will be channelled to the VPN before it goes to whatever site you are visiting. All return packets also go to the VPN before being sent back to you along that same encrypted pipe. Your ISP sees nothing but an encrypted stream of traffic going both ways only to your VPN provider. They can traceroute and log all they want—they can even disassemble each data packet—but they cannot see what you are up to, where you have visited or what sort of data you are transmitting.

    Don't rest easy just yet though. Obviously, your VPN provider is now the weak link. It now stands in the same position that your ISP used to occupy. It can see all of your traffic, must decipher your DNS queries to figure out how to resolve them, and can traceroute your data packets from end to end. This is why it is so important to choose a good VPN provider. A good one won't keep logs, won't traceroute and is sufficiently capitalized that it has the computing resources to run all of its infrastructure in volatile RAM so that if their machines ever get confiscated, there is absolutely no record of activity. When choosing a VPN provider, do your research and choose carefully.
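To make the previous post's point concrete, here is an added example (not part of the thread) in Python. It builds the same DNS query message that would normally go to UDP port 53 in the clear, shows that an on-path observer can read the queried name straight out of it, and then wraps that identical message the way DNS over HTTPS does (RFC 8484: base64url in a `?dns=` GET parameter, or a POST body with `Content-Type: application/dns-message`). Only the HTTPS layer hides it; the DNS message inside is unchanged. The response it parses is constructed inline (answer 192.0.2.1, a documentation address) so the example runs offline; `query_doh()` does a live lookup and the `https://dns.example/dns-query` URL is a placeholder, not a real resolver.

```python
"""DNS wire format vs. DNS over HTTPS (RFC 8484) encoding. Added example."""
import base64
import socket
import struct
import urllib.request  # only used by query_doh(), which is not called offline


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """A minimal RFC 1035 query. RFC 8484 recommends ID 0 so GET responses cache well."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def doh_post_request(base_url: str, query: bytes) -> urllib.request.Request:
    """RFC 8484 POST form: the raw DNS message is the body."""
    return urllib.request.Request(
        base_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def decode_name(msg: bytes, offset: int):
    """Read a name at offset, following RFC 1035 compression pointers (0xC0xx)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the pointer ends this name in the stream
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            offset = ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections of a query or a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            value = ".".join(str(b) for b in rdata)
        elif rtype == 28 and rdlen == 16:    # AAAA record
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((rname, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def constructed_response(query: bytes) -> bytes:
    """Constructed sample response: echoes the question, answers with 192.0.2.1 (TEST-NET-1)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def query_doh(base_url: str, name: str, qtype: int = 1) -> dict:
    """Live lookup over HTTPS (network required); same message, now inside TLS."""
    req = doh_post_request(base_url, build_query(name, qtype))
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_message(resp.read())


if __name__ == "__main__":
    q = build_query("example.com")
    # What an ISP sees on UDP/53: the name, in the clear, straight from the bytes.
    print("plaintext query reveals:", parse_message(q)["questions"])
    # What the same query looks like once wrapped for DoH (inside HTTPS).
    print("DoH GET:", doh_get_url("https://dns.example/dns-query", q))
    print("parsed constructed answer:", parse_message(constructed_response(q))["answers"])
```

The DoH URL form above for `example.com` is `?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE`, which is just the 29 query bytes re-encoded; a middlebox that only sees the TLS record cannot recover it, but the resolver at the other end decodes exactly the name an ISP resolver would have seen.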

  5. #5
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

    Thread moved to Security as the more appropriate forum.

  6. #6
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,847
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

Honestly -- I think DoH is a tool that should be run at the router level and not the individual application level. I've had DoH set up on my pfSense router now for a couple of years. I have much better control over where the DNS queries can be directed. At the application level, Firefox controls these choices.

  7. #7
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

Firefox gives us the option to define our own DNS server: General → Network Settings → Settings → Enable DNS over HTTPS → Use Provider <Change to "Custom"> → <Enter URL of your DNS provider>

    …but I understand what you are saying. Setting it in the router makes for a more fundamental enhancement. At least Firefox gives us the option; Chrome doesn't allow DoH unless one adds a very arcane switch to the command line when invoking it.

    I try to kill two birds with one stone by setting my DNS provider to dns.adguard.com. In addition to bypassing my ISP (or other tracking providers like Google), it also filters ads. Since setting things up this way, I have not had to use an ad blocker on the browser. I can't tell you if adguard logs your DNS queries. They say they don't but we have to take them at their word—ie I don't think it's ever been tested in a court case.

    PS. For those interested, to invoke DoH with Chrome, append the following switch to /usr/bin/google-chrome-stable
    Code:
    --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"
    …this directs to cloudflare. To direct to adguard replace 1.1.1.1 with:
    Code:
    176.103.130.130
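The Firefox setting described above ends up in the profile's prefs as `network.trr.mode` and `network.trr.uri`, and the mode number decides whether a blocked or failing DoH server silently drops you back to plaintext port-53 DNS. As an added example (not from the thread, and not Mozilla's code), this Python script parses a Firefox `prefs.js`/`user.js` and reports the DoH posture; the pref names and mode meanings (0 off, 2 DoH with plaintext fallback, 3 DoH only, 5 off by user choice) are Firefox's own, the sample pref files are constructed here, and the AdGuard endpoint URL `https://dns.adguard.com/dns-query` is assumed from the provider name used above.

```python
"""Audit Firefox DoH (TRR) prefs from a prefs.js / user.js file. Added example."""
import re

# Meanings of network.trr.mode as documented by Mozilla (1 was an old "race" mode).
TRR_MODES = {
    0: "off (system resolver)",
    2: "DoH first, falls back to plaintext DNS on failure",
    3: "DoH only, no plaintext fallback",
    5: "off by explicit user choice",
}

PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Turn user_pref("key", value); lines into a dict (strings, bools, ints)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            val = raw[1:-1]
        elif raw in ("true", "false"):
            val = raw == "true"
        else:
            try:
                val = int(raw)
            except ValueError:
                val = raw
        prefs[key] = val
    return prefs


def audit_doh(prefs: dict) -> dict:
    """Report the effective DoH mode and the caveats a practitioner cares about."""
    mode = prefs.get("network.trr.mode", 0)
    # network.trr.uri is the active resolver; custom_uri is what the UI's
    # "Custom" field stores (assumption: we fall back to it if uri is absent).
    uri = prefs.get("network.trr.uri") or prefs.get("network.trr.custom_uri", "")
    findings = []
    if mode not in (2, 3):
        findings.append("DoH is not active; queries go to the system resolver in the clear")
    if mode == 2:
        findings.append("mode 2 falls back to plaintext UDP/53 when the DoH server "
                        "fails; anyone who can block the DoH endpoint can force that")
    if mode in (2, 3) and not uri:
        findings.append("DoH enabled but no resolver URI configured")
    if uri and not uri.startswith("https://"):
        findings.append(f"resolver URI is not https: {uri}")
    return {"mode": mode, "mode_desc": TRR_MODES.get(mode, "unknown"),
            "uri": uri, "findings": findings}


# Constructed sample pref files (not taken from any real profile).
STRICT_PREFS = (
    'user_pref("network.trr.mode", 3);\n'
    'user_pref("network.trr.uri", "https://dns.adguard.com/dns-query");\n'
)
FALLBACK_PREFS = (
    'user_pref("network.trr.mode", 2);\n'
    'user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");\n'
)


if __name__ == "__main__":
    for label, text in (("strict", STRICT_PREFS), ("fallback", FALLBACK_PREFS), ("empty", "")):
        report = audit_doh(parse_prefs(text))
        print(f"{label}: mode {report['mode']} ({report['mode_desc']}) uri={report['uri']!r}")
        for f in report["findings"]:
            print("  -", f)
```

Run it against `~/.mozilla/firefox/<profile>/prefs.js` to see what the GUI actually wrote; the Firefox settings dialog enables mode 2 by default, so if you want the "ISP can't see it" property to hold even when the resolver is unreachable, set mode 3 in `about:config` or `user.js`.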

  8. #8
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,847
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

Hmm, I've never heard of dns.adguard.com. I took a look at their website. I'm not saying it's sketchy - however when companies are giving away products for free it's my belief they have to be monetizing the data in some manner.

  9. #9
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

Quote Originally Posted by kevdog:
Hmm, I've never heard of dns.adguard.com. I took a look at their website. I'm not saying it's sketchy - however when companies are giving away products for free it's my belief they have to be monetizing the data in some manner.
    Yes, it's a very valid concern. However, we already know that ISPs, Google and probably Cloudflare are monetizing our data, so I don't see how to avoid having any concerns at all. They claim that they make their money from corporate customers and large institutions who have to pay for ad-blocking and swear up and down on a stack of holy texts that they don't log anything, but as I mentioned, we have nothing more to go on but their word. I use them specifically to block ads and harbour no illusions about the possibility of DNS logging.

    As already mentioned, for surfing that I'm serious about anonymizing, I use a VPN. Actually, I use a VPN in combination with TOR-Browser, but that's too far outside the scope of the OP's original question.

  10. #10
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,847
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: I don't know what DoH (DNS over HTTPS) is and if I should enable it?

I have no idea what any DNS provider does with their data in terms of monetization or other nefarious activities. I'm using Cloudflare. I run a bunch of servers with Let's Encrypt certs. Cloudflare's interface and ability to interact with acme.sh makes things real easy to manage.

In terms of VPN - I guess it's how much you trust your VPN provider, as many might keep logs and such.
