mirror of
https://github.com/DNSCrypt/dnscrypt-proxy.git
synced 2025-03-04 02:14:40 +01:00
Updated Local DoH (markdown)
parent
9e384ee872
commit
3b4ce1ed82
1 changed files with 10 additions and 9 deletions
19
Local-DoH.md
19
Local-DoH.md
@ -53,20 +53,21 @@ cert_key_file = "privkey.pem"
## How to enable ESNI in Firefox
Firefox and Cloudflare are running an experiment called ESNI. ESNI is the name of an obsolete version of ECH (Encrypted ClientHello), a TLS extension to hide the server name in TLS (including HTTPS) connections.
Firefox and Cloudflare used to be running an experiment called ESNI. ESNI was the name of an obsolete version of ECH (Encrypted ClientHello), a TLS extension to hide the server name in TLS (including HTTPS) connections.
While this may eventually be a significant privacy improvement, it currently has some caveats to be aware of:
They are both experimenting with ECH, the new revision of the protocol. However, stable versions of Firefox don't support ECH yet, and Cloudflare doesn't support ESNI any longer. Long story short: the SNI encryption experiment currently requires Firefox Nightly.
While this may eventually be a significant privacy improvement, ECH currently has some caveats to be aware of:
- It is a work-in-progress design and has not yet seen significant (or really any) security analysis.
- It hasn't been deployed anywhere, besides an early prototype implemented in Firefox and on Cloudflare servers. Even when using Firefox, ESNI will never be used except when connecting to some websites from Cloudflare customers.
- What has been deployed is still missing an important part to protect against censorship (`GREASE`)
- Enabling ESNI will trigger an extra DNS query for every single new hostname, even for hosts that don't support ESNI. Every time a query for a host that doesn't support is made, an error will be returned (`NXDOMAIN`).
- Enabling ESNI in Firefox breaks some websites ("Secure connection failed - `SSL_ERROR_NO_CYPHER_OVERLAP`" or "[SSL_ERROR_MISSING_ESNI_EXTENSION](https://www.google.com/search?q=%22SSL_ERROR_MISSING_ESNI_EXTENSION%22)").
- Keep in mind that ECH doesn't exist yet. What is available is only an experiment run by two companies.
- It hasn't been deployed anywhere, besides experiments in Firefox and on Cloudflare servers. Even when using Firefox, ECH will never be used except when connecting to some websites from Cloudflare customers.
- Enabling ECH will trigger an extra DNS query for every single new hostname, even for hosts that don't support ECH. Every time a query for a host that doesn't support is made, an error will be returned (`NXDOMAIN`).
- Enabling ECH in Firefox breaks some websites ("Secure connection failed - `SSL_ERROR_NO_CYPHER_OVERLAP`" or "[SSL_ERROR_MISSING_ESNI_EXTENSION](https://www.google.com/search?q=%22SSL_ERROR_MISSING_ESNI_EXTENSION%22)").
- Keep in mind that ECH is still unfinished. What is available is only a technology preview.
Firefox has a setting to enable ESNI, but for some reason, the web browser ignores it unless it was also configured to bypass your DNS settings.
Firefox has a setting to enable ECH (still called ESNI), but for some unexplained reasons, the web browser ignores it unless it was also configured to bypass your DNS settings.
However, `dnscrypt-proxy`'s local DoH server can be configured in Firefox, so that the ESNI setting will not be ignored.
However, `dnscrypt-proxy`'s local DoH server can be configured in Firefox, so that the ECH/ESNI setting will not be ignored.
After having set up the `local DoH` feature as documented above, open the DoH server full URL (ex: `https://127.0.0.1:3000/dns-query`) as a regular website with Firefox.
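Review bot: the rewritten bullet `- Enabling ECH will trigger an extra DNS query for every single new hostname` carries over the ESNI-era claim that a host without support answers with an error (`NXDOMAIN`) verbatim; please confirm that this is still what happens for ECH (a hostname that exists but publishes no ECH keys may simply return an empty answer) and adjust the wording if not. The same line is also missing its object: "a host that doesn't support is made" should read "a host that doesn't support it is made". Two smaller points in the same hunk: the heading `## How to enable ESNI in Firefox` in the unchanged context still says ESNI while the body now consistently says ECH, so consider retitling it "How to enable ECH (ESNI) in Firefox"; and "for some unexplained reasons" in the Firefox-setting paragraph reads worse than the original "for some reason", so keep the original wording there.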