Picture

Hi, I'm Xerz.

A baka neko who may someday post something!

How to make DNS-over-HTTPS your best friend

Dark clouds are rising on the horizon. After years of development and testing, Mozilla has announced they will finally push DNS-over-HTTPS by default. With Cloudflare. That's right. Those 🅱️astards want to take away your freedoms and submit us all to capitalistic nazi-communism! We all thought they fought for Internet decentralization, freedom of expression and privacy against the fat cats, but in fact they were the villain all along!

Woah woah woah, not so fast! While it is true that having all web traffic for millions of people go through a centralized point is concerning, there's a lot more to DoH than it seems! In fact, you can take it to your advantage so it (almost) completely protects your web clicking in just these simple steps:

  1. Use Firefox
  2. Choose a DNS-over-HTTPS provider or make your own
  3. (Optional, see below) On Firefox, go to about:config and set network.security.esni.enabled to true
  4. (Risky, see below) Next, on that same page, you can set security.OCSP.enabled to 0
  5. Enable DNS-over-HTTPS 🎉
  6. (Optional, see below) You can also go back to about:config and change network.trr.mode to 3

You may be wondering though, why should you believe me? (Disclaimer: I'm not a superexpert!) What even is going on there? Are you really telling people to disable a security feature? Well, let me explain!

Where are we coming from?

First off, why is this all a thing? Why would Mozilla need to fix what ain't broken, and fix it in a way that seems completely opposite to their goals?

Well, it turns out it is broken! A lot! First off, every website you visit is screamed to everyone around, from the people on your same WiFi or Intranet to the companies and governments in the route to that site, and anyone can fool your browser into visiting fake sites as well! This means that DNS is currently the weakest point of the whole Internet architecture¹, since currently what you do on those sites should be encrypted by tools like HTTPS. Sound familiar? That's right, HTTPS encryption is what also powers DNS-over-HTTPS!

¹ Besides humans.

If you're wondering how this all works, here's the first search result that pops up and here's an article with nice drawings by Lin Clark, but basically: instead of screaming into a megaphone where you're going and obeying the first response it gets, the computer asks to a DNS-over-HTTPS server for its certificate (like a passport for encryption) and then they agree to speak to each other in a safe, encrypted way. From there on, every time you need to visit some website, the DNS query will be hidden to curious eyes and the response can't be faked without the proper keys.

Now, why Cloudflare? Well, it was chosen for Firefox because if you want to make everyone use DNS-over-HTTPS you'll need a default, and that requires trusting someone who can reliably run an expensive architecture for millions of people around the world. To meet privacy demands, Cloudflare promises they will be nice, storing and telling only Mozilla as little as possible, deleting that data within 24 hours, and using all legal means to avoid giving it all out to governments.

If you don't trust Cloudflare, though? That's OK, you don't need them! DNS-over-HTTPS works by asking nicely to the server of your choice, and there's plenty available! Right now I'm testing the one provided by the Foundation for Applied Privacy since they seem to be trustworthy and meet all of my checkboxes (like a fediverse account!), but choose the one that makes you happier. Still not convinced? Self-hosting is the answer! You can get an old computer lying around or a cheap Raspberry Pi, and then install and configure something like AdGuard Home (instructions for DoH here) or Pi-Hole (instructions for DoH here).

You may also be one of those asking "but Xerz, why not DNS-over-TLS?". Simply put, DNS-over-HTTPS is basically the same, but delivering it through a protocol as commonplace as HTTPS makes it harder to block, as it can easily mix up with regular browsing. And well, it's easier to work with for devs, since it's so popular and familiar.

There's a (bunch of) catch(es)

Alright, DNS-over-HTTPS is good, got it. But of course, all that glitters is not gold. There's actually a good bunch of caveats to take into account.

Support isn't nearly universal

If people are getting so angry about Mozilla pushing DNS-over-HTTPS is in part because it's such a rare feature that people are shocked about it. Besides Firefox, there's no OS or browser that officially implements it. Chrome apparently supports it on Canary, which could hint at stable support in the near future, but since I'm on Linux I can't check that out (thanks, Google). That's it. This is why you'll have to stick with Firefox, which you should be doing anyway since we need to fight Google's monopoly. If you're worried about performance or battery usage, right now Firefox is pushing a lot of interesting stuff, which should become very noticeable starting on version 70 this October, so what are you waiting for!

If you're rather techy, you can also check out dnscrypt-proxy, which should give you a featureful and reliable proxy. There's not much information online, but the wiki in the repo and some tinkering around should be enough.

Oh, and Android has native support for DNS-over-TLS. Close enough.

The chicken and the egg

If you've worked with DNS before and you're already trying out DoH, you may have noticed something weird: while usually you would have to type out a series of numbers and dots to get DNS to work, DoH uses addresses just like those of a regular website. But wait! Don't you need a working DNS to resolve that address first?

Yes.

This means that, indeed, you'll be vulnerable to the same old plain DNS trickery, since you could just get connected to a fake DNS-over-HTTPS provider, which is silly. Either you accept that risk won't go away and move on, or you can make sure to find a DoH provider that works by just typing its IP address. For instance, Cloudflare's 1.1.1.1 that will be used in Firefox can be contacted as https://1.1.1.1/dns-query. While this risk isn't guaranteed since HTTPS doesn't allow seeing to which part of a site you're going to (could be a DNS-over-HTTPS server, could be a video of kittens, who knows! 🙀) and thus an attacker can't always confidently replace a domain without going unnoticed, it's still worth taking into consideration.

This is also required if you want to avoid connecting by accident to a different DNS provider, like the default one used by your connection. Firefox is set automatically to do fallback, which means that it will use the system settings if it can't find some site. This is guaranteed to happen if you're not using a plain IP address, so make sure you choose one! After you've made the right choice and enabled DNS-over-HTTPS, go to about:config and set network.trr.mode to 3, which will tell Firefox to never try to connect using anything but the DNS-over-HTTPS server.

There's still a few more things you might want to take into account when choosing a DoH server: QNAME minimization and DNSSEC.

QNAME minimization

QNAME minimization, query name minimization or RFC 7816 is a fancy name to the concept of your DNS(-over-HTTPS) provider giving as little info about the place you want to visit to other DNS resolvers as possible. Turns out, DNS servers talk to each other when trying to find a website — and you should demand your DNS provider to respect your privacy here as well. Both Cloudflare and Foundation for Applied Privacy promise to enforce this, so that's neat.

DNSSEC

DNSSEC is something so seemingly obvious and essential that it shouldn't have an acronym to look for: a guarantee that the DNS is working as expected, both proving you're talking to the right DNS server and making sure the address you get is the correct one. However, not only it has to be supported by your DNS provider, it also has be implemented by each website on their own domains. It doesn't matter if you're switching to DNS-over-HTTPS or not, this is, as with QNAME minimization, something you should be looking and asking for.

ESNI

ESNI, aka Encrypted Server Name Indication, aka the thing mentioned at step 3, solves the biggest problem left unsolved by DNS-over-HTTPS: the websites you visit still leak! That's because regular SNI was created to allow multiple HTTPS websites to be hosted on the same IPs, and it asks for it without any encryption. Thus, encrypt it, problem solved! This is something that Chrome is working on yet, so again you're stuck with Firefox (shame!) — even then, Firefox doesn't enable it by default, so go to about:config and set network.security.esni.enabled to true.

As with DNSSEC, this is something that requires implementation by each website, but it should work as long as you have DNS-over-HTTPS enabled, regardless of the DoH server you chose!

OCSP

Ah yeah, remember step 4 too? Yeah, it turns out not even ESNI is enough!

Just like SNI does stuff that happens to leak the sites you visit, the Online Certificate Status Protocol is an useful tool for checking that a site's certificate isn't revoked that happens to leak the sites you're visiting. Actually, it's broken too, even for its own purpose. So what do we do? Encrypt that too, of course, with OCSP stapling! And this one doesn't need any configuration, so we're done, right?

Well, here's the catch: by default, browsers still accept plain OCSP, as a temporary compromise between security and privacy. You would expect there to be an option in Firefox to only allow stapled OCSP, and while there's hints at that being the case, the Mozilla wiki also seems to imply the opposite - personally, after some testing, I would consider the latter to apply. Thus, while we don't get anyone to confirm which behavior is true, you're on your own. If you think it's worth it, go ahead and set security.OCSP.enabled to 0, but the drawbacks could be bigger than the advantages.

You're still leaking the IPs you visit

While DNS-over-HTTPS is a very welcome improvement that greatly protects your browsing online, it's still not bullet-proof. Due to the very nature of the Internet, your computer always needs to tell your connection where you're going, and that requires an IP address, which means your Internet provider can still see you're trying to go somewhere and can block it. Luckily enough, many websites share IPs and IP ranges, making such blocking much harder, and regardless there's no way to see what you're trying to do in the first place. Still, if you want something that makes you as anonymous as technologically possible or you need to circumvent IP-specific blocking, Tor is there for you.

You still need to trust the server

As much as we do to make sure our connections are safe, this doesn't mean the websites we're connecting to are safe. That is, for instance, why things like OCSP exist - to prevent mistakes from allowing harm to happen. But there's also no easy solution for issues like phishing or bad practices in businesses. Not much we can do there for now, so make sure you're using services that deserve your trust.

In conclusion

Isn't the web a wonderful, complex, boring mix of patches over patches? This has certainly been a journey, and I'll be very happy if you have managed to finish reading this text without having a meltdown... anyway, I hope this changed your mind on what DNS-over-HTTPS actually is and implies, its real issues and how to befriend such a cute mess. Oh well, have a nice day! 💗

EDIT (2019-09-14): Added new instructions, observations on OCSP, information on TRR fallback and IP leaking