DNS over HTTPS


  • DNS over HTTPS

    This is the nearest forum that I could find to post the following.

    How many of you knew that Firefox or Google Chrome no longer take any notice of what we use as our preferred or alternative DNS server, with regard to IPv4 or IPv6?

    All of you? None of my friends did – they all thought that their router settings were being used, as I did.

    As most of you know, https encrypts input and output but DNS queries were in plaintext. I wrote 'were' because, from Wikipedia, “In February 2020, Firefox switched to DNS over HTTPS (DoH) by default for users in the United States.” DoH queries resolve over HTTPS for privacy, performance, and security.

    I don't have Google Chrome, but with Firefox navigate to 'Settings'. At the bottom of that page is Network Settings. Click on 'Settings...'. At the bottom, you will see 'Enable DNS over HTTPS'. Mine was selected - a friend of mine had his unselected. Anyway, if you select it, the 'Use Provider' comes up with Cloudflare (Default). That is what Firefox will use regardless of how your router entries have been set up. I normally read the Firefox release notes – it looks like I missed the one mentioning DNS over HTTPS, assuming that they told us.

    The dropdown gives options of Cloudflare (Default), NextDNS, and Custom. Custom is interesting because over at GitHub there is a long list of DoH servers to choose from. We simply drop a URL into Custom. This is good because not everyone is overly keen on Cloudflare, even though it is reckoned to be the fastest.

    I have done quite a bit of testing and found that we need to use a really slow DNS server before our brains actually perceive a noticeable difference in web page downloads. You could use half the speed of Cloudflare and not perceive any difference, even with a web page making a lot of DNS queries, and there are a lot of DNS servers faster than half the speed of Cloudflare.

    Microsoft, as usual, is slow to catch on, and DoH is not available with the current Microsoft Edge browser in Windows 10 but is available with the Insider Program. It is also available with Windows 11. Unlike Firefox and Chrome, the server choice is hard-wired. It appears that the list currently has CleanBrowsing (Family Filter), Cloudflare, Quad9, NextDNS, Google (Public DNS), and OpenDNS. It looks like there is a way to add to the list, but I have not pursued that. There were some performance issues, and it was 'pulled' from the Insider Program but is back on again. There is no scheduled date published yet for when it will be available in a stable release of Windows 10.

    Quad9 is an interesting choice. From Wikipedia: “Quad9 is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit foundation with the purpose of improving the privacy and cybersecurity of Internet users, headquartered in Zurich. It is the only global public resolver which is operated not-for-profit, in the public benefit.”

    Call me old-fashioned, but I like the sound of that, and it is one of the reasons why I use Firefox from Mozilla, which is a non-profit foundation.

    Techradar did a Quad9 review a couple of years ago and found that it goes beyond just blocking malware and could well be the best for blocking any 'nasties'.

    That is all very well, but how fast is it? According to tests on the internet, it is not far behind Cloudflare. Quad9 have a DNS server in London and I live on the outskirts of West London. From my perspective, it is as fast as Cloudflare.

    Guess what I now use? Yep!

    If you are happy with Cloudflare there is a better one - Cloudflare with malware blocking.

    Cloudflare with malware blocking

    Microsoft Edge (Windows 10)

    IPv4
    1.1.1.2
    1.0.0.2

    IPv6
    2606:4700:4700::1112
    2606:4700:4700::1002

    Firefox, Google Chrome, and others

    DNS over HTTPS: https://security.cloudflare-dns.com/dns-query

    If you like the sound of Quad9 here are the entries.

    Quad9

    Microsoft Edge (Windows 10)

    IPv4
    9.9.9.9
    149.112.112.112

    IPv6
    2620:fe::fe
    2620:fe::9

    Firefox, Google Chrome, and others

    DNS over HTTPS: https://dns.quad9.net/dns-query

  • #2
    Hmmm, interesting.
    "In February 2020, Firefox switched to DNS over HTTPS (DoH) by default for users in the United States.”

    It was not enabled in my FF - guess they haven't got around to enabling it by default for everyone.

    Just turned it on with a custom "9.9.9.9" ( it appears to accept either a URL or an IP address)

    Thanks for that info!



    • #3
      In Google Chrome:

      Click on the "Hamburger"
      Select "Security and Privacy"
      Select "Security"
      Scroll down to Advanced
      Tick "Use secure DNS"

      You have two options:
      1. With your current service provider
      (Secure DNS may not be available all the time)

      2. With ... a pulldown that gives you
      Custom
      CleanBrowsing (Family Filter)
      OpenDNS
      Cloudflare
      Google

      Custom doesn't accept an IP address. Enter one and it tells you to "Enter a correctly formatted URL"





      • #4
        I run my own DNS caching based on OpenDNS
        George W. Bleck



        • #5
          Originally posted by George Bleck
          I run my own DNS caching based on OpenDNS
          Have you checked whether your browser honours your own DNS caching or whether it overrides your setting (as per David's post)?



          • #6
            it's set to use custom, my own.
            George W. Bleck



            • #7
              Originally posted by Stuart
              (it appears to accept either a URL or an IP address)
              When I saw Cloudflare (Default) I tried Quad9, but that did not work. There is very little at 'Get help' on how to use the Custom box – I got the URL tip from a website which gave the GitHub list.

              Originally posted by Stuart
              It was not enabled in my FF - guess they haven't got around to enabling it by default for everyone.
              Firefox has admitted that – they say it depends on where the user is located – goodness knows why. Having said that, a friend's Firefox had DoH disabled, and he only lives about 20 miles west of me.

              There is a debate about whether to make DoH mandatory or not. Some are having issues with it, so it is probably best to keep it optional. It may need tweaking – it is fairly new technology, after all.



              • #8
                Using an IP address in Firefox does not work.

                Cloudflare have a tester page here: https://cloudflare-dns.com/help/

                With 1.1.1.1 in the Custom box I get:

                [Image: TestOne.jpg]

                On the other hand, with https://security.cloudflare-dns.com/dns-query in the Custom box I get:

                [Image: TestTwo.jpg]

                When we edit the Custom box, we should Restart our system. I typed in Bullshit and ran the tester page without Restarting. I got the second image above again.

                So for Quad9 don't use 9.9.9.9 – use the URL in the opening post.

                We have a bug in Firefox. If the Custom entry does not make sense to it, then the router settings will be used. Well, not really a bug, but it is bad practice. According to Stuart, Google Chrome steps in.

                Note that the tester page checks for Cloudflare - use another valid URL, and we get the first image above.


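Added example, not code from this thread or from any of the posters: an offline RFC 8484 DNS-over-HTTPS query builder and response parser in Node.js. It illustrates the Custom-box discussion in the opening post and in post #8: a DoH resolver is addressed by an https URL (optionally with a `{?dns}` template), so a bare `9.9.9.9` or a random word is rejected, and the query itself is an ordinary DNS wire-format message carried in a `dns=` parameter (GET) or in the request body (POST). The `www.example.com` query reproduces the GET example from RFC 8484 section 4.1.1; the response bytes for `example.com` are constructed here for the demo and point at the documentation address 192.0.2.1. Nothing in the block opens a network connection.

```javascript
// Added example (not from the forum thread): offline RFC 8484 DoH helpers.
const TYPE = { A: 1, AAAA: 28 };

// A DoH resolver is an https URI, optionally carrying a {?dns} URI template.
// "9.9.9.9" or a random word is therefore rejected, as seen in Firefox and Chrome.
function isValidDohTemplate(s) {
  let url;
  try {
    url = new URL(String(s).replace('{?dns}', ''));
  } catch {
    return false;                                 // not parseable as a URL at all
  }
  return url.protocol === 'https:' && url.hostname !== '';
}

// Encode a hostname in DNS wire format: length-prefixed labels ending in a zero byte.
function encodeName(name) {
  const parts = [];
  for (const label of name.replace(/\.$/, '').split('.')) {
    const bytes = Buffer.from(label, 'ascii');
    if (bytes.length === 0 || bytes.length > 63) throw new Error(`bad label: ${label}`);
    parts.push(Buffer.from([bytes.length]), bytes);
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Build a minimal DNS query. RFC 8484 s4.1 recommends ID 0 so that identical
// queries give identical HTTP requests and can be served from HTTP caches.
function buildDnsQuery(name, type = 'A', id = 0) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2);                // flags: RD=1, everything else 0
  header.writeUInt16BE(1, 4);                     // QDCOUNT=1; AN/NS/AR counts stay 0
  const qtail = Buffer.alloc(4);
  qtail.writeUInt16BE(TYPE[type], 0);             // QTYPE
  qtail.writeUInt16BE(1, 2);                      // QCLASS=IN
  return Buffer.concat([header, encodeName(name), qtail]);
}

// GET form: the wire message goes in the "dns" query parameter, base64url-encoded
// with padding stripped (Node's 'base64url' encoding omits the padding).
function dohGetUrl(template, wire) {
  if (!isValidDohTemplate(template)) throw new Error('DoH resolver must be an https URL');
  return `${template.replace('{?dns}', '')}?dns=${wire.toString('base64url')}`;
}

// Read a possibly compressed name (RFC 1035 s4.1.4). Returns the name and the offset
// just past the name as it appeared in the stream (not past the pointer target).
function readName(buf, off) {
  const labels = [];
  let next = null;
  for (;;) {
    const len = buf[off];
    if (len === 0) { off += 1; break; }
    if ((len & 0xc0) === 0xc0) {                  // 11xxxxxx: 14-bit pointer
      if (next === null) next = off + 2;
      off = ((len & 0x3f) << 8) | buf[off + 1];
      continue;
    }
    labels.push(buf.toString('ascii', off + 1, off + 1 + len));
    off += 1 + len;
  }
  return { name: labels.join('.'), next: next === null ? off : next };
}

// Parse the answer section of a DoH response body (same wire format as UDP DNS).
function parseDnsResponse(buf) {
  const flags = buf.readUInt16BE(2);
  const qd = buf.readUInt16BE(4);
  const an = buf.readUInt16BE(6);
  let off = 12;
  for (let i = 0; i < qd; i++) off = readName(buf, off).next + 4;   // skip QTYPE/QCLASS
  const answers = [];
  for (let i = 0; i < an; i++) {
    const { name, next } = readName(buf, off);
    const type = buf.readUInt16BE(next);
    const ttl = buf.readUInt32BE(next + 4);
    const rdlen = buf.readUInt16BE(next + 8);
    const rdata = buf.subarray(next + 10, next + 10 + rdlen);
    const data = type === TYPE.A && rdlen === 4 ? Array.from(rdata).join('.') : rdata.toString('hex');
    answers.push({ name, type, ttl, data });
    off = next + 10 + rdlen;
  }
  return { id: buf.readUInt16BE(0), rcode: flags & 0x0f, truncated: Boolean(flags & 0x0200), answers };
}

// Constructed response for the demo only: example.com A 192.0.2.1 (documentation address),
// TTL 3600, answer name given as a compression pointer to offset 12.
const SAMPLE_RESPONSE = Buffer.concat([
  Buffer.from([0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00]),
  encodeName('example.com'), Buffer.from([0x00, 0x01, 0x00, 0x01]),
  Buffer.from([0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04, 192, 0, 2, 1]),
]);

console.log(dohGetUrl('https://dns.quad9.net/dns-query', buildDnsQuery('www.example.com')));
console.log(parseDnsResponse(SAMPLE_RESPONSE).answers);
```

The validator is the practitioner's check for the symptom described in post #8: anything that fails `isValidDohTemplate` is what the browser silently ignores before falling back to the system resolver, so a misspelt URL is not "DoH with a bad server", it is no DoH at all.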


                • #9
                  Originally posted by David Roberts
                  Using an IP address in Firefox does not work.

                  ...

                  So for Quad9 don't use 9.9.9.9 – use the URL in the opening post.
                  OK, thanks. I'll change it to the URL.



                  • #10
                    Just for the record Microsoft's Edge use of DoH is in the Insider Program build 19628 and above.



                    • #11
                      I have just installed Apache2 server on one machine so I can access common data, files, backups etc ... on my own LAN and I can routinely just use the router IP to access the server from any machine in the LAN. It is not exposed to the internet, is behind a NAT router but it is really useful for fast access to whatever I want to put on it.

                      I had a quick look at using dynamic DNS but it appears to involve external access outside the LAN so I did not bother.
                      hutch at movsd dot com
                      The MASM Forum

                      www.masm32.com



                      • #12
                        BTW, you can get Quad9 for Android 'phones. Play Store>Quad9 Connect. Android requires DNS over TLS (DoT), which is why Quad9 uses that. DoT uses a separate port. DoH uses the same port as HTTPS, so not only is it encrypted, it is also camouflaged.

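Added example, not code from this thread or from any of the posters: a small flow classifier in Node.js run over constructed flow records, to show the port point made in the post above from the network-monitoring side. Plaintext DNS (port 53) and DoT (tcp/853) are recognisable by port alone; DoH is ordinary tcp/443 and, in this example, can only be picked out by its destination address. The resolver addresses are the Cloudflare and Quad9 entries listed earlier in the thread plus 1.1.1.1; the flow records, the 192.168.1.1 router address and the other addresses are made up for the demo.

```javascript
// Added example (not from the forum thread): classify constructed flow records.

// Public DoH resolver addresses from this thread plus 1.1.1.1 (illustrative, not exhaustive).
const KNOWN_DOH_RESOLVERS = new Set([
  '1.1.1.1', '1.1.1.2', '1.0.0.2', '2606:4700:4700::1112', '2606:4700:4700::1002', // Cloudflare
  '9.9.9.9', '149.112.112.112', '2620:fe::fe', '2620:fe::9',                         // Quad9
]);

// Classify one flow. Addresses are assumed to be in canonical form already
// (lower-case, compressed IPv6) so that set membership is a plain string compare.
function classifyFlow(flow) {
  const { proto, dst, dport } = flow;
  if ((proto === 'udp' || proto === 'tcp') && dport === 53) return 'plaintext-dns';
  if (proto === 'tcp' && dport === 853) return 'dot';
  if (proto === 'tcp' && dport === 443 && KNOWN_DOH_RESOLVERS.has(dst)) return 'doh-probable';
  return 'other';   // includes DoH to a resolver not in the list: it looks like any HTTPS
}

// Audit a batch of flows against the resolver(s) the network expects clients to use.
// Every DNS-class flow to another destination is reported as a bypass of that resolver.
function auditFlows(flows, approvedResolvers) {
  const counts = { 'plaintext-dns': 0, dot: 0, 'doh-probable': 0, other: 0 };
  const bypasses = [];
  for (const flow of flows) {
    const kind = classifyFlow(flow);
    counts[kind] += 1;
    if (kind !== 'other' && !approvedResolvers.has(flow.dst)) {
      bypasses.push({ src: flow.src, dst: flow.dst, dport: flow.dport, kind });
    }
  }
  return { counts, bypasses };
}

// Constructed sample flows (not captured traffic).
const SAMPLE_FLOWS = [
  { src: '192.168.1.20', dst: '192.168.1.1',   proto: 'udp', dport: 53 },  // router resolver
  { src: '192.168.1.20', dst: '9.9.9.9',       proto: 'tcp', dport: 853 }, // Android-style DoT
  { src: '192.168.1.21', dst: '1.1.1.2',       proto: 'tcp', dport: 443 }, // browser DoH
  { src: '192.168.1.21', dst: '203.0.113.10',  proto: 'tcp', dport: 443 }, // ordinary HTTPS, or DoH to an unlisted resolver
  { src: '192.168.1.22', dst: '198.51.100.53', proto: 'udp', dport: 53 },  // hard-coded third-party DNS
];

console.log(auditFlows(SAMPLE_FLOWS, new Set(['192.168.1.1'])));
```

The fourth sample flow is the camouflage case: if that host were a DoH resolver the classifier has never heard of, nothing in the flow record distinguishes it from a web page, which is why an enterprise that wants to see DNS has to pin a resolver at the endpoint rather than rely on watching port 53.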


                        • #13
                          I now have DoH with Microsoft Edge.

                          With Microsoft Edge go to 'Settings>Privacy, search, and services'. Toward the bottom at 'Use secure DNS to specify how to lookup the network address for websites'. I now have this.

                          [Image: EdgeCloudfare.jpg]

                          When I executed the Cloudflare tester page in post #8 I got the first image in post #8, so I assumed that DoH was not working in Edge yet, as many people had indicated. However, those indications are about 18 months to two years old.

                          However, I made the mistake of running the tester page from Firefox. If I execute the tester page from within Edge, I get the second image in post #8.

                          Bear in mind that Firefox is set up to use Quad9 for DoH and router, so it looks like DoH is working in Edge.

                          There are some commands related to DoH which do not work, such as adding to the default list, so DoH is not fully implemented.

                          If we go to What's my DNS Server and click on 'Press to Check Your DNS Server(s)' in Firefox, I get wall-to-wall Woodynet. Woodynet? It is a long story, but that is Quad9.

                          If I do a server check from within Microsoft Edge I get Cloudflare.

                          Conclusion: I now have DoH with Microsoft Edge.

                          I decided to opt for OpenDNS and confirmed with the DNS Server check. Cloudflare is the fastest, but I don't perceive a performance hit with OpenDNS.

                          It seems to me that no one appears to be up to speed on this subject. Microsoft doesn't help. I remember when they added AES and SHA2 to XP SP3 after CNG was introduced in Vista. I found that out accidentally and reported it to the forum. Many people didn't bother with SP3 because they thought it was simply a consolidation service pack.
                          David Roberts
                          Last edited by David Roberts; 12 Jan 2022, 07:04 PM.



                          • #14
                            I keep referring to router settings. I should really write Windows settings which override the router settings. My router settings are configured to use whatever my ISP recommends which, I imagine, is their DNS Server. I could add my own, but I don't bother since I configure the Windows settings. Of course, if a non-Windows device uses the router, then the router settings will be used.

                            So, we have the router settings overridden by the Windows settings and now, with Firefox, Google Chrome, and others, we have, via DoH, the Windows settings overridden.

                            How does Mr and Mrs average PC user cope with all this? Well, they don't, do they? Both Firefox and Microsoft should try to explain in plain English how to configure the DNS Servers. A lot of ISP DNS Servers are slow, so many folk would benefit from using others.

