DNS-over-HTTPS & GW NS Lookup

I’ve been using Firefox’s DNS-over-HTTPS (DoH) for almost a year. Search firefox doh in an engine of your choice.

It’s been so reliable, months ago I enabled mode 3 and bootstrapped the IP address to disable fallback to system DNS.

In this quick & dirty screen shot while opening a popular news aggravator, 1.1.1.1 (Cloudflare) is opened upon first connection out and persists throughout the session for secure NS lookups. Secure insofar as trust in Cloudflare and Mozilla is concerned. Other DoH servers exist and can be used by Firefox.

Note the port 53 connections to 9.9.9.9 and 148.112.112.112, my system TCP settings for Quad9. (These, of course, would be different for everyone else using other DNS servers or ones configured via ISP DHCP or router settings.)

GW does these port 53 lookups thereby upsetting DoH’s core mission of NS lookup privacy while browsing teh webbuhnetz. These lookups do not compromise DoH’s browser protection against the legion of DNS exploits.

Consequently, disabling GW’s NS lookup would upset the display and logging of valuable network detail.

Given the infancy of secure DNS, overdue by 20 or so years, there is no faulting GW or any other utility in this regard. As well, everything else on the system (RSS, email clients, et al) does the insecure port 53 boogie.

But in looking ahead, GW might consider implementing user configured DoH functionality, optionally. Easier said than done, of course. I wonder if the folks over at The Qt Project have it under consideration, waiting on Linux and Windows to write it into their kernels where application enabled DoH would no longer be essential.

IMHO, DoH will win out over DoT (DNS over TLS).

Unfortunately that will not be the case. DoH has more overhead and other issues as opposed to DNS over TLS. DoT is also an IETF standard, and DoH was just recently adopted.

This is a great read to learn more about the differences and why DoT is preferable overall.
https://www.reddit.com/r/privacy/comments/89pr15/dnsoverhttps_vs_dns_overtls_vs_dnscrypt/

Other great reads:

• DNS Security: Comparing DNS-over-TLS, DNSSEC and DNS-over-HTTPS
• https://www.reddit.com/r/VPN/comments/7s3np2/dns_over_tls_what_is_it_can_i_use_it_does_it_mean/

Be sure to test the following:

• DNSSec
• Cloudflare Tests

Very interesting information! Thanks for sharing these details on dns over https.

For anyone reading this who does not know already, it is possible to disable nslookups completely with GlassWire.

How to disable nslookups with GlassWire
First create a “glasswire.conf” file with your Notepad application.
Inside the GlassWire.conf text file created by Notepad please insert this text:
hostname_enable_nslookup = false
Please move the .conf file to C:\programdata\GlassWire\service
Reboot your PC.

But of course it’s very useful to see nslookups in GlassWire, so as nslookups become more secure we will be sure to use best practices in the future.

With such prescience, you should start buying lottery tickets.

DoH and DoT both provide security above and beyond DNS which, as we know, has none.

DoT uses port 853. DoH, 443, used by the vast, unwashed masses. Gazillions of packets every millisecond. Overhead is irrelevant. As it always has, the Web will adapt if necessary.

Forensic tools can be utilized for expert analysis of port 443 traffic, of course. But everyone knows what’s going on with 853 and who is trying to hide what, anyway?

That reddit soapbox thread… all of Woodcock’s “ugly hack” arguments against DoH are exactly the ones in its favor, pull quotes: camouflage DNS queries as web queries, get them past redirecting proxies, provides the same full-stream encryption as DNS-over-TLS, a non-DNS-specific port (duh, 443).

As well, the discussion is already a year old. At about the same time, Mozilla and Cloudflare embraced DoH and made it accessible to those who care to follow simple instructions to edit about:config. Soon to be in the Privacy & Security UI, I hope. It’s stability and efficacy has, over this time, become demonstrable.

The IETF’s RFC mission can’t be dismissed, but it’s interest has largely become which working group’s presentation will get the next research prize.

Thanks for the test links. I’ve had them bookmarked for a long time. Hopefully they’ll evoke an interest by the general readership here. Here’s another:

ESNI??

For me, end of discussion. Cheers.

Hmmmm. I already have a glasswire.conf file with:

db_file_path=C:\ProgramData\Glasswire\service\glasswire.db
geoip_db_path=C:\ProgramData\Glasswire\service\GeoLite2.mmdb
storage_path=C:\ProgramData\Glasswire\service\storage.db
hostname_storage_time=21600
hostname_enable_nslookup=true
enable_database_check=false

It’s stamped 6/3/2019 and I know fore sure I didn’t create or edit it, then or any time else.

Your instruction to create a glasswire.conf file and move it to that path would evoke an exists-replace yes/no response.

enable_database_check=false relates to “Enable manual file analysis by VirusTotal,” which I have unchecked. Correct? If not, what?

My memory fails me and I might be thinking of something else, but wan’t there once a setting to enable/disable NS lookups in GW’s UI?

Well, my point was to get DoH into GW settings STAT in a hint-hint nudge-nudge sort of way. Wouldn’t that be a horn to toot on your Features page?

Thanks!

@dallas7

We are working on an update with host lookup changes. It will be part of our major backend update that will be coming in the fall.

Did you ever contact us for support and we asked you to make logs? If so you may have a conf file from that.

You can just add that text to your conf file and it should make the change.
“hostname_enable_nslookup = false”

I’m glad to see that DoH has also been added to IETF recently. Hopefully fingerprinting will also be something added soon. At least Firefox now has DoH added into the General > Network settings.

Here’s another good check: https://panopticlick.eff.org/

Trying to “camouflage” DNS has no real point. There’s no point because your ISP will still get it regardless.

The real benefit is making sure it’s not tampered with. It really doesn’t need to be handled over HTTPS, as there’s already a separate, dedicated port (like a lane of traffic) for it that as I mentioned, will allow reduction in overhead and latency. So you can either have HTTPS traffic and the DoH - DNS traffic in with DNS (like they’re trying to share the same lane of traffic) which causes the latency and overhead (a traffic jam) as I mentioned. Or you can have HTTPS traffic and and DoT traffic in their own respectable lanes. Secure. Safe. Faster.

It’s good that people are embracing DoH because at least there will be some layer of security as opposed to none at all, preventing tampering or injecting like what some ISPs love to do.

Also, are you aware of your tone when you’re posting?

@Tarun

If you use Cloudflare DNS or some other DNS service, will your ISP still get your DNS? I thought if you used a third party DNS provider the ISP will not see your DNS.

@Ken_GlassWire They can, to an extent. You also have to consider shared hosting, this the same IP for multiple sites, and so on.

This will explain a good deal about it.

Hi Ken
I found this read - Does changing my computer’s DNS prevent my ISP from tracking my browsing activity?
https://www.quora.com/Does-changing-my-computer’s-DNS-prevent-my-ISP-from-tracking-my-browsing-activity.

Sorry for the late response. For some reason yahoo started dumping some, but not all of, the forum updates into the spam folder which I don’t check as often as I should. They did the same for my SpyShelter marketing emails, too. Sigh.

I can’t recall any instructions to make logs from support, but considering the span of years it’s quite possible. I would use my gmail account for that and a quick search there didn’t return any results.

This is confusing as a conf (still stamped 6/3/2019) file doesn’t fit the construct of a log file; there’s nothing being logged in there. Whereas I have a log folder in service, stamped 12/14/17, which is empty.

As everything is working OK, I’m OK with the conf file and consider it just another element in the perplexing nature of the Universe.

Thanks!

For those following or finding this thread, while Firefox has implemented DoH configuration in Network Settings with the option to set an alternate server, this merely changes the mode from 0 to 2, which is fine.

However, this still allows Firefox to fall back to the System DNS should a Cloudflare lookup fail. Considering the near 100% reliability of its services, a failed Cloudflare lookup might be more of a security feature than a failure.

In about:config, modifying the bootstrapAddress to 1.1.1.1 and the mode to 3 will lock in Cloudflare; no System fall back.

If you want to remove Mozilla from the process, modify the uri to Cloudflare’s default.

Boosting the request-timeout was a recommended practice in the early days of the Firefox DoH feature. 1500 is probably OK and now that I’ve noticed/remembered I did that, I’ll be rolling it back to 1500.

Cheers.

GlasswireDoHdns2.jpg686×849 211 KB

It’s an experimental way of providing DNS resolution via HTTPS.

It provides the advantage of not being vulnerable to Man-in-the-middle attacks (due to the TLS encryption in HTTPS), preventing DNS spoofing.

Experimental? Not anymore.

Having been available to the mainstream user via about:config since March, 2018 (about 50 CyberYears), the experiment is over. Cloudflare’s DoH (and the usual port 53 UDP and DoT), deployed in 150+ cities worldwide with access to 7M+ domain names, is rapid and stable. And, no, I don’t work for them. Others are getting on board but still have some work to do. I might start using Cloud9 eventually. Google “dns over https server list” for more info.

DoH itself is so good that the UK government and various British advocacy groups have cause for concern that the parliamentary monarchy’s subjects might have too much privacy. And, ironically, not enough protection from the Internet’s heinous underbelly.

Note that “Currently, DoH is not supported in the stable version of…Firefox,” is in error. Should read, “not supported without UDP port 53 fallback.”

Interesting how that got published on the Fourth of July.

Cheers.

I have been using DNS over https with Firefox and I have yet to have an issue with the websites I visit. It seems to work great! Thanks Firefox Team!!!

As I’ve mentioned before, DNS over HTTPS is not the most ideal. Always opt for DNS over TLS.

Case in point:

@Tarun

Very interesting. I searched around online and I could not find how to set up DNS over TLS with Firefox. Are you using Firefox or what browser and how is DNS over TLS set up for you?

I then did some more searching and found this link where you can test your DNS over https setup.

Mine is all green and I see they show “Encrypted SNI”. When I search for Firefox and SNI encryption I find this page https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/ that shows how to set that up.

The page says " A couple of weeks ago we announced support for the encrypted Server Name Indication (SNI) TLS extension (ESNI for short)."

So, I think this means I have https over TLS setup too, is that correct?

You can’t. Not yet anyway. Mozilla might add it to the mix. Or some one might build an extension. Ya never know…

One could configure a local proxy client available for Windows to use DoT lookups for all of Windows’ system internet connectivity but Firefox trr prefs would need to be default, that is, no DoH settings.

@Ken_GlassWire I set up DNS over TLS in my router, and I also use a custom firmware.

Interesting! I did not know that was even possible.

I look forward to this feature being available to everyone without so much customization required. It looks like my current router doesn’t support this yet.