DNS-over-HTTPS & GW NS Lookup

I’ve been using Firefox’s DNS-over-HTTPS (DoH) for almost a year. Search firefox doh in an engine of your choice.

It’s been so reliable, months ago I enabled mode 3 and bootstrapped the IP address to disable fallback to system DNS.

In this quick & dirty screen shot while opening a popular news aggravator, 1.1.1.1 (Cloudflare) is opened upon first connection out and persists throughout the session for secure NS lookups. Secure insofar as trust in Cloudflare and Mozilla is concerned. Other DoH servers exist and can be used by Firefox.

[Screenshot: GlasswireDoHdns (GlassWire connection list showing the DoH and port 53 connections described below)]

Note the port 53 connections to 9.9.9.9 and 148.112.112.112, my system TCP settings for Quad9. (These, of course, would be different for everyone else using other DNS servers or ones configured via ISP DHCP or router settings.)

GW does these port 53 lookups thereby upsetting DoH’s core mission of NS lookup privacy while browsing teh webbuhnetz. These lookups do not compromise DoH’s browser protection against the legion of DNS exploits.

Consequently, disabling GW’s NS lookup would upset the display and logging of valuable network detail.

Given the infancy of secure DNS, overdue by 20 or so years, there is no faulting GW or any other utility in this regard. As well, everything else on the system (RSS, email clients, et al) does the insecure port 53 boogie.

But in looking ahead, GW might consider implementing user configured DoH functionality, optionally. Easier said than done, of course. I wonder if the folks over at The Qt Project have it under consideration, waiting on Linux and Windows to write it into their kernels where application enabled DoH would no longer be essential.

IMHO, DoH will win out over DoT (DNS over TLS).

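The post above makes a point that is easy to verify from a connection log: the browser's lookups ride on port 443 to the DoH resolver, while the firewall utility (and everything else on the box) still does plaintext port 53. The following is an added example, not GlassWire's code or the poster's, that classifies each connection by DNS transport and reports which processes still do plaintext lookups, and which process uses DoH yet also falls back to port 53 (the fallback that mode 3 is supposed to disable). The log lines are constructed to resemble a per-connection export (timestamp, process, protocol, remote IP, remote port); the DoH resolver set is an assumption, since a 443 connection only reads as DoH when the remote address is a known resolver, which is exactly the camouflage the thread argues about.

```python
"""Classify DNS transport per process from constructed connection-log lines.

Added example, not from GlassWire or the forum post. Resolver sets below are
assumptions for illustration; extend them with the resolvers you actually use.
"""
from collections import Counter, defaultdict

# Assumed DoH resolver addresses (1.1.1.1 is the Cloudflare address the post
# names; 1.0.0.1 is its companion). Anything else on 443 is ordinary HTTPS.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}
DNS_PORT = 53     # plaintext DNS
DOT_PORT = 853    # DNS over TLS, a dedicated and therefore visible port
HTTPS_PORT = 443  # DoH blends in with web traffic here

# Constructed sample log. 9.9.9.9 is the Quad9 address discussed in the thread;
# the remaining addresses and process names are made up for the example.
SAMPLE_LOG = """\
2019-08-01T10:00:01 firefox.exe tcp 1.1.1.1 443
2019-08-01T10:00:01 GlassWire.exe udp 9.9.9.9 53
2019-08-01T10:00:02 GlassWire.exe udp 9.9.9.9 53
2019-08-01T10:00:03 firefox.exe tcp 203.0.113.10 443
2019-08-01T10:00:04 stubby.exe tcp 9.9.9.9 853
2019-08-01T10:00:05 thunderbird.exe udp 9.9.9.9 53
2019-08-01T10:00:06 firefox.exe udp 9.9.9.9 53
"""


def parse_line(line):
    """Split one log line into its fields; port is converted to int."""
    ts, proc, proto, ip, port = line.split()
    return {"ts": ts, "process": proc, "proto": proto, "ip": ip, "port": int(port)}


def classify(ip, port):
    """Map a remote endpoint to a DNS transport label."""
    if port == DNS_PORT:
        return "plain-dns"
    if port == DOT_PORT:
        return "dot"
    if port == HTTPS_PORT and ip in DOH_RESOLVERS:
        return "doh"
    return "other"


def summarize(log_text):
    """Return {process: {transport: count}} for every non-empty line."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        summary[rec["process"]][classify(rec["ip"], rec["port"])] += 1
    return {proc: dict(counts) for proc, counts in summary.items()}


def plaintext_dns_processes(log_text):
    """Processes that still resolve names over plaintext port 53."""
    return sorted(p for p, c in summarize(log_text).items() if c.get("plain-dns"))


def doh_fallback_suspects(log_text):
    """Processes seen using DoH *and* plaintext DNS in the same capture:
    with fallback disabled (mode 3) a DoH client should never appear here."""
    return sorted(
        p for p, c in summarize(log_text).items()
        if c.get("doh") and c.get("plain-dns")
    )


if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_LOG).items():
        print(f"{proc:16} {counts}")
    print("plaintext DNS:", plaintext_dns_processes(SAMPLE_LOG))
    print("DoH clients also seen on port 53:", doh_fallback_suspects(SAMPLE_LOG))
```

On the constructed sample, GlassWire.exe and thunderbird.exe show up as plaintext-only resolvers (the "port 53 boogie" the post describes), stubby.exe is recognisable as DoT purely from port 853, and firefox.exe is flagged because it appears on both 443-to-resolver and port 53, which on a mode 3 configuration would be worth investigating.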

Unfortunately that will not be the case. DoH has more overhead and other issues as opposed to DNS over TLS. DoT is also an IETF standard, and DoH was just recently adopted.

This is a great read to learn more about the differences and why DoT is preferable overall.

Other great reads:

Be sure to test the following:


Very interesting information! Thanks for sharing these details on dns over https.

For anyone reading this who does not know already, it is possible to disable nslookups completely with GlassWire.

How to disable nslookups with GlassWire

1. First create a “glasswire.conf” file with your Notepad application.
2. Inside the GlassWire.conf text file created by Notepad please insert this text:
   hostname_enable_nslookup = false
3. Please move the .conf file to C:\programdata\GlassWire\service
4. Reboot your PC.

But of course it’s very useful to see nslookups in GlassWire, so as nslookups become more secure we will be sure to use best practices in the future.

With such prescience, you should start buying lottery tickets. :smiley:

DoH and DoT both provide security above and beyond DNS which, as we know, has none.

DoT uses port 853. DoH, 443, used by the vast, unwashed masses. Gazillions of packets every millisecond. Overhead is irrelevant. As it always has, the Web will adapt if necessary.

Forensic tools can be utilized for expert analysis of port 443 traffic, of course. But everyone knows what’s going on with 853 and who is trying to hide what, anyway?

That reddit soapbox thread… all of Woodcock’s “ugly hack” arguments against DoH are exactly the ones in its favor, pull quotes: camouflage DNS queries as web queries, get them past redirecting proxies, provides the same full-stream encryption as DNS-over-TLS, a non-DNS-specific port (duh, 443).

As well, the discussion is already a year old. At about the same time, Mozilla and Cloudflare embraced DoH and made it accessible to those who care to follow simple instructions to edit about:config. Soon to be in the Privacy & Security UI, I hope. Its stability and efficacy have, over this time, become demonstrable.

The IETF’s RFC mission can’t be dismissed, but its interest has largely become which working group’s presentation will get the next research prize.

Thanks for the test links. I’ve had them bookmarked for a long time. Hopefully they’ll evoke an interest by the general readership here. Here’s another:

ESNI??

For me, end of discussion. Cheers.

Hmmmm. I already have a glasswire.conf file with:

db_file_path=C:\ProgramData\Glasswire\service\glasswire.db
geoip_db_path=C:\ProgramData\Glasswire\service\GeoLite2.mmdb
storage_path=C:\ProgramData\Glasswire\service\storage.db
hostname_storage_time=21600
hostname_enable_nslookup=true
enable_database_check=false

It’s stamped 6/3/2019 and I know for sure I didn’t create or edit it, then or any time else.

Your instruction to create a glasswire.conf file and move it to that path would evoke an exists-replace yes/no response.

enable_database_check=false relates to “Enable manual file analysis by VirusTotal,” which I have unchecked. Correct? If not, what?

My memory fails me and I might be thinking of something else, but wasn’t there once a setting to enable/disable NS lookups in GW’s UI?

Well, my point was to get DoH into GW settings STAT in a hint-hint nudge-nudge sort of way. Wouldn’t that be a horn to toot on your Features page?

Thanks!

@dallas7

We are working on an update with host lookup changes. It will be part of our major backend update that will be coming in the fall.

Did you ever contact us for support and we asked you to make logs? If so you may have a conf file from that.

You can just add that text to your conf file and it should make the change.
“hostname_enable_nslookup = false”
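The exchange above turns on a small practical point: the conf file may already exist (with hostname_enable_nslookup=true in it), so "create a file and move it" risks an overwrite prompt, while "just add that text" risks ending up with two conflicting lines. The following is an added example, not GlassWire's own tooling, that edits the key in place: it rewrites an existing hostname_enable_nslookup line, drops any duplicate, appends the key if it is absent, and leaves every other line untouched. The file path and key name are the ones given in the thread; the assumption that the file is one key=value per line (with or without spaces around "=", as both forms appear in the thread) is mine. The sample conf text is a constructed copy of the one posted above.

```python
"""Idempotently set hostname_enable_nslookup=false in glasswire.conf.

Added example, not GlassWire's code. Path and key are from the forum thread;
the one-key-per-line format with optional spaces around '=' is an assumption.
"""
from pathlib import Path

# Path quoted in the thread (assumed to still be where the service reads it).
DEFAULT_CONF = Path(r"C:\ProgramData\GlassWire\service\glasswire.conf")
KEY = "hostname_enable_nslookup"

# Constructed copy of the conf file shown in the thread.
EXISTING_CONF = """\
db_file_path=C:\\ProgramData\\Glasswire\\service\\glasswire.db
geoip_db_path=C:\\ProgramData\\Glasswire\\service\\GeoLite2.mmdb
storage_path=C:\\ProgramData\\Glasswire\\service\\storage.db
hostname_storage_time=21600
hostname_enable_nslookup=true
enable_database_check=false
"""


def get_key(conf_text, key):
    """Return the value of key, or None if the key is not present."""
    for line in conf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None


def set_key(conf_text, key, value):
    """Return conf_text with key set to value.

    The first matching line is rewritten, later duplicates are removed, and
    the key is appended when it was absent. Other lines pass through unchanged.
    """
    out, found = [], False
    for line in conf_text.splitlines():
        name, sep, _ = line.partition("=")
        if sep and name.strip() == key:
            if found:
                continue          # drop a duplicate of the same key
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def disable_nslookup(path=DEFAULT_CONF):
    """Write the change to disk; an absent file is created with just the key."""
    existing = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(set_key(existing, KEY, "false"), encoding="utf-8")


if __name__ == "__main__":
    # Dry run on the constructed sample rather than touching the real file.
    print(set_key(EXISTING_CONF, KEY, "false"))
```

Run disable_nslookup() with administrator rights on the machine itself; per the staff instructions above, the change takes effect after a reboot (the service reads the file at start). The dry run on the sample shows the only changed line is hostname_enable_nslookup=true becoming =false.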

I’m glad to see that DoH has also been added to IETF recently. Hopefully fingerprinting will also be something added soon. At least Firefox now has DoH added into the General > Network settings.

Here’s another good check: https://panopticlick.eff.org/

Trying to “camouflage” DNS has no real point. There’s no point because your ISP will still get it regardless.

The real benefit is making sure it’s not tampered with. It really doesn’t need to be handled over HTTPS, as there’s already a separate, dedicated port (like a lane of traffic) for it that, as I mentioned, will allow reduction in overhead and latency. So you can either have HTTPS traffic and the DoH - DNS traffic in with DNS (like they’re trying to share the same lane of traffic) which causes the latency and overhead (a traffic jam) as I mentioned. Or you can have HTTPS traffic and DoT traffic in their own respective lanes. Secure. Safe. Faster.

It’s good that people are embracing DoH because at least there will be some layer of security as opposed to none at all, preventing tampering or injecting like what some ISPs love to do.

Also, are you aware of your tone when you’re posting?