DNS-over-HTTPS & GW NS Lookup

It’s an experimental way of providing DNS resolution via HTTPS.

It provides the advantage of not being vulnerable to Man-in-the-middle attacks (due to the TLS encryption in HTTPS), preventing DNS spoofing.

Experimental? Not anymore.

Having been available to the mainstream user via about:config since March, 2018 (about 50 CyberYears), the experiment is over. Cloudflare’s DoH (and the usual port 53 UDP and DoT), deployed in 150+ cities worldwide with access to 7M+ domain names, is rapid and stable. And, no, I don’t work for them. Others are getting on board but still have some work to do. I might start using Cloud9 eventually. Google “dns over https server list” for more info.

DoH itself is so good that the UK government and various British advocacy groups have cause for concern that the parliamentary monarchy’s subjects might have too much privacy. And, ironically, not enough protection from the Internet’s heinous underbelly.

Note that “Currently, DoH is not supported in the stable version of…Firefox,” is in error. Should read, “not supported without UDP port 53 fallback.”

Interesting how that got published on the Fourth of July.

Cheers.

I have been using DNS over https with Firefox and I have yet to have an issue with the websites I visit. It seems to work great! Thanks Firefox Team!!!

As I’ve mentioned before, DNS over HTTPS is not the most ideal. Always opt for DNS over TLS.

Case in point:

@Tarun

Very interesting. I searched around online and I could not find how to set up DNS over TLS with Firefox. Are you using Firefox or what browser and how is DNS over TLS set up for you?

I then did some more searching and found this link where you can test your DNS over https setup.

Mine is all green and I see they show “Encrypted SNI”. When I search for Firefox and SNI encryption I find this page https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/ that shows how to set that up.

The page says "A couple of weeks ago we announced support for the encrypted Server Name Indication (SNI) TLS extension (ESNI for short)."

So, I think this means I have https over TLS set up too, is that correct?

You can’t. Not yet anyway. Mozilla might add it to the mix. Or someone might build an extension. Ya never know…

One could configure a local proxy client available for Windows to use DoT lookups for all of Windows’ system internet connectivity but Firefox trr prefs would need to be default, that is, no DoH settings.


@Ken_GlassWire I set up DNS over TLS in my router, and I also use a custom firmware.


Interesting! I did not know that was even possible.

I look forward to this feature being available to everyone without so much customization required. It looks like my current router doesn’t support this yet.

What router do you have?


@Tarun
I use Cloud Flare as a CDN and now I want to uninstall. I have watched many videos, but the CDN is still not properly deleted. What should I do?

@davidoyama this FAQ will help you in removing the CloudFlare CDN from your website/domain.

Okay fine, let me know what I should do and how I change my DNS back to my original hosting.

@davidoyama I did, check the link to the FAQ.

If you’re not referencing a website, then simply remove the CloudFlare DNS from your router or computer. Typically, just deleting the DNS entries so they are blank will reset them to the ISP-provided DNS.

Our next update will allow you to have the ability to turn off nslookups. Here is a sneak preview below!


FYI - Up to date, concise and technical:

Primary focus is on enterprise admin but here’s a pull quote for the average home & mobile user:

If you are an end-user, with your own personal (non-employer-owned) machine, your main concerns should be about whether any alternative DNS resolver (beyond manually configured or DHCP provided) is enabled/configured. The main issue with this would be when you are using someone else’s network and whether you are violating their policies or expectations. This is particularly true when traveling to other countries when this small change might violate local laws. This may also be true in a BYOD (bring your own device) environment, where this could violate your employer’s policy, with potential employment-related consequences.

GOOGLE CHROME UPDATED INFO
As of v78, the executable run command line cited in the article is replaced by an internal flag:
chrome://flags/#dns-over-https

Cheers.


In Firefox, if you turn on DoH via the GUI it should handle it in the config automatically. No need to go to about:config.

For what it’s worth, keep in mind that GoDaddy is also against a free and open Internet. SOPA, etc, they backed.

I mention this because:

A version of this post was originally published in the GoDaddy Engineering blog.

By Brian Dickson, Principal Software Development Engineer at GoDaddy

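The thread touches the same question twice: the first post’s point that Firefox’s DoH normally keeps a UDP port 53 fallback, and the GoDaddy quote’s advice to check whether an alternative resolver is configured at all. This added example (not code from the thread, Mozilla or GlassWire) reads the `network.trr.mode` / `network.trr.uri` prefs Firefox writes to prefs.js and reports which of those cases applies; the prefs text in `SAMPLE_PREFS` is constructed.

```python
"""Audit a Firefox prefs.js for DNS-over-HTTPS (TRR) settings.
Added example, not code from the thread or GlassWire; SAMPLE_PREFS is constructed.
Reports the resolver mode discussed above: DoH with or without UDP/53 fallback."""
import re

# network.trr.mode values as Firefox defines them.
TRR_MODES = {
    0: "off (native resolver only, default)",
    2: "DoH first, fall back to native UDP/53 on failure",
    3: "DoH only, no native fallback",
    5: "off by explicit user choice",
}
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} from prefs.js content (int, bool or str)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit_trr(prefs):
    """Summarise whether an alternative (DoH) resolver is configured."""
    mode = prefs.get("network.trr.mode", 0)   # absent pref means default 0
    doh = mode in (2, 3)
    return {
        "mode": mode,
        "description": TRR_MODES.get(mode, "reserved/unknown mode"),
        "doh_enabled": doh,
        "port53_fallback": mode == 2,         # modes 0/5 use only native DNS
        "resolver": prefs.get("network.trr.uri", "") if doh else None,
    }

# Constructed sample: DoH on with fallback, as the Firefox GUI toggle sets it.
SAMPLE_PREFS = '''user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
if __name__ == "__main__":
    for key, value in audit_trr(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{key}: {value}")
```

Point it at the prefs.js in your own Firefox profile directory to see what the GUI toggle actually wrote; mode 3 is the only setting with no port 53 fallback.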

Our update that allows you to turn off nslookups will be out next week.

GlassWire can now disable nslookups.

Version 2.1.166 - (September 17, 2019)

Hash # 2E394CA96D8AE6075879891365857A8FFF5E8AE14162DEA25CA39410C90F473D

Turn nslookup off in your GlassWire settings if you don’t want to see the domain names of the hosts you are connecting to.
Changes were made on how the Windows “System” and Windows Defender are handled with the firewall.
Graph screen optimizations to use even less resources when using GlassWire.
New help screens to help with technical issues.
Other bug fixes and enhancements.


Hi Ken,
I always look forward to new versions and the changes. Others and I might be interested to know what the…
"Other bug fixes and enhancements" were.
Just a thought, and curious to know … Thank you Ken, and the Glasswire team.

@GlassWare

Sometimes people report little UI bugs and things. It’s nothing significant so that’s why we don’t mention it. If I listed them all it would just look ugly on the change list and be too much to read.
https://www.glasswire.com/changes/