
Thread: Native Linux support for DoH (DNS over HTTPS)

  1. #1
    Join Date
    Jan 2009
    Location
    Romania, Bucharest
    Posts
    721

    Native Linux support for DoH (DNS over HTTPS)

    Yesterday I had the pleasure of looking deeper into the upcoming DNS over HTTPS (or DoH). It will ensure that just like your traffic, the websites you visit can't be monitored nor easily censored by your ISP or any intermediary. It's a long overdue idea which I'm glad to hear is finally happening.

    I wanted to know when the Linux networking system is going to implement native support for the technology as well. In many cases this might not be of great importance, as the home router typically handles those things, whereas DoH will be implemented in web browsers directly. But it would still be interesting to know when we can expect it as a built-in feature that can be used system-wide... so, for instance, system commands like "curl" or "zypper dup" can also benefit from it.
    openSUSE Tumbleweed x64, KDE Framework 5

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,130
    Blog Entries
    2

    Re: Native Linux support for DoH (DNS over HTTPS)

    People should first know that "Secure DNS" has been around for a fair amount of time (many years) but has been implemented only between DNS servers, and hardly ever or never between a DNS server and a client machine.

    For the last couple of years only, there have been some solutions that close the remaining link between DNS server and client machine (practically any device that isn't a DNS server).


    There was a recent forum thread about configuring Firefox to support encrypted DNS using a browser extension, but IMO this isn't a complete solution since any DNS lookups by the web browser will benefit only the web browser.

    I have been running dnscrypt-proxy for a couple of years now; I might have been one of the earliest users of this app, which encrypts <all> DNS queries, not just those from a web browser. It works by running a tiny DNS proxy server on your machine which knows how to use a special encrypted protocol to connect to special DNS servers which also support that protocol. You point your system name resolver (typically /etc/resolv.conf) to localhost, and then every time anything makes a DNS query it's directed through your dnscrypt proxy, which then submits it to a DNS server using the special encrypted protocol.

    The DNScrypt project (broadly and links to various solutions)
    https://dnscrypt.info/

    dnscrypt-proxy (supports practically any OS)
    https://github.com/jedisct1/dnscrypt-proxy

    dnscrypt-proxy RPM (Didn't exist when I installed)
    https://software.opensuse.org/search...ALL&q=dnscrypt

    I've found dnscrypt-proxy very reliable, almost problem-free.
    Never had a real problem with it, but once in a very long while I might find that, for unknown reasons, the resolver doesn't point to localhost (the DHCP client instead points to a default DNS) or the proxy might be stopped... But any problem is very rare, and requires figuring out what the problem is and simply re-configuring or starting the service.
    And I have not had any problem moving between a multitude of access points, or using commercial VPNs.

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
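    As an added illustration of the two failure modes TSU describes (resolv.conf rewritten by a DHCP client, or the proxy stopped), here is a POSIX shell check; it is not code from the thread or from the dnscrypt-proxy project. It assumes the proxy listens on 127.0.0.1:53 (dnscrypt-proxy's example default) and that iproute2's ss is available; the sample resolv.conf contents used to try it are constructed.

```shell
#!/bin/sh
# Health check for a local encrypting DNS proxy such as dnscrypt-proxy.
# Assumption: the proxy listens on 127.0.0.1:53; override via environment.
PROXY_ADDR="${PROXY_ADDR:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-53}"

# resolv_all_loopback FILE
# Returns 0 only if FILE has at least one "nameserver" line and every one
# of them is a loopback address (127.x.x.x or ::1). A DHCP client that
# rewrites resolv.conf with the router's address is what this catches.
resolv_all_loopback() {
    count=0
    while read -r key value _; do
        [ "$key" = "nameserver" ] || continue
        count=$((count + 1))
        case "$value" in
            127.*|::1) ;;      # loopback: queries go through the proxy
            *) return 1 ;;     # plaintext leak to an external resolver
        esac
    done < "$1"
    [ "$count" -gt 0 ]
}

# proxy_listening
# Returns 0 if a UDP socket is bound on PROXY_ADDR:PROXY_PORT, i.e. the
# proxy process is actually running (uses ss from iproute2).
proxy_listening() {
    ss -Hlun "sport = :$PROXY_PORT" 2>/dev/null | grep -q "$PROXY_ADDR:$PROXY_PORT"
}

# check_local_dns [RESOLV_CONF]
# Runs both checks; non-zero exit when either fails, so it can be run
# from cron or a systemd timer and alert before queries leak.
check_local_dns() {
    rc=0
    resolv="${1:-/etc/resolv.conf}"
    if resolv_all_loopback "$resolv"; then
        echo "ok: $resolv points only at loopback"
    else
        echo "FAIL: $resolv has a non-loopback or no nameserver (DHCP overwrite?)"
        rc=1
    fi
    if proxy_listening; then
        echo "ok: DNS listener bound on $PROXY_ADDR:$PROXY_PORT"
    else
        echo "FAIL: nothing listening on $PROXY_ADDR:$PROXY_PORT (proxy stopped?)"
        rc=1
    fi
    return $rc
}
```

    Run `check_local_dns` with no arguments to inspect the live /etc/resolv.conf, or pass a file path to test against a copy.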

  3. #3
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,004

    Re: Native Linux support for DoH (DNS over HTTPS)

    <insert ISP, company or government here is evil> but Cloudflare is one hundred percent trustworthy and you can just let them have all your information. /s
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  4. #4
    Join Date
    Jan 2009
    Location
    Romania, Bucharest
    Posts
    721

    Re: Native Linux support for DoH (DNS over HTTPS)

    Quote Originally Posted by Miuku:
    <insert ISP, company or government here is evil> but Cloudflare is one hundred percent trustworthy and you can just let them have all your information. /s
    Firstly, Mozilla and Cloudflare are the opposite of Google and Facebook; while companies like them use tech for profit and to do every evil thing possible, those are open-source, community-oriented groups working to help users.

    I was still upset when I heard that the Firefox implementation would rely on Cloudflare... for now: The system will soon become customizable, so that you can set any DoH provider you desire. It's easy to host one yourself from what I understand.

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,130
    Blog Entries
    2

    Re: Native Linux support for DoH (DNS over HTTPS)

    Whatever one may think of Cloudflare, last year it published a series of articles (6?) that, all together, fairly comprehensively (AFAICT) proposed a vastly more secure open Internet than what we have today. IIRC at least 2, maybe 3, of their proposed initiatives required a server-side implementation, and Cloudflare was already providing services for those at no cost to anyone using them.

    I don't know that anyone else has proposed a similar comprehensive plan that would comprehensively affect Internet security based on proposed open standards, so kudos.

    TSU

  6. #6
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,004

    Re: Native Linux support for DoH (DNS over HTTPS)

    Quote Originally Posted by MirceaKitsune:
    Firstly
    Firstly, they are an American company governed by American laws, and in case of national interests they will be gagged and their data confiscated or bugged should agencies deem it important to do so, and there's absolutely jack you can do about it and you'll never even know they've done it.

    Secondly, the only thing that proves they are not collecting vast amounts of data is that they tell you they aren't. Much like Zucker told you they aren't selling it to 3rd parties and Google does no evil. We all know how those turned out.

  7. #7
    Join Date
    Jan 2009
    Location
    Romania, Bucharest
    Posts
    721

    Re: Native Linux support for DoH (DNS over HTTPS)

    Quote Originally Posted by Miuku:
    Firstly, they are an American company governed by American laws, and in case of national interests they will be gagged and their data confiscated or bugged should agencies deem it important to do so, and there's absolutely jack you can do about it and you'll never even know they've done it.

    Secondly, the only thing that proves they are not collecting vast amounts of data is that they tell you they aren't. Much like Zucker told you they aren't selling it to 3rd parties and Google does no evil. We all know how those turned out.
    I only read about this vaguely, but from what I hear Cloudflare is only going to generate a temporary browsing list, meaning they hold your history for only 24 hours to do caching, and also rotate the keys every hour for security.

    Obviously, if they want, they can secretly store your history elsewhere. So far there is no law compelling them to do so, and if they sold it to advertisers word would inevitably come out eventually.

    But like I said, the system is customizable, so people will be able to use any DNS / DoH provider they want. That's the important part: Cloudflare will only be a customizable default.

  8. #8
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,130
    Blog Entries
    2

    Re: Native Linux support for DoH (DNS over HTTPS)

    Use dnscrypt-proxy instead of any browser implementation.
    It can be configured to point to any server you wish, and dnscrypt-proxy also provides a list of recommended resolvers (DNS servers) you can choose from... I suppose if you're ultra paranoid and don't want to trust any server at its word, you can rotate through a list of targets.

    https://dnscrypt.info/public-servers/

    TSU

  9. #9
    Join Date
    Jan 2009
    Location
    Romania, Bucharest
    Posts
    721

    Re: Native Linux support for DoH (DNS over HTTPS)

    Quote Originally Posted by tsu2:
    Use dnscrypt-proxy instead of any browser implementation.
    It can be configured to point to any server you wish, and dnscrypt-proxy also provides a list of recommended resolvers (DNS servers) you can choose from... I suppose if you're ultra paranoid and don't want to trust any server at its word, you can rotate through a list of targets.

    https://dnscrypt.info/public-servers/

    TSU
    So dnscrypt-proxy is the official implementation for this system under Linux? I will install it and possibly give it a try later. Thanks!

  10. #10
    Join Date
    Oct 2011
    Location
    Germany (Ore Mountains)
    Posts
    427

    Re: Native Linux support for DoH (DNS over HTTPS)

    There is also the competing DNS-over-TLS. I'm currently running a combination of stubby and dnsmasq on my Raspi, which works as a validating DNS resolver + cache for my tiny local network.
