Native Linux support for DoH (DNS over HTTPS)

Yesterday I had the pleasure of looking deeper into the upcoming DNS over HTTPS (or DoH). It will ensure that, just like your traffic, the websites you visit can’t be monitored or easily censored by your ISP or any intermediary. It’s a long overdue idea which I’m glad to hear is finally happening.

I wanted to know when the Linux networking system is going to implement native support for the technology as well. In many cases this might not be of great importance, as the home router typically handles those things, whereas DoH will be implemented in web browsers directly. But it would still be interesting to know when we can expect it as a builtin feature that can be used system wide… so that, for instance, system commands like “curl” or “zypper dup” can also benefit from it.

People should first know that “Secure DNS” has been around for a fair amount of time (many years) but has been implemented only between DNS Servers, and hardly or never between a DNS server and a client machine.

Only for the last couple of years have there been some solutions that close the remaining link between DNS Server and client machine (practically any device that isn’t a DNS Server).

There was a recent Forum thread about configuring Firefox to support encrypted DNS using a browser extension.

But IMO this isn’t a complete solution, since any DNS lookups by the Web browser will benefit only the web browser.

I have been running dnscrypt-proxy for a couple of years now; I might have been one of the earliest Users of this app, which encrypts all DNS queries, not just those from a web browser. It works by running a tiny DNS proxy server on your machine which knows how to use a special encrypted protocol to connect to special DNS servers which also support that protocol. You point your system name resolver (typically /etc/resolv.conf) to localhost, and then every time anything makes a DNS query, it’s directed through your dnscrypt proxy, which then submits it to a DNS server using the special encrypted protocol.

The DNScrypt project (broadly and links to various solutions)
https://dnscrypt.info/

dnscrypt-proxy (supports practically any OS)
https://github.com/jedisct1/dnscrypt-proxy

dnscrypt-proxy RPM (Didn’t exist when I installed)
https://software.opensuse.org/search?utf8=✓&baseproject=ALL&q=dnscrypt

I’ve found dnscrypt-proxy very reliable, almost problem-free.
Never had a real problem with it, but once in a very long while I might find, for unknown reasons, that the resolver doesn’t point to localhost (the DHCP client instead points to a default DNS) or that the proxy has stopped… But any problem is very rare, and it simply requires figuring out what the problem is and re-configuring or restarting the service.
And, have not had any problem moving between a multitude of access points, and using commercial VPNs.

HTH,
TSU
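The failure mode TSU mentions (a DHCP client quietly rewriting /etc/resolv.conf so queries go to the ISP resolver in plaintext) is easy to check for. The following script is an added example, not code from the thread or from the dnscrypt-proxy project: it parses a resolv.conf-style file, reports any nameserver that is not a loopback address, and optionally asks systemd whether the proxy unit is running. The default path /etc/resolv.conf and the unit name dnscrypt-proxy.service are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread). Verifies that the system
# resolver can only reach the local encrypted DNS proxy, so no query
# bypasses it in plaintext. Paths and the unit name are assumptions.

# Print the nameserver addresses from a resolv.conf-style file,
# ignoring comment lines (# or ;) and other directives (search, options).
resolv_nameservers() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        $1 == "nameserver" && NF >= 2 { print $2 }
    ' "$1"
}

# Return 0 if every nameserver is loopback (127.0.0.0/8 or ::1),
# 1 if any non-loopback resolver is present (e.g. a DHCP client rewrote
# the file), 2 if the file has no nameserver line at all.
resolv_is_local_only() {
    count=0
    leaks=0
    for ns in $(resolv_nameservers "$1"); do
        count=$((count + 1))
        case "$ns" in
            127.*|::1) ;;
            *)
                leaks=$((leaks + 1))
                printf 'non-loopback resolver: %s\n' "$ns" >&2
                ;;
        esac
    done
    [ "$count" -eq 0 ] && return 2
    [ "$leaks" -eq 0 ]
}

# Check the running system. Assumes systemd; the unit name is a guess and
# should be changed to match the distribution's package (stubby.service etc.).
# Usage: check_system [/etc/resolv.conf] [dnscrypt-proxy.service]
check_system() {
    conf="${1:-/etc/resolv.conf}"
    svc="${2:-dnscrypt-proxy.service}"
    if resolv_is_local_only "$conf"; then
        echo "ok: $conf uses only loopback resolvers"
    else
        echo "WARNING: $conf has been changed; queries may bypass the proxy" >&2
    fi
    if command -v systemctl >/dev/null 2>&1; then
        if systemctl is-active --quiet "$svc"; then
            echo "ok: $svc is running"
        else
            echo "WARNING: $svc is not active" >&2
        fi
    fi
}
```

Run check_system from a cron job or a NetworkManager dispatcher hook so that a rewritten resolv.conf is noticed right after a network change rather than weeks later. A live confirmation that the proxy actually answers (for example `dig @127.0.0.1 example.com`) is a useful third step but needs network access, so it is left out of the script.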

<insert ISP, company or government here is evil> but Cloudflare is one hundred percent trustworthy and you can just let them have all your information. /s

Firstly, Mozilla and Cloudflare are the opposite of Google and Facebook; while companies like those use tech for profit and to do every evil thing possible, these are open-source, community-oriented groups working to help users.

I was still upset when I heard that the Firefox implementation would rely on Cloudflare… for now: The system will soon become customizable, so that you can set any DoH provider you desire. It’s easy to host one yourself from what I understand.

Whatever one may think of Cloudflare, last year it published a series of articles (6 ?) that fairly comprehensively (AFAICT) all together proposed a vastly more secure open Internet than what we have today. IIRC at least 2, maybe 3 of their proposed initiatives required a Server-side implementation, and Cloudflare was already providing services for those at no cost to anyone using them.

I don’t know that anyone else has proposed a similar comprehensive plan that would comprehensively affect Internet security based on proposed open standards, so kudos.

TSU

Firstly, they are an American company governed by American laws and in case of national interests, they will be gagged and their data confiscated or bugged should agencies deem important to do so and there’s absolutely jack you can do about it and you’ll never even know they’ve done it.

Secondly, the only thing that proves they are not collecting vast amounts of data is that they tell you they aren’t. Much like Zucker told you they aren’t selling it to 3rd parties and Google does no evil. We all know how those turned out.

I only read about this vaguely, but from what I hear Cloudflare is only going to generate a temporary browsing list. Meaning they hold your history for only 24 hours to do caching, and also rotate the keys every 1 hour for security.

Obviously, if they want, they can secretly store your history elsewhere. So far there is no law compelling them to do so, and if they sold it to advertisers word would inevitably come out eventually.

But like I said the system is customizable, so people will be able to use any DNS / DoH provider they want. That’s the important part: Cloudflare will only be a customizable default.

Use dnscrypt-proxy instead of any browser implementation.
It can be configured to point to any server you wish, and dnscrypt-proxy also provides a list of recommended resolvers (DNS servers) you can choose from… I suppose if you’re ultra paranoid and don’t want to trust any server at its word, you can rotate through a list of targets.

https://dnscrypt.info/public-servers/

TSU

So dnscrypt-proxy is the official implementation for this system under Linux? Will install it and possibly give it a try later. Thanks!

There is also the competing DNS-over-TLS. I’m currently running a combination of stubby and dnsmasq on my Raspi, that works as a validating DNS resolver + cache for my tiny local network.

I think I heard about that briefly, but I can’t find “dns-over-tls” or “dns-over-https” on https://software.opensuse.org - Is it available anywhere in the system packages?

Can’t find it either.
There might be a license issue: getdns/LICENSE at develop · getdnsapi/getdns · GitHub
This does not look like any standard open source license to me, even though it seems to allow at least redistribution. But I’m no expert in that field.

In the meantime I found an “experimental” package “stubby” in the “server:dns” repository.
The package search on the download site doesn’t show it on the first attempt.

It can be considered today the de facto choice for people running any OS… there are versions and support for not just Linux, but also BSD, MSWindows, MacOS, Android… maybe more.

And, take a look at your choice of DNS Servers; some will also provide some anti-malware and anti-advertising filtering, although I wouldn’t rely on just DNS to manage those types of malware. But it’s nice to have that extra line of defense.

TSU