Chris Hall bio photo

Chris Hall

Principal Technical Consultant

PolarCloudsUK Chris LinkedIn Github
Chris Hall Nutanix Certified Master - Multicloud Infrastructure 6 Chris Hall VMware vExpert 2024 Chris Hall VMware vExpert NSX 2023 Chris Hall Nutanix Certified Professional - Multicloud Infrastructure 6 Chris Hall Nutanix Certified Professional - Unified Storage 6 Chris Hall VMware vExpert 2023 Chris Hall VMware vExpert 2022

Why I was For, Against, then For Browser DNS over HTTPS

DoH Nut Last time we looked at enabling Pi-hole to keep internet bourne garbage (adverts, ransomware, crypo-miners, internet tracking, malware, etc) off of all devices connected to our network. As a privacy bonus we also enabled DNS over HTTPS (DoH) for internet bound DNS traffic from/to our network.

Check out Pi-hole plus DNS over HTTPS for the full how to.

Since then, DoH has exploded. For example:

  • Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month - The Register
  • Google experiments with DNS-over-HTTPS in Chrome - Naked Security
  • Experimenting with same-provider DNS-over-HTTPS upgrade - Chromium Blog
  • Rolling in DoH: Chrome 78 to experiment with DNS-over-HTTPS – hot on the heels of Firefox - The Register
  • Firefox DNS-over-HTTPS - Mozilla Support

Plus many others

For

My first reactions were:
Excellent!
More privacy for all!
Brilliant!
:thumbsup: :sunglasses: :thumbsup: Happy days!

Against

I then thought some more…
My browser is now using it’s own DNS server… separate to my internet garbage blocking Pi-hole DNS server (or any DNS based blocking service)…
That means all previously blocked internet garbage will return!

:thumbsdown: :cold_sweat: :thumbsdown: Oh “balls”, that’s not good!

For …Again!

After a little bit more reading, it appears that this concern was shared by others too.

Luckily Mozilla are ahead of the game. Essentially, their idea is to build into Firefox a check where by the browser will query DNS for a certain “canary” domain. The result returned from DNS will govern whether the browser switches to from standard (non-DoH) DNS to DoH or not.

The logic is as follows. First the browser makes the query to standard (non https) DNS for use-application-dns.net. Standard DNS will then return one of the following:

Standard DNS Return Browser Action
A or AAAA records Enable DNS over HTTPS Functionality
(valid IP addresses) (bypassing standard DNS)
NXDOMAIN or SERVFAIL Disable DNS over HTTPS Functionality
(unable to find valid IP addresses) (continue to use standard DNS)
   

Therefore to continue using Pi-hole to block internet garbage, pi-hole must return NXDOMAIN or SERVFAIL when queried for use-application-dns.net.

What’s more is that those top, top Pi-hole developers have already merged a fix to make this happen. Further discussion on this change is available on a pi-hole discourse thread.

Google’s suggested implementation is way more complex. I confess to not reading the whole document (it’s 22 pages long!), however the issue is being thought about at least. As with all suggestions, Google’s implementation may change in the future…

Microsoft Edge supporting DoH? The silence is deafening :no_mouth:

Fun times!

-Chris