DNS over HTTPS #1864
Comments
|
There is a flag to enable DoH on Bromite: https://github.com/bromite/bromite/blob/ac44ac738f31a336a00880bdb20a321f04f62c89/patches/BRM061_Add-a-flag-for-DNS-over-HTTPS.patch (note: GPLv3 licensed). |
|
Cloudflare also offers a Tor hidden service for their DoH resolver: https://blog.cloudflare.com/welcome-hidden-resolver/ |
|
I tested the latest Bromite patch in fmarier/brave-core@fab95d9 and noticed that the DoH stack in Chrome actually falls back to the OS-provided DNS server when the DoH server fails, which was confirmed by Do we want to ship this as-is or do we want to ensure that requests are only done via the DoH provider when a user configures it like that? /cc @diracdeltas |
|
IMO, in the worst case, if the DoH is doing what systemd DoT does, it still increases redundancy in the resolving method but it would still be better to know the situation: whether Chrome's DoH does the parallel lookup or not. |
|
Nice find @fmarier. Seem that it would be best to offer the user an option of whether they want to fallback to the system DNS (assuming it's falling back, not doing lookups in parallel). If it is doing lookups in parallel, we could clearly communicate it as opportunistic DOH in the UI so people are not surprised by the leaks. cc @tomlowenthal for thoughts |
|
IMO, the default we should be aiming for is DoH without any local resolver use. We should ensure that there are no local leaks. But there should be an easy switch to move to a local resolver instead. Opportunistic DoH feels like the worst of both worlds. |
|
Why DoH, not DoT? DoH is better? This is my general question about encrypted DNS service. |
|
There's a small minority of people for whom running Tor can be a hazardous proposition, so we're not planning to default to that. DoHoT makes sense when using private windows with Tor, though. |
|
So will Brave have DoH or DoT? If yes, which version? |
|
My plan is to implement DoH for general browsing, and DoHoT for private windows with Tor and other backend services if someone flips the "Use Tor for background connections." switch. But that's only a plan so far — we haven't started implementing and things can change based on the technical realities. |
I actually noticed this some time ago in the Chromium codebase and played around a bit trying to disable it or make it an option, without success; looks like somebody else upstream was aware too because there is now this patch available: https://chromium.googlesource.com/chromium/src/+/c7bed520a42ee26aa3be1da89aad737bb54c0fab Starting from Bromite
@fmarier no, from my interpretation of the retry loops (see All of this is thankfully no more relevant with the secure mode enabled by default. |
|
Thanks for the extra pointers @csagan5. Noting that the patch landed in chromium 74.0.3705.0. |
|
This is the tiny patch I wrote to enable secure mode by default (to be used after the upstream patch previously mentioned): It will be used in Bromite until there is either a |
|
This might be relevant too: https://www.chromium.org/administrators/policy-list-3#BuiltInDnsClientEnabled |
According to this Chromium blog post, support for Android and Linux is coming soon. |
|
@fmarier thanks :) |
This is needed because the Mac build machines use these OS
resolvers:
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 1.1.1.1
nameserver 1.0.0.1
…rs-1864 Whitelist DoH servers in the network auditor (brave/brave-browser#1864)
This is needed because the Mac build machines use these OS
resolvers:
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 1.1.1.1
nameserver 1.0.0.1
…rs-1864 Whitelist DoH servers in the network auditor (brave/brave-browser#1864)
Test plan
See brave/brave-core#4314
Description
DoH is gaining traction:
https://chromium.googlesource.com/chromium/src.git/+/786929ad1cfbc97962ff5672e2469460ff535f41
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
Consider enabling DoH for Brave.
The text was updated successfully, but these errors were encountered: