this post was submitted on 05 Oct 2023
300 points (98.4% liked)
Firefox
17910 readers
226 users here now
A place to discuss the news and latest developments on the open-source browser Firefox
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It does not. ECH will work without DOH, but anybody listening can just see what site you’re querying from DNS instead of listening to SNI. Combining them is the most private.
Edit: This is wrong, in the sense that Mozilla has chosen to link the ECH setting with your DNS setting, even though they are separate. If you are using a local resolver, even if it is in turn using DoH or DNSCrypt upstream, Firefox won't use ECH and will instead leak SNI information to your ISP. This is disappointing behavior that from another company would seem designed to coax you into a certain direction.
Not necessarily. You could use something like DNSCrypt locally as a resolver which is more private than DoH and this weird combination of the opt-out will hurt you in this case.
How so? I’m using unbound locally for recursive DNS, but I’ll checkout what DNSCrypt adds since it seems like local encrypted DNS to the recursive servers.
Wouldn’t ECH still work with this setup and this setup be more secure since you’re not handing off your DNS requests to some other company?
It would work, except Firefox is configured to not use ECH if it is not using DoH. I updated my original reply after testing it out. Hopefully they update this behavior in the future, it is very user-hostile right now.
Basically DNSCrypt is designed to hide your IP from the DNS server and your DNS query from your ISP. Basically it relays your DNS query via one server which knows your IP but only sees and encrypted version of your query and response and one server which knows your query but not your IP. Obviously you want both servers to be run by two different organizations.