DoT vs. DoH


Authority

Senior Member
I understand why RMerlin doesn't like DoH as a network admin. I also understand why Google and Firefox use DoH, not because it's better, but simply because a browser can't use DoT.

What I didn't realize was that DoT has lower latency, making me rethink using DoH. I wonder why NextDNS chose DoH for their CLI client?

This was very informative. https://www.dnsfilter.com/blog/dns-over-tls/
 

SomeWhereOverTheRainBow

Very Senior Member
NextDNS chose DoH because of how they designed their infrastructure. Their infrastructure poorly favors DoT, while highly favoring DoH connections. (It is because of a biased implementation.)
 

Smokey613

Senior Member
I need some clarification, does the NextDNS Merlin client use DoH only or does it also use DoT?
 

Smokey613

Senior Member
NM, found my answer.

 

Smokey613

Senior Member
Would the NDNS client bypass an ISP’s attempt to intercept and redirect DNS queries?
 

SomeWhereOverTheRainBow

Very Senior Member
Would the NDNS client bypass an ISP’s attempt to intercept and redirect DNS queries?
Most likely, because the ISP will not be able to manipulate or know where the DNS traffic is mixed up in all that HTTPS muck. The risk comes from who sees your traffic on the inside of that HTTPS muck. Your ISP still knows what you are doing though.
 

Smokey613

Senior Member
Most likely, because the ISP will not be able to manipulate or know where the DNS traffic is mixed up in all that HTTPS muck. The risk comes from who sees your traffic on the inside of that HTTPS muck. Your ISP still knows what you are doing though.
I am thinking of installing it on a neighbor's AC86U to solve the aforementioned ISP DNS issue. I already installed Merlin on it.
 

SomeWhereOverTheRainBow

Very Senior Member
If you encrypt your SNI, you would be looking at different circumstances, because it would become hard for the ISP to know what is going on, but they still have their ways, such as reverse lookups on the IP addresses of sites you visit.
 

RMerlin

Asuswrt-Merlin dev
Encrypted SNI is a fairly new technology that isn't really widespread yet.
 

SomeWhereOverTheRainBow

Very Senior Member
Encrypted SNI is a fairly new technology that isn't really widespread yet.
Hasn’t Cloudflare been encrypting SNI since 2018?
An experimental implementation using Firefox + dnscrypt-proxy 2's built-in DoH server features uses ESNI, which takes advantage of an obsolete version of ECH (Encrypted ClientHello), a TLS extension to hide the server name in TLS (including HTTPS) connections.
Instructions on setting it up are on their wiki as follows.
This is not a full encryption though since only limited sites support it (i.e. sites running on cloudflare servers.)
 

RMerlin

Asuswrt-Merlin dev
Hasn’t Cloudflare been encrypting SNI since 2018?
You need it supported at both ends, both the server and the browser. On the server side it's almost never supported because it's not supported yet by the most commonly used TLS stack (OpenSSL).

Client-wise, I believe Firefox is the only one that supports it, and again at a beta stage.

I believe the protocol is still at a draft stage.
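The exchange above (the ISP can still do reverse lookups on IPs, and ESNI/ECH needs support at both ends) is about what sits in the clear in the TLS ClientHello. The example below is added here and is not code from the thread or from any of the projects mentioned; the hostnames are constructed samples. It assembles a minimal ClientHello with (or without) a server_name extension and then parses the SNI back out of the raw bytes, which is exactly what a passive observer, or your own firewall or IDS, can read today without any key material. With ECH, that same cleartext slot carries only the provider's public name and the real hostname moves inside the encrypted inner ClientHello, which is why both the server's TLS stack and the browser have to implement it before it changes anything.

```python
import secrets
from typing import Optional

# Constructed example; the hostnames passed in are sample values, not captured traffic.


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Assemble a minimal TLS 1.3-style ClientHello record as constructed test input.
    The server_name (SNI) extension is included only when server_name is given."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host           # name_type 0 = host_name
        name_list = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(name_list).to_bytes(2, "big") + name_list  # ext type 0 = server_name
    versions = b"\x02\x03\x04"                                          # supported_versions: TLS 1.3
    exts += b"\x00\x2b" + len(versions).to_bytes(2, "big") + versions
    cipher_suites = b"\x13\x01\x13\x02"                                 # AES-128-GCM, AES-256-GCM
    body = (
        b"\x03\x03"                                    # legacy_version
        + secrets.token_bytes(32)                      # client random
        + b"\x00"                                      # empty legacy_session_id
        + len(cipher_suites).to_bytes(2, "big") + cipher_suites
        + b"\x01\x00"                                  # one compression method: null
        + len(exts).to_bytes(2, "big") + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record type handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello record,
    or None when the record is not a ClientHello, is truncated, or carries no SNI.
    Only cleartext bytes are read, so this is what any on-path observer sees."""
    try:
        if record[0] != 0x16:                                # not a handshake record
            return None
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                    # not client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                         # skip legacy_version and random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos + 2 > len(body):
            return None                                      # no extensions block at all
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue
            list_end = 2 + int.from_bytes(data[0:2], "big")
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = int.from_bytes(data[p + 1:p + 3], "big")
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello(None)))            # None
```

The same parser is what SNI-based filtering on a router or IDS relies on, so it doubles as a check of what your own network can still see once DNS is encrypted: the resolver query is hidden, but the destination hostname leaks again in the ClientHello until ECH is deployed on both sides, and the destination IP leaks regardless.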
 

heysoundude

Very Senior Member
As an unbound user, I'd like to know if the auth DNS servers it goes to when a URL isn't found in the cache are DoT capable, and how to verify that, or point my rDNS to those that are in preference to those that aren't; the setup at my DNS shouldn't be insurmountable, and it would likely be the best of both worlds: anything that goes out is encrypted, just as anything that comes in should be. (These security/privacy issues are fascinating.) I'm going to pop over to the unbound thread and ask the big brains there...
 
