DoT vs. DoH

Authority

Senior Member
I understand why RMerlin doesn't like DoH as a network admin. I also understand why Google and Firefox use DoH, not because it's better, but simply because a browser can't use DoT.

What I didn't realize was that DoT was lower latency, making me rethink using DoH. I wonder why NextDNS chose DoH for their CLI client?

This was very informative. https://www.dnsfilter.com/blog/dns-over-tls/
 
NextDNS chose DoH because of how they designed their infrastructure. Their infrastructure poorly favors DoT, while highly favoring DoH connections. (It is because of a biased implementation.)
 
I need some clarification, does the NextDNS Merlin client use DoH only or does it also use DoT?
 
NM, found my answer.

 
Would the NDNS client bypass an ISP’s attempt to intercept and redirect DNS queries?
 
Would the NDNS client bypass an ISP’s attempt to intercept and redirect DNS queries?
Most likely, because the ISP will not be able to manipulate or know where the DNS traffic is, mixed up in all that HTTPS muck. The risk comes from who sees your traffic on the inside of that HTTPS muck. Your ISP still knows what you are doing though.
 
Most likely, because the ISP will not be able to manipulate or know where the DNS traffic is, mixed up in all that HTTPS muck. The risk comes from who sees your traffic on the inside of that HTTPS muck. Your ISP still knows what you are doing though.
I am thinking of installing it on a neighbor's AC86U to solve the aforementioned ISP DNS issue. I already installed Merlin on it.
 
If you encrypt your SNI, you would be looking at different circumstances because it would become hard for the ISP to know what is going on, but they still have their ways, such as reverse lookups on the IP addresses of sites you visit.
 
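The point above about the ISP still knowing what you are doing, even with encrypted DNS, is easiest to see on the wire: without ESNI/ECH the hostname rides in the clear in the TLS ClientHello. The script below is an added example, not code from this thread or from any project mentioned in it. It builds a minimal ClientHello carrying the server_name extension (every byte is constructed in the script, the random is all zeros and "example.com" is a placeholder name) and then parses that record the way a passive observer on the path, or an IDS logging SNI, would, pulling the hostname out of the plaintext. The same parser returns None when the extension is absent or the bytes are not a ClientHello, which is the behaviour a detection tool needs on malformed input.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000                # server_name extension type (RFC 6066)
SUPPORTED_VERSIONS_EXT = 0x002B # supported_versions extension type (RFC 8446)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS ClientHello record; server_name=None omits the SNI extension."""
    versions = b"\x02\x03\x04"                                   # supported_versions: TLS 1.3 only
    exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(versions)) + versions
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)                  # legacy_version TLS 1.2 + constructed all-zero random
        + b"\x00"                                # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                           # not a TLS handshake record
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:
            return None                                           # not a ClientHello
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                              # skip legacy_version and random
        pos += 1 + hello[pos]                                     # skip session id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2 + cs_len                                         # skip cipher suites
        pos += 1 + hello[pos]                                     # skip compression methods
        if pos + 2 > len(hello):
            return None                                           # no extensions block at all
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if ext_type != SNI_EXT:
                continue                                          # unrelated extension, skip it
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:                          # walk the ServerNameList
                name_type = data[p]
                (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
                if name_type == 0:
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                               # truncated or garbage input


if __name__ == "__main__":
    for name in ("example.com", None):      # placeholder hostname, not a real site
        hello = build_client_hello(name)
        print(f"{len(hello)} bytes on the wire, observer sees SNI = {extract_sni(hello)!r}")
```

The parser deliberately walks past unrelated extensions (the constructed hello puts supported_versions first) so it works on real captures where SNI is rarely the first extension; feeding it the first bytes of any HTTPS connection from a pcap shows exactly what DoH/DoT does not hide.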
Encrypted SNI is a fairly new technology that isn't really widespread yet.
 
Encrypted SNI is a fairly new technology that isn't really widespread yet.

Hasn’t Cloudflare been encrypting SNI since 2018?
An experimental implementation using Firefox + Dnscrypt-proxy2's built-in DoH server features uses ESNI, which takes advantage of an obsolete version of ECH (Encrypted ClientHello), a TLS extension to hide the server name in TLS (including HTTPS) connections.
Instructions on setting it up are on their wiki as follows.
This is not full encryption, though, since only limited sites support it (i.e., sites running on Cloudflare servers).
 
Hasn’t Cloudflare been encrypting SNI since 2018?

You need it supported at both ends, both the server and the browser. On the server side it's almost never supported because it's not supported yet by the most commonly used TLS stack (OpenSSL).

Client-wise, I believe Firefox is the only one that supports it, and again at a beta stage.

I believe the protocol is still at a draft stage.
 
As an unbound user, I'd like to know if the auth DNS servers it goes to when a URL isn't found in the cache are DoT capable, and how to verify that, or point my rDNS to those that are in preference to those that aren't; the setup at my DNS shouldn't be insurmountable, and it would likely be the best of both worlds - anything that goes out is encrypted, just as anything that comes in should be. (These security/privacy issues are fascinating.) I'm going to pop over to the unbound thread and ask the big brains there...
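For the "how to verify that" part of the question above, the script below is an added example, not code from this thread or from the unbound project. It speaks DoT directly: it builds a DNS query in wire format, opens a TLS session to port 853 on whatever server you name (the hostname or IP is a command-line argument, "example.com" is a placeholder query name), sends the query with the 2-byte length prefix that DNS-over-TCP and DoT use, and parses the reply. A server that does not offer DoT simply fails the connect or the TLS handshake, which is the test result. The certificate is verified against the system CA bundle, so a server given by IP must present a certificate with a matching IP SAN, as the public DoT resolvers do. The wire-format builder and parser run offline against a constructed sample reply so they can be checked without any network.

```python
import socket
import ssl
import struct
import sys


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query in RFC 1035 wire format: 12-byte header (RD set) plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, pos: int) -> int:
    """Offset just past a domain name, honouring the 2-byte compression pointer form."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2                      # pointer ends the name
        if length == 0:
            return pos + 1                      # root label ends the name
        pos += 1 + length


def parse_dns_response(msg: bytes) -> dict:
    """Return txid, rcode and the answer RRs (A records as dotted quads, others as type:hex)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
        else:
            answers.append(f"type{rtype}:{rdata.hex()}")
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_dot(host: str, port: int = 853, name: str = "example.com", timeout: float = 5.0) -> dict:
    """One DoT exchange: TLS to host:port, length-prefixed query, length-prefixed reply."""
    ctx = ssl.create_default_context()          # verifies the server certificate (hostname or IP SAN)
    query = build_dns_query(name)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_dns_response(_recv_exact(tls, length))
            result.update(tls_version=tls.version(), cipher=tls.cipher()[0])
            return result


# Constructed sample reply: example.com A 192.0.2.1 (TEST-NET address), name compressed to the question
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print("offline sample decode:", parse_dns_response(SAMPLE_RESPONSE))
    if len(sys.argv) > 1:
        try:
            print(probe_dot(sys.argv[1], name=sys.argv[2] if len(sys.argv) > 2 else "example.com"))
        except (OSError, ssl.SSLError) as exc:
            print(f"no usable DoT service on {sys.argv[1]}:853 -> {exc}")
```

Run it with a resolver hostname or IP as the first argument and it prints either the decoded answer with the negotiated TLS version and cipher, or the reason the DoT attempt failed. Note the practical limit for the unbound question: unbound's own DoT support covers forwarders (forward-tls-upstream with a tls-cert-bundle), while the queries it sends directly to authoritative servers during recursion go out on plain port 53, so a server that passes this probe only helps if unbound is configured to forward to it.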
 
