Help in DNS over HTTPS

Firmware: 18.06.5

So I installed https-dns-proxy & it's working flawless.
Except on Chrome & Firefox browsers Browsing Experience Security Check test shows:

Secure DNS ✓
DNSSEC ✓
TLS 1.3 ✓
Encrypted SNI ✗

Why Encrypted SNI test failed? & how to resolve it?

P.S. I followed DNS over HTTPS with Dnsmasq and https-dns-proxy documentation.

Ask your browser's vendor.

Works out the box in Firefox.

(I did not attempt to enable DNSSEC.)

I simply enabled it in the configs.

1 Like

First screenshot is for Firefox. I tried that before but it didn't work it still says the same.
Edit: Hold up. Lemme try few settings & I'll update the answer. Thanks for quick reply btw :smiley:

Well I tried & it still doesn't work. Does it have to do with DOH encryption I've been running on router?
Edit: Turns out on my phone, I pass all four tests. That means the issue must have to do with Windows & desktop browsers.

No clue, just enable DoH in Firefox if you want to see a pretty green check box during testing.

I'd upgrade Firefox if you're enabling ESNI and it doesn't work.

The whole system is updated. But it's working perfectly on my phone. Tried different DOH
in network.trr.uri (Google & Quad9) still didn't work. I'll find a problem later & post it here.

There is a hard limit on firefox side. It won't try ESNI until you set DoH on firefox itself.

1 Like

That make sense, given the browser assumes the DNS server is not doing DoH (and thinks it's leaking). Perhaps you should report it as a "bug" in the website's programming to Mozilla?

What does this have to do with OpenWrt?

This is the design.

I did enable DOH in Firefox, Chrome but they ain't working. I tried the same on phone & it did work. So it must have to do with my desktop or Firefox browser itself.

set network.trr.mode to 3 in firefox about:config. what happens?

network.trr.mode=0,1,3,5

Secure DNS ✓
DNSSEC ✓
TLS 1.3 ✓
Encrypted SNI ✗

For network.trr.mode=4 no connection.

Hmm. We’re having trouble finding that site.

For network.trr.mode=2 Everything crumbles. Test buttons don't work.

well you'd better visit firefox forum as ESNI is not a openwrt function, but browser's.

2 Likes

True. I'll take this issue there. Was wondering if it has to do with https_dns_proxy module.

1 Like