Help in DNS over HTTPS

Firmware: 18.06.5

So I installed https-dns-proxy & it's working flawlessly.
Except on Chrome & Firefox browsers, the Browsing Experience Security Check test shows:

Secure DNS ✓
DNSSEC ✓
TLS 1.3 ✓
Encrypted SNI ✗

Why did the Encrypted SNI test fail, & how do I resolve it?

P.S. I followed DNS over HTTPS with Dnsmasq and https-dns-proxy documentation.

Ask your browser's vendor.

Works out of the box in Firefox.

(I did not attempt to enable DNSSEC.)

I simply enabled it in the configs.

The first screenshot is for Firefox. I tried that before but it didn't work; it still says the same.
Edit: Hold up. Lemme try a few settings & I'll update the answer. Thanks for the quick reply btw :smiley:

Well I tried & it still doesn't work. Does it have to do with DOH encryption I've been running on router?
Edit: Turns out on my phone, I pass all four tests. That means the issue must have to do with Windows & desktop browsers.

No clue, just enable DoH in Firefox if you want to see a pretty green check box during testing.

I'd upgrade Firefox if you're enabling ESNI and it doesn't work.

The whole system is updated. But it's working perfectly on my phone. Tried different DOH in network.trr.uri (Google & Quad9), still didn't work. I'll find a problem later & post it here.

There is a hard limit on the Firefox side. It won't try ESNI until you set DoH in Firefox itself.

That makes sense, given the browser assumes the DNS server is not doing DoH (and thinks it's leaking). Perhaps you should report it as a "bug" in the website's programming to Mozilla?

What does this have to do with OpenWrt?

This is the design.

I did enable DOH in Firefox, Chrome but they ain't working. I tried the same on phone & it did work. So it must have to do with my desktop or Firefox browser itself.

Set network.trr.mode to 3 in Firefox about:config. What happens?

network.trr.mode=0,1,3,5

Secure DNS ✓
DNSSEC ✓
TLS 1.3 ✓
Encrypted SNI ✗

For network.trr.mode=4 no connection.

Hmm. We’re having trouble finding that site.

For network.trr.mode=2 everything crumbles. Test buttons don't work.

Well, you'd better visit the Firefox forum, as ESNI is not an OpenWrt function, but the browser's.

True. I'll take this issue there. Was wondering if it has to do with https_dns_proxy module.
