Is it worth installing DNS-over-HTTPS now you can do it with Firefox?

Does OpenWrt send all connections to DoH, or only browser requests, if that made any sense?

If you enable it in Firefox ONLY Firefox will send its DNS requests via DNS-over-HTTPS. Everything else (other applications / other devices / the operating system, ...) will still use plain DNS.

If you configure your OpenWrt router to do DNS-over-HTTPS or DNS-over-TLS, ALL applications / devices in your network using your router as DNS server (unless they have hardcoded DNS settings) will send their DNS requests via DNS-over-HTTPS or DNS-over-TLS.

So if you want to do it properly, do it on your router.

I personally tested DNS-over-TLS with dnsmasq + stubby via Cloudflare for a while. It worked well and is not hard to configure.

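A stubby configuration for the dnsmasq + stubby DNS-over-TLS setup hbr describes, added here as an illustration rather than taken from the post or from the OpenWrt package's shipped defaults. It assumes the OpenWrt stubby package reads /etc/stubby/stubby.yml and uses Cloudflare's resolvers as upstream; it also shows the built-in round-robin over several upstreams that later replies in the thread mention.

```yaml
# /etc/stubby/stubby.yml on the OpenWrt router (constructed example, not the package default)
# Stubby listens only on the loopback interface; dnsmasq forwards LAN queries to it.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # DoT only: no fallback to plain UDP/TCP port 53
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed if the upstream certificate does not match tls_auth_name
tls_query_padding_blocksize: 128    # pad queries so packet sizes reveal less about the name looked up
edns_client_subnet_private: 1       # do not forward the client subnet to the upstream resolver
round_robin_upstreams: 1            # spread queries across all listed upstreams instead of sticking to the first
idle_timeout: 10000                 # keep TLS sessions open (ms) so repeat lookups skip the handshake that adds first-lookup latency
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
```

dnsmasq then needs `option noresolv '1'` and `list server '127.0.0.1#5453'` in its `config dnsmasq` section of /etc/config/dhcp so that it forwards only to stubby and never to the ISP resolvers in /etc/resolv.conf; as hbr notes, devices with hardcoded DNS settings still bypass the router unless their port 53 traffic is also redirected to it.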

Thanks hbr, you say you tested it for a while; are you now using something different, or did you go back to standard DNS? I have seen some complaints previously on Reddit that DoH latency can be a problem.

Thanks

Currently there are some issues with my ISP and IPv6 not working. So I reset my router a while ago and did not configure DNS-over-TLS again to make troubleshooting easier.

Latency with DNS-over-HTTPS or DNS-over-TLS is higher than with just plain DNS, especially on the first lookup. But after names are cached there is no difference anymore, so it didn't bother me that much.

My ISP has also gotten new DNS servers (which do not suck anymore) so I might not bother setting up DNS-over-TLS again, because the gain in terms of privacy is not that big (the DNS provider you are using can still see all your DNS queries, just not your ISP or other third parties).

Security-wise it does help with DNS-related attacks though.

I also would prefer it if support for DNS-over-HTTPS or DNS-over-TLS were in the operating systems / routers by default instead of having to add it via third-party software.

dnsmasq + stubby works well on OpenWrt, but you can still mess up your configuration, and spotting issues is a bit harder.

If you want to try DNS encryption I'd suggest starting with DNS-over-TLS (dnsmasq + stubby). All you need is the stubby package for OpenWrt.

The page on GitHub has all the necessary instructions:


Thanks hbr for the explanation and the link. I must admit I did wonder myself if it's worth it, as you're just moving the requests from one place to another; I live in the UK so it's not like the China internet wall.

I was reading about setting up HTTPS for LuCI and got sidetracked with DoH. :grinning:

Just depends on if you think that your ISP monitors your traffic and DNS requests and sells it to marketing firms and you find that objectionable. Just tracking your DNS traffic is "trivial" and provides a huge amount of commercially valuable insight. I would be very, very surprised if Comcast here (CATV provider) doesn't do just that.

I didn't realize there were so many public servers. Is Cloudflare considered the best in the list above?

Tons of them -- see https://dnsprivacy.org/ for a relatively current and comprehensive list.

"Best" is relative to your own balance between what is important to you, be it tinfoil hat, speed, robustness, or that you just don't like the person behind the company.


https://en.wikipedia.org/wiki/Public_recursive_name_server


I'm surprised that someone with scripting skills hasn't written something that hops around the different servers on each DoH request to reduce the footprint of profiling for corporate marketing.

Though how it would deal with slow, intermittent or dead servers I'm unsure...

https_dns_proxy can run multiple instances and dnsmasq can query multiple sources if you really need it.
Although I do not see the point because the use case of DoH is limited and the responses from different DoH providers may not be the same due to different policies, so it may be less reliable.


Some (probably most) of the recursor apps feature built-in round-robin routines and do not require extra scripting for that purpose. But those apps might not support DoH, only DoT, and there are plenty of public DNS servers providing DoT.

Whether to utilize DoH or DoT or DNScrypt is probably a user (case) preference.


I've come to the conclusion that if Cloudflare is good enough for the Firefox default server then it will be good enough for me, as they must have done some testing.

https://mailarchive.ietf.org/arch/msg/add/nfGlfuze7zxgxZOQBltJT_lBPZA

In terms of worries about queries from citizens of EU countries being sent to servers that are subject to US jurisdiction: we don't have immediate plans to implement DNS-over-HTTPS (DoH) in Firefox outside of North America.

My bad, I didn't mean for that to sound like I was sticking with Firefox.

I meant if Cloudflare is good enough for Firefox then it will be good enough for me on OpenWrt.

It was not meant to discourage or dispute your decision of course, merely highlighting one aspect of DoH with CF. Another one being monopolising DNS services, as outlined in the entire mailing list thread.

Coupled with CF's edge reverse proxy server terminating TLS connectivity (decrypting content) prior to reconnecting to the domain hoster, some might be concerned about putting eggs into one basket that is subject to the legislation where the basket is incorporated.

Certainly comes down to each user's preference(s)/consideration(s)/criteria.


Thanks @anon45274024

Think I'll leave it until I understand it all a bit better and do some reading. :+1:
