A lot of people are curious and worried about Mozilla and Cloudflare's new toy, DNS-over-HTTPS. But how bad is it? :blobcatthinking: blog.xerz.one/how-to-doh/

Β· Web Β· 3 Β· 4 Β· 9

Yes, this is my actual first blog post in more than a year, and my first computing blog post since forever! Please give me all of the constructive feedback you can, I'll be very thankful! :blobpray:

Oops, right, last night I realized I need to amend the DoH article :blobderpy:

For full privacy you need a static IP address for the DoH provider *and* set network.trr.mode to 3 (otherwise, it will do fallback, which not only leaks your traffic again, but it will likely not take advantage of things like DNSSEC... and if you don't use a static IP, it WILL fallback)

That said, I think I'm going to enable Cloudflare via (because @applied_privacy didn't set their SSL certificate with a static IP), which while may leak to OπŸ…±οΈama still hides my traffic from everyone else, and then I could setup my own DoH server

Apparently DNSCrypt is set by default with Cloudflare via

huh that's neat


but why

(mind you, I'm using dnscrypt-proxy instead of Firefox settings)

Made a few updates to the DNS-over-HTTPS article! Still where it used to be! blog.xerz.one/how-to-doh/

@rick_777 Anything you think I messed up with or was too boring? Reasons why you may think you wouldn't share it to others? :blobcatthinking:

Hmmm.... :blobcatthinking:

I think it lacks a lot of structure; it was somewhat hard to follow, like a plate of spaghetti. The narrative and technical parts were mixed, which made it hard for me to make sense of it. This adds unnecessary complexity to your article and instead of helping the reader you confuse them. The good news is that with a couple of hours of rewriting you can turn it into something much better and easily digestible.
@espectalll - 1/4

Start simple: one or two paragraphs explaining the gist of your article - what, why, how-, and later go into detail (maybe an index after the intro would help).

Number your sections. The first section should explain the narrative - political - part, as a longer intro.

The next section should explain thoroughly where we are and how we got here. (remember: numbered and with a one-liner title).

The next section should explain the where we want to go - our go @espectalll - 2/4

l and what we can do about it. If it's too complicated, divide it in two, again explaining what we have, and ONLY THEN you share the simpler steps telling us (finally!) how to configure our Firefox the way we want it.

If it's still too complicated, use a numbering hierarchy, like 1.1, 1.2, and so on.

After you finish explaining what the user needs to do, you finish with a summary, as in a recipe. (which you can link to from the intro for the lady)

After you'r @espectalll - 3/4

done with the recipe, write a small conclusion and say good bye to the readers in a friendly and maybe even humorous fashion.

Ta-da! :blobwizard: @espectalll - 4/4

errata: for the lady -> for the reader (swypo, sorry :blobsmilesweat: )

@rick_777 For the structure part, I did intro-instructions-context-details-outro, which should be cleanly organized.

I wanted to put the instructions at the beginning because I thought it would be more useful if I first give them away and then explain the reasoning behind them - that's for sure how I get it best in both passive reading and studying, in my experience.

As for everything else, I thought it was clean enough but since the numbers seem to show that's not the case I'll recheck.


boosted and favorited, cuz I'm still having "issues" with my DNS "in general" that I need to narrow down.

in short: pi-hole -> cloudflared (service) -> quad9 doh as upstream provider.

problem: DNS leak test resolves to WoodyNet in the US and the VPN. Even if my VPN is running to the EU.

I'm confused.

@Xian Is that your region and ISP? If so it could be your Pi-Hole leaking it?


No, don't think so. I didn't have this problem until after the whole Mozilla DoH rollout. It's got me confused. I think I may have borked something while sleep deprived.

Further digging, looks like Woodynet is a backbone provider for Quad9, so at least that explains something.

Now to find the leaky bits.

@espectalll I would like to add DoH support to the Android DNS resolver, if I could carve out some time for it.

It's not a priority because Android already has DoT, but I suspect DoH with HTTP3 (QUIC) would offer better latency and resilience to packet drops.

@codewiz DoH is already based on HTTP/2, so it's very decent so far, but I can imagine HTTP/3 using UDP will at the very least be noticeably better with latency

@angristan Aaaaa, thanks!!! I still need to make some amendments though due to OCSP, server IP leaking and Firefox's TRR fallback :blobuwu:

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!