DNS Privacy Revisited

DNS desktop settings / DNS Resolvers

Testing the DNS Performance

DNS Benchmark Tool: Want a Faster Internet?

Local DNS Proxy Server

Probably the best option right now is CoreDNS with an ad-blocking plugin. CoreDNS is a DNS server/forwarder that chains plugins; on Windows it can be installed with scoop install coredns

MaraDNS is a small, very actively developed open-source DNS server.

jedisct1/dnscrypt-proxy: dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. The best and most secure one! GUI for it: Simple DNSCrypt, which also installs dnscrypt-proxy. See also: Cloaking · jedisct1/dnscrypt-proxy Wiki

DNSAgent was a “hosts file replacement” but is abandoned and now recommends CoreDNS instead.
z3APA3A/3proxy: 3proxy - tiny free proxy server
How to resolve all .dev domains to localhost on Windows - Server Fault

Technitium DNS Server | An Open Source Tool For Privacy & Security

DNS Server (and Related) Software for Unix


DNS-over-HTTPS (DoH) vs DNS-over-TLS (DoT) vs DNSCrypt

This is an important distinction because it affects what port is used. DNS over TLS has its own port, Port 853. DNS over HTTPS uses Port 443, which is the standard port for HTTPS traffic.

Therefore I will use DNS over HTTPS (DoH).

DNS over TLS: the request itself, both its content and the response, is encrypted. An observer cannot see what was requested, but because of the dedicated port 853 they can tell you are using DNS over TLS.

On the other hand, DNS-over-HTTPS is an ugly hack that camouflages DNS queries as ordinary web traffic on port 443 to get them past redirecting proxies (such as many telcos use), protocol filters and so forth.
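As an added example (not code from the original page or from any of the projects linked here), the following Python builds the RFC 1035 wire-format query that plain DNS, DoT and DoH all carry, shows how DoT frames it (2-byte length prefix, port 853) versus how DoH encodes it (base64url in a ?dns= GET parameter or an application/dns-message POST body, port 443), and parses a constructed response. The query name, transaction id and answer address are constructed sample values; no network traffic is sent.

```python
"""Added example: the same DNS message, as carried by DoT and by DoH.

Everything below is constructed for the demo; the query name, the
transaction id and the answer address are not taken from the page.
"""
import base64
import struct


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels: length-prefixed, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header + one question (class IN).
    RFC 8484 recommends transaction id 0 so identical DoH queries are cacheable."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_param(query: bytes) -> str:
    """RFC 8484 GET form: base64url without padding, sent as ?dns=<value>.
    The POST form sends the raw bytes as the body instead."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 (DoT) and DNS over TCP prefix the message with a 2-byte length."""
    return struct.pack("!H", len(query)) + query


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg: bytes):
    """Return [(name, ttl, ipv4), ...] from the answer section of a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed sample exchange. The response is what a DoH server would return
# in the body of an HTTP 200 with Content-Type: application/dns-message.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # response, RD+RA, NOERROR
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                   # pointer to the name at offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4)
    + bytes([192, 0, 2, 1])                          # constructed TEST-NET-1 address
)

if __name__ == "__main__":
    print("DoH GET : https://<resolver>/dns-query?dns=" + doh_get_param(SAMPLE_QUERY))
    print("DoH POST: %d-byte application/dns-message body" % len(SAMPLE_QUERY))
    print("DoT     : %s (2-byte length prefix, port 853)" % dot_frame(SAMPLE_QUERY).hex())
    print("Answers :", parse_a_answers(SAMPLE_RESPONSE))
```

The point of the demo is that the resolver sees exactly the same message either way; only the transport differs, and only the DoT transport is recognisable from its port.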

Chrome: DNS over HTTPS Coming to Chrome - Chrome Story
Firefox: How to enable DNS-over-HTTPS (DoH) in Firefox | ZDNet
Windows: see dnscrypt-proxy

Fix Windows 10

These registry keys had no effect on my Windows 10; what worked was the Group Policy change described below.

For Windows 10, you can use “Local Policies” to deactivate the feature. Follow the steps below to do this:

1. Press WIN+R and write gpedit.msc
2. Expand Administrative templates
3. Expand Network
4. Click DNS-client
5. Double-click “Turn off smart multi-homed name resolution”
6. Check the box called “Enabled”
7. Click “Apply all” and then “OK”

And I tried the commands from networking - Windows 10 DNS issues - Super User:

ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
netsh winsock reset catalog
netsh int ipv4 reset reset.log
netsh int ipv6 reset reset.log

Firefox settings for DoH: dns9.quad9.net:443/dns-query

DNS over HTTPS (DoH) | DNS over TLS (DoT)

TL;DR: Skip router changes and use the browser (Firefox) for everything:
1. There is no point in enabling it on the router, because some parts (ESNI) must be done in the browser.
2. Chrome has partial DoH support but NO support for ESNI; Firefox has everything.

How to check:

chrome.exe --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2Fcloudflare-dns%2Ecom%2Fdns-query/method/POST"

"C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe" --profile-directory="Profile 1" --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https://cloudflare-dns.com/dns-query/method/POST"

https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

We must Encrypt SNI (aka ESNI) also

To keep my ISP from spying on my activity, I also need to encrypt the SNI header, because it names the site in plaintext even when the DNS lookup went over DoH. That is a browser feature and can’t be done at the router level.

  • Firefox: This is the only solution for now. Two steps are needed:

    1. Options » Enable DNS over HTTPS
    2. about:config » network.security.esni.enabled
  • Chrome: No version of Chrome supports ESNI yet (Feb 2020): How about the betas? Nightlies? Canaries? Roadmap?!
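As an added example (not from the original page or from the linked guides), here is a small Python script that builds a minimal TLS ClientHello and extracts its plaintext server_name extension, which is what an on-path observer such as an ISP can still read even when the DNS lookup itself went over DoH. The ClientHello layout is constructed for the demo (one cipher suite, no other extensions, a zeroed random field); build_client_hello and extract_sni are names chosen here, and nothing is sent on the network.

```python
"""Added example: what the plaintext SNI extension reveals in a ClientHello.

The ClientHello is constructed here for the demo; a real browser sends many
more extensions and real random bytes.
"""
import struct
from typing import Optional

SNI_EXT = 0  # extension type server_name (RFC 6066)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return a minimal TLS handshake record containing a ClientHello."""
    body = b"\x03\x03" + bytes(32)   # legacy_version TLS 1.2 + constructed zero random
    body += b"\x00"                   # session id length 0
    body += b"\x00\x02\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"               # compression methods: null only
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if there is none.
    Raises ValueError if the bytes are not a ClientHello handshake record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                   # version + random
    off += 1 + body[off]                           # session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + cs_len                              # cipher suites
    off += 1 + body[off]                           # compression methods
    if off >= len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + elen]
        off += elen
        if etype == SNI_EXT:
            # ServerNameList: 2-byte list length, then (name_type, length, name) entries
            pos = 2
            while pos + 3 <= len(data):
                ntype = data[pos]
                nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                if ntype == 0:
                    return data[pos + 3:pos + 3 + nlen].decode("ascii")
                pos += 3 + nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")      # constructed sample name
    print("observer sees SNI:", extract_sni(hello))
    print("without SNI      :", extract_sni(build_client_hello(None)))
```

With ECH the same extension is still present on the wire, but it carries only the public name from the server's ECH configuration; the real host name moves into the encrypted inner ClientHello, which is why enabling it is a browser setting rather than a router one.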

How to set everything in Firefox: DNS-over-HTTPS (DoH) and Encrypted SNI in Firefox

ESNI is now called ECH

To enable ECH in Firefox, navigate to about:config and set network.dns.echconfig.enabled to true. Note that network.dns.use_https_rr_as_altsvc is already enabled by default.

Be aware that a Firefox restart is necessary for the change to take effect.

In Chrome, the flag is chrome://flags/#encrypted-client-hello

date 01. Jan 0001 | modified 29. Dec 2023
filename: Windows » DNS Privacy