
Encrypted ClientHello

Open hl2guide opened this issue 4 years ago • 13 comments

Problem Description

Please consider adding support for Encrypted SNI in Adguard Home (if applicable).

I'm no network engineer so I don't know if it even applies, but it would be nice if it could be implemented.

CloudFlare's Reference: https://blog.cloudflare.com/encrypted-sni/
CloudFlare's Test Page: https://www.cloudflare.com/ssl/encrypted-sni/

hl2guide avatar May 16 '20 07:05 hl2guide

True! Hope for more security! https://allinfa.com/dns-over-https-doh.html https://allinfa.com/encrypted-server-name-indication-esni.html https://www.cloudflare.com/ssl/encrypted-sni/

jkle112 avatar May 16 '20 10:05 jkle112

For your own queries do you mean? Surely eSNI is already supported. I get _esni queries answered in my query log all the time, and Cloudflare confirms my connections include encrypted SNI.


Added to that, my ISP blocks torrent sites (court order, UK), but with eSNI enabled in Firefox, and AGH set to use a capable upstream (i.e. Cloudflare), I can load the sites with no problems even without a VPN (because the ISP can't see what I'm connecting to, as both DNS and SNI are encrypted). Add Cloudflare as your upstream and, in Firefox's about:config, set network.security.esni.enabled to true. Third, and finally, you must have encrypted DNS over HTTPS set up in Firefox (either via Preferences or about:config).

RainmakerRaw avatar May 16 '20 22:05 RainmakerRaw

The ESNI standard is far from being out of the draft state. FF and Cloudflare have implemented some old draft which is rather far from the current state of the spec.

Anyways, we can only implement this when ESNI is finalized and supported by Golang, and this is not the case yet.

ameshkov avatar May 18 '20 12:05 ameshkov

Is there any update on Encrypted SNI?

gabriel-vanca avatar Oct 07 '21 19:10 gabriel-vanca

The news is:

  1. It is now called ECH
  2. It is still in the draft stage
  3. It is still used by no one. CloudFlare even disabled it for now.

ameshkov avatar Oct 08 '21 08:10 ameshkov

It looks like Cloudflare have now enabled it and I think it's on by default for new customers: https://blog.cloudflare.com/announcing-encrypted-client-hello/

hbednar avatar Oct 01 '23 11:10 hbednar

Not that simple, they seem to have disabled it for most of the users now, as it was causing some trouble.

Anyways, in golang there's no way to use ECH unless you're using Cloudflare's fork of Go.

Generally it's possible to use it now, but I'd prefer to wait until ECH makes it to Go's crypto/tls.

ameshkov avatar Oct 10 '23 13:10 ameshkov

Reopened just to show that we're planning to implement it eventually.

ameshkov avatar Oct 10 '23 13:10 ameshkov

Any news on this topic?

vdias avatar Oct 12 '23 09:10 vdias

I am using tls://1dot1dot1dot1.cloudflare-dns.com as the main upstream DNS server and https://dns.cloudflare.com/dns-query for the fallback DNS server. I do get Encrypted SNI and ECH.

V0IDL355 avatar Feb 02 '24 12:02 V0IDL355

> Any news on this topic?

ECH is still not supported natively by crypto/tls. Switching all crypto to Cloudflare's fork is too much.

We probably could come up with a solution similar to what I did in gocurl and implement it for upstreams.

> https://dns.cloudflare.com/dns-query

This domain does not indicate ECH support at the moment.

ameshkov avatar Feb 06 '24 14:02 ameshkov
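What "indicates ECH support" means in practice: a name advertises ECH by publishing an `ech` SvcParam (key 5) in its HTTPS DNS record (RFC 9460), carrying the ECHConfigList that clients use to encrypt the ClientHello; a record with only `alpn` or hints, as in the first constructed sample below, does not. This parser is an added example and not AdGuard Home code; it works on constructed RDATA bytes rather than a live query, and the ECHConfig contents in the second sample are placeholder bytes behind the real version field 0xfe0d.

```python
import struct

SVCPARAM_ECH = 5  # RFC 9460 SvcParamKey carrying an ECHConfigList

def _read_name(buf, off):
    """Uncompressed wire-format DNS name -> (dotted name, offset after it)."""
    labels = []
    while (n := buf[off]) != 0:
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in HTTPS RDATA")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) or ".", off + 1

def parse_https_rdata(rdata):
    """HTTPS RR RDATA: SvcPriority, TargetName, then (key, length, value) SvcParams."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:  # RFC 9460: keys must be strictly increasing
            raise ValueError("SvcParamKeys out of order or duplicated")
        params[key] = rdata[off + 4:off + 4 + length]
        off, last_key = off + 4 + length, key
    return priority, target, params

def ech_versions(ech_param):
    """ECHConfigList: uint16 total length, then ECHConfig{uint16 version, uint16 length, ...}."""
    total, off, versions = struct.unpack("!H", ech_param[:2])[0], 2, []
    while off < 2 + total:
        version, length = struct.unpack("!HH", ech_param[off:off + 4])
        versions.append(version)
        off += 4 + length
    return versions

def advertises_ech(rdata):
    """True when the record carries an ech SvcParam, i.e. the name advertises ECH."""
    return SVCPARAM_ECH in parse_https_rdata(rdata)[2]

# Helpers to build constructed test records (not captured from any real resolver).
def _name(s):
    return b"\x00" if s == "." else b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def _param(key, value):
    return struct.pack("!HH", key, len(value)) + value

# ServiceMode record, TargetName ".", only alpn=h2: this name does NOT advertise ECH.
RDATA_NO_ECH = struct.pack("!H", 1) + _name(".") + _param(1, b"\x02h2")
# Same record plus an ech SvcParam: one ECHConfig with version 0xfe0d and placeholder contents.
_CFG = struct.pack("!HH", 0xFE0D, 8) + b"\x00" * 8
RDATA_ECH = RDATA_NO_ECH + _param(SVCPARAM_ECH, struct.pack("!H", len(_CFG)) + _CFG)
```

To check a real name, feed the RDATA of its HTTPS (type 65) answer to `advertises_ech`; a resolver that strips or fails to return HTTPS records will make every name look ECH-less.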

I cannot stress enough how important this progress is.

It's about federal surveillance and such. With that enabled and in effect, I could mostly disable all VPN connections.

donald2612 avatar Jun 18 '24 19:06 donald2612