portmaster
Add Support for DoH
What would you like to add or change?: In the Secure DNS settings only DoT (DNS over TLS) is supported and not DoH (DNS over HTTPS).
It would be nice to support both protocols.
Why do you and others need this?: Not all DNS providers support DoT; some only support DoH, like OpenDNS. I like OpenDNS because they provide a free community license of OpenDNS Umbrella where you can specify what content should be blocked for your home network, by just adding your public IP to their configs and setting their OpenDNS IP on your router's DHCP.
Also we could have the discussion that DoH is more privacy focused than DoT since requests are hidden in the HTTPS protocol and obfuscated with the rest of the traffic, while DoT is doing this on a separate port, 853, which is easy to block from a network admin's point of view. It is harder to block DoH without affecting all HTTPS requests.
Thanks in advance
Hey @kiraitachi, thanks for the suggestion.
Except for censorship scenarios, we believe DoT to be superior. But I do see that there are providers that only provide a DoH endpoint.
I will discuss this with the team.
I know it's not appropriate to do +1 via comment, but I too ask for this feature.
Also we could have the discussion that DoH is more privacy focused than DoT since requests are hidden in the HTTPS protocol and obfuscated with the rest of the traffic, while DoT is doing this on a separate port, 853, which is easy to block from a network admin's point of view. It is harder to block DoH without affecting all HTTPS requests.
I agree with the above user. From a censorship-resistance point of view, DoH is on par with (or better than) DoT. As far as I know, DPI (deep packet inspection) can also be used to block the DoT protocol.
I know it's not appropriate to do +1 via comment, but I too ask for this feature.
Totally ok here. ;) We want to know the pain points of our users!
From a censorship-resistance point of view, DoH is on par with (or better than) DoT.
True, but a different goal than privacy, which we solve with the SPN.
From a privacy perspective, DoH carries a lot of unnecessary metadata (due to HTTP) that might have (and had!) identifying information. DoT does not have this problem.
As far as I know, DPI (deep packet inspection) can also be used to block the DoT protocol.
DPI can identify both as the patterns are the same. Again, we solve this with the SPN.
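As an added illustration of the framing difference discussed in this thread (this is not code from the issue, from Portmaster or from Safing): the same DNS query wrapped the DoT way (length prefix inside TLS on port 853) and the DoH way (RFC 8484 GET and POST over HTTPS on 443), which shows where DoH's extra HTTP metadata comes from and why DoT is recognisable by port alone. The host name and User-Agent value are constructed.

```python
import base64
import struct
from typing import Optional

# Constructed illustration: one DNS query framed for DoT (RFC 7858, TLS on
# TCP port 853) and for DoH (RFC 8484, HTTPS on port 443).
DOT_PORT, DOH_PORT = 853, 443

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query: 12-byte header plus one question.
    txid 0 follows the RFC 8484 advice for cache-friendly DoH GET requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def dot_frame(query: bytes) -> bytes:
    """DoT: the raw DNS message with a 2-byte length prefix, carried inside TLS.
    Nothing but the DNS message is sent, but the port alone marks it as DNS."""
    return struct.pack("!H", len(query)) + query

def doh_get_request(query: bytes, host: str, user_agent: Optional[str] = None) -> str:
    """DoH GET: DNS message base64url-encoded (padding stripped) in the URL.
    The HTTP layer adds Host, Accept and any client headers on top."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    lines = [f"GET /dns-query?dns={dns_param} HTTP/1.1",
             f"Host: {host}",
             "Accept: application/dns-message"]
    if user_agent:  # the kind of identifying metadata DoT has no place for
        lines.append(f"User-Agent: {user_agent}")
    return "\r\n".join(lines) + "\r\n\r\n"

def doh_post_request(query: bytes, host: str) -> bytes:
    """DoH POST: the raw DNS message as HTTP body, indistinguishable from other
    HTTPS traffic on port 443 without decrypting it."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query

def http_overhead(request: bytes, query: bytes) -> int:
    """Bytes the transport adds beyond the DNS payload (the DoT prefix is 2)."""
    return len(request) - len(query)

if __name__ == "__main__":
    q = build_dns_query("example.com")  # constructed sample query
    print(doh_get_request(q, "doh.example.net", "constructed-client/1.0"))
```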
Okay, I got your point. Well, tell me about this scenario. I'm at the hospital for the moment and they completely blocked port 873 and several VPNs. And of course they are hijacking any port 53 queries. So would the SPN be able to bypass that? Did you hardcode the IP it needs to join? (I didn't read your doc about SPN just yet)
Okay, so I just tested SPN from the hospital; your setup doesn't take into account my use case. It can't connect to SPN. You need to somehow hardcode the IP of at least a bridge gateway or an obfuscated gateway so that we can bypass censorship. Something like Signal does with the Google API gateway so that firewalls won't block it.
Edit: sorry, you apparently did manage to find a way to get the IP addresses without retrieving them from a DNS server (tell me if I'm wrong), but I think that destination port 17 is not necessarily good for privacy since it will most probably be blocked by many enterprise firewalls.
DoH is literally around the corner. Just blocked by a small bug before it can go into the beta channel.
Isn't SPN a paid feature? I was using portmaster<->adguard<->portmaster<->adguard a lot of the time. The thing holding me on AdGuard is DoH support and the stealth mode features from AdGuard, with important features like protection from DPI, hiding search queries, no track header, etc. Portmaster is great and I was using it for a long time, but I wish it could have some features like the ones I pointed out from the AdGuard app. I see DoH support is coming. That's great and I will definitely test it.
Hi, I have something to add: DoT doesn't work well in my country, but DoH, DNSCrypt and DoQ (the new AdGuard protocol) work better than that. Unfortunately, at this moment I will stick with YogaDns, or maybe until such a feature comes to Portmaster.
Auto-closing this issue after waiting for input for a month. If anyone finds the time to provide the requested information, please re-open the issue and we will continue handling it.
OOF
https://wiki.safing.io/en/Portmaster/App/DNSConfiguration