
In case anyone wants to try a DoH setup:

I managed to get DoH working using Unbound, Apache and doh-proxy and documented the setup here: https://isoc-inforum.afrinic.net/wiki/tiki-index.php?page=doh
From my tests, the existing internal DNS caching infrastructure (in use in a LAN for example) can be maintained and using doh-proxy, DNS over HTTPS can be provided to clients. DoH seems to work just fine with Firefox and Firefox automatically resorted to my OS configured DNS server when I turned off the doh-proxy.
Firefox uses Cloudflare's DNS server as default when you enable DoH. This means that with Firefox, users can bypass whatever DNS server is provided to them over DHCP in a network and use what is configured on the browser. If browsers in future will have DoH enabled by default, this could cause some issues; for example, a URL that is supposed to resolve to a local LAN device will not be reachable (split horizon) if using an external DoH server. Users subscribed to DNS security services may have extra settings to add to their browsers. Troubleshooting DNS issues will be more complex - is the problem with the OS configured DNS or the one configured on the browser? How will browsers know which DoH server to use in a network before resorting to a default cloud provided DoH server - I could not find a way for this info to be supplied.

Also, more testing is needed to know how well DoH Proxy stands up to multiple simultaneous requests (like at an ISP for example). There may be other tools like doh-proxy out there as well. It's a service that will need to be deployed in networks in the near future, so it makes sense to have a test implementation of this and DoT and observe what's coming out of the IETF.

Regards
Kevin

On Mon, Mar 18, 2019 at 10:50 AM Kevin G. Chege <kevin.chege@gmail.com> wrote:
Hi all,
Has anyone here tested DNS over HTTPS (aka DoH) and can share their experience? Browsers like Firefox have this feature and so will Google Chrome, meaning a user can circumvent whatever DNS server is set on the OS in order to browse, and the DNS traffic will be encrypted over HTTPS.
Here is the RFC describing how DoH works: https://datatracker.ietf.org/doc/rfc8484/
And here is a good summary of the possible issues and risks:
https://datatracker.ietf.org/doc/draft-livingood-doh-implementation-risks-is...
I am yet to try it but curious to hear of others' thoughts/experience.
Regards
Kevin