browser-extensions: change ESNI to ESNI/ECH, adjust mode instructions, note ECH config

Resolves: #295
This commit is contained in:
Aminda Suomalainen 2022-08-13 23:26:33 +03:00
parent f7f692e72c
commit 3dff3d1ed7
Signed by: Mikaela
SSH Key Fingerprint: SHA256:CXLULpqNBdUKB6E6fLA1b/4SzG0HvKD19PbIePU175Q
1 changed files with 7 additions and 4 deletions


@ -193,13 +193,14 @@ Firefox seems to contain a lot of advertising or sponsoring nowadays, whether to
## DNS over HTTPS
* `network.trr.mode` depends, `2` to prefer DoH, but fallback to system resolver, `3` to enforce DoH without fallback) or `5` to explicitly disable.
* [DoH is required by Firefox ESNI support](https://bugzilla.mozilla.org/show_bug.cgi?id=1500289) which encrypts SNI which would still leak which
sites you visit. [Another bug about ESNI + Android DoT](https://bugzilla.mozilla.org/show_bug.cgi?id=1542754#c3)
* Are you using a VPN? Do they provide a DoH server? If yes, maybe the answer is 3 for eSNI?
* `network.trr.mode` depends, `3` to enforce DoH (required for ECH) or `5` to explicitly disable. `2` to prefer DoH, but fallback to system also exists.
* [DoH is required by Firefox ESNI/ECH support](https://bugzilla.mozilla.org/show_bug.cgi?id=1500289) which encrypts SNI/ClientHello which would still leak which
sites you visit. [Another bug about ESNI/ECH + Android DoT](https://bugzilla.mozilla.org/show_bug.cgi?id=1542754#c3)
* Are you using a VPN? Do they provide a DoH server? If yes, maybe the answer is 3 for ESNI/ECH?
* `network.trr.early-AAAA` `true` to hopefully prefer IPv6
* `network.trr.uri` for the actual resolver address, e.g.
`https://doh.mullvad.net/dns-query`
* and if they provide as SOCKS proxy as a killswitch, `network.proxy.socks_remote_dns` must be `false`
* `network.trr.disable-ECS` to `false` if preferring speed over privacy or using NextDNS private ECS.
* [Wikipedia: EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet)
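Review bot: in the rewritten `network.trr.mode` bullet, "(required for ECH)" is attached to mode `3` specifically, but the very next bullet and the linked bug only say that DoH as such is required by ESNI/ECH support, and mode `2` ("prefer DoH, but fallback to system") also uses DoH; either state what makes the fallback mode insufficient for ECH, or move the requirement to the DoH bullet ("DoH is required for ECH") so the two bullets do not contradict each other. The same bullet now mentions mode `2` as an afterthought ("also exists"); since the old text listed it first with a description, keep a one-line description of when fallback is acceptable rather than leaving the reader to guess. Finally, "which encrypts SNI/ClientHello which would still leak which sites you visit" reads as though the encrypted ClientHello still leaks the site; suggest "which encrypts the SNI/ClientHello that would otherwise leak which sites you visit".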
@ -207,6 +208,8 @@ Some notes:
* There is also `network.trr.exclude-etc-hosts` for those using `/etc/hosts` for blocking.
* You can confirm TRR working by visiting `about:networking#dns` where
you should be seeing DNS cache of Firefox and a lot of `TRR: true`.
* ECH requires `network.dns.echconfig.enabled` and `network.dns.use_https_rr_as_altsvc` to be `true`,
but they seem to default to true at least in Firefox Nightly so maybe no action is needed.
* [While investingating how Android 9 Private DNS works, I also wrote a DNS provider comparsion here on 2019-07-11]({% post_url blog/2019-07-11-android-private-dns-in-practice %})
## SSDs
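Review bot: the new ECH bullet is hedged twice ("seem to default to true", "at least in Firefox Nightly", "maybe no action is needed"), so a reader on release Firefox cannot tell whether they must change anything; record the version in which the default was observed, or tell the reader to check the two prefs in `about:config` and set them to `true` if they differ. It would also help to give ECH a verification step alongside the TRR one two bullets above (`about:networking#dns` showing `TRR: true`), since the text names the prefs but offers no way to confirm ECH is actually in use.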