From 3dff3d1ed7e1799a6eb13bec2b125a02b46cc5a7 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen <suomalainen+git@mikaela.info>
Date: Sat, 13 Aug 2022 23:26:33 +0300
Subject: [PATCH] browser-extensions: change ESNI to ESNI/ECH, adjust mode
 instructions, note ECH config

Resolves: #295
---
 pages/browser-extensions.markdown | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/pages/browser-extensions.markdown b/pages/browser-extensions.markdown
index f90bb40..6dffa08 100644
--- a/pages/browser-extensions.markdown
+++ b/pages/browser-extensions.markdown
@@ -193,13 +193,14 @@ Firefox seems to contain a lot of advertising or sponsoring nowadays, whether to
 
 ## DNS over HTTPS
 
-* `network.trr.mode` depends, `2` to prefer DoH, but fallback to system resolver, `3` to enforce DoH without fallback) or `5` to explicitly disable.
-    * [DoH is required by Firefox ESNI support](https://bugzilla.mozilla.org/show_bug.cgi?id=1500289) which encrypts SNI which would still leak which
-      sites you visit. [Another bug about ESNI + Android DoT](https://bugzilla.mozilla.org/show_bug.cgi?id=1542754#c3)
-    * Are you using a VPN? Do they provide a DoH server? If yes, maybe the answer is 3 for eSNI?
+* `network.trr.mode` depends, `3` to enforce DoH (required for ECH) or `5` to explicitly disable. `2` to prefer DoH, but fallback to system also exists.
+    * [DoH is required by Firefox ESNI/ECH support](https://bugzilla.mozilla.org/show_bug.cgi?id=1500289) which encrypts SNI/ClientHello which would still leak which
+      sites you visit. [Another bug about ESNI/ECH + Android DoT](https://bugzilla.mozilla.org/show_bug.cgi?id=1542754#c3)
+    * Are you using a VPN? Do they provide a DoH server? If yes, maybe the answer is 3 for ESNI/ECH?
 * `network.trr.early-AAAA` `true` to hopefully prefer IPv6
 * `network.trr.uri` for the actual resolver address, e.g.
   `https://doh.mullvad.net/dns-query`
+  * and if they provide as SOCKS proxy as a killswitch, `network.proxy.socks_remote_dns` must be `false`
 * `network.trr.disable-ECS` to `false` if preferring speed over privacy or using NextDNS private ECS.
   * [Wikipedia: EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet)
 
@@ -207,6 +208,8 @@ Some notes:
 * There is also `network.trr.exclude-etc-hosts` for those using `/etc/hosts` for blocking.
 * You can confirm TRR working by visiting `about:networking#dns` where
 you should be seeing DNS cache of Firefox and a lot of `TRR: true`.
+* ECH requires `network.dns.echconfig.enabled` and `network.dns.use_https_rr_as_altsvc` to be `true`,
+  but they seem to default to true at least in Firefox Nightly so maybe no action is needed.
 * [While investingating how Android 9 Private DNS works, I also wrote a DNS provider comparsion here on 2019-07-11]({% post_url blog/2019-07-11-android-private-dns-in-practice %})
 
 ## SSDs