mikaela.github.io/n/dns.md

DNS notes

For DNS resolvers, refer to r/resolv.tsv

• Identifying DNS resolver
  • Identifying ECH support
• To ECS or not to ECS?
  • Identifying support for client-subnet
• Mobile applications
  • Android
  • Rethink
  • FFUpdater

Identifying DNS resolver

• DNS-OARC’s Check My DNS - popup under “Network”.
• dnsleaktest
• whatsmydnsserver
• ipleak.net
• dnsadblock
• browserleaks.net/dns

The above list is based on redirect2me/which-dns README alternatives section

Identifying ECH support

At it’s current state of implementation, Encrypted Client-Hello requires DNS-over-HTTPS in the browser level or it won’t be used. If downgrade from application level DoH to OS resolver is allowed, ECH will get disabled at least temporary. Thus I think this list belongs here close enough.

• Cloudflare Browser Check which still speaks of ESNI, while ECH replaced Encrypted Server Name Indication ages ago.
  • crypto.cloudflare.com/cdn-cgi/trace, look for sni=encrypted.
• tls-ech.dev
• BONUS: OCSP stapling test

To ECS or not to ECS?

Understanding the Privacy Implications of ECS brings up two bigger issues EDNS client-subnet:

• Authoritative nameserver is given part of the subnet, which can be personally identifiable and as the connection between recursor and authoritative is unencrypted, anyone between them can observe all the queries.
  • Think of VPNs where traffic within the VPN is encrypted, but it won’t magically encrypt plain traffic leaving it.
• Anyone between the recursive and authoritative nameservers can perform cache poisoning attack and give it a narrow target. With short TTL, it may be impossible to audit afterwards. Only DNSSEC can protect from this, but DNSSEC signing isn’t used that widely.

These issues bring additional questions:

• Do you care?
  • If you run open wireless network and offer everyone ECS nameserver such as Google DNS through DHCP while using manually configured encrypted DNS by yourself, is there any cause for concern? You can always say it was someone using your open network? Or if this is a multi-user system like VPS running titlefetcher bot or Matrix homeserver, who knows who triggered the original queries and where? SteamOS? Speed over all as it’s only used for gayming. Virtual machine lab? Who cares. Larger organization? That may be a big target?
  • How much does getting local content matter to you? More or less than increased resource use of contacting a server further away? Is private ECS an option? (r/resolv.tsv)
• What is the impact of domains you visit being surveilled?
  • This page mentions cases like FFUpdater where the surveillance would reveal that I interact with github.com and other sites it downloads apk files from, which hardly matters, but how about you?
• What is the impact of cache poisoning tailored to you?
  • Everything is encrypted and TLS certificates wouldn’t match so would you continue to the wrong site regardless of the prompt, or decide something is wrong and try again later. How about your users?

Identifying support for client-subnet

Or what is being sent to the authoritative servers.

dig +short TXT o-o.myaddr.l.google.com.
dig +short TXT whoami.ds.akahelp.net.
dig +short TXT whoami.ipv6.akahelp.net.
dig +short TXT whoami.ipv4.akahelp.net.

• Note: Cloudflare sends ECS only for whoami.ds.akahelp.net.

Mobile applications

With the exception of those apps that config I remember otherwise or share it with desktop versions etc.

Android

Use either cloudflare-dns.com (which doesn’t have ECS) or dns.google (which has ECS) as the (Settings → Network & Internet → Advanced →) Private DNS server as they have special handling and are thus DNS ove HTTPS3 instead of the usual DNS over TLS. This can be confirmed with https://1.1.1.1/help (when using cloudflare-dns.com).

Then setup your web browser (including Firefox (other than stable which disables about:config) and Chrome) to use DNS over HTTPS with your preferred server and while at it enabling HTTPS only mode.

Rethink

NOTE! This pretends to be a VPN and thus breaks things depending on seeing the IP directly such as wireless debugging LAN IP, Briar LAN connections, cause warnings in Ooni Probe and disable automatic testing, Syncthing Fork will not autostart due to detecting the network as metered, unless it’s given permission to run in metered networks.

1. Use either GitHub or F-Droid release as Google Play doesn’t have blocklists.
2. Enable it.
3. In Android Settings, Internet, Advanced, VPN, select Rethink, make it always-on and block connections not using it.
4. Disable private DNS in Android settings too, as it conflicts.
5. In Rethink itself open Configure.

• DNS: enable whatever DNS you prefer.
• DNS: Visit on-device blocklists.
• DNS: Consider enabling Use in-app downloader, DNS booster
• DNS: Disable Prevent DNS leaks to avoid breakage.
• Network: enable Use all available networks (experimental)
• Network: Loopback (experimental)
  • This also implies the previous option.
• Network: Choose IP version: Auto
• Network: Perform connectivity checks

1. Remember to also visit Android app details for Rethink, in battery menu select unrestricted and in network allow unlimited data even with data saver.

Hopefully there is no situation where Rethink stops working and thinks it’s still working. As can be deduced from this section, sometimes Rethink and I disagree with each other. I don’t guarantee I know what I am doing.

FFUpdater

• https://dns0.eu;2a0f:fc80::;2a0f:fc81::;193.110.81.0;185.253.5.0
• https://open.dns0.eu;2a0f:fc80::ffff;2a0f:fc81::ffff;193.110.81.254;185.253.5.254
• https://doh.opendns.com/dns-query;2620:119:35::35;2620:119:53::53;208.67.222.222;208.67.220.220
• https://dns11.quad9.net/dns-query;2620:fe::11;2620:fe::fe:11;9.9.9.11;149.112.112.11
• https://dns12.quad9.net/dns-query;2620:fe::12;2620:fe::fe:12;9.9.9.12;149.112.112.12