From 45cf5ecf61de760fdd33b64b5db8a279e19f1ea3 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Thu, 25 Apr 2024 11:00:40 +0300 Subject: [PATCH] opt/chromium/policies/managed: update documentation about working preferred over ECH enforced --- etc/opt/chromium/policies/managed/README.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/etc/opt/chromium/policies/managed/README.md b/etc/opt/chromium/policies/managed/README.md index 9e5693c4..fb47e68d 100644 --- a/etc/opt/chromium/policies/managed/README.md +++ b/etc/opt/chromium/policies/managed/README.md @@ -259,9 +259,11 @@ Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server. If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default. -Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`. - -**_This also causes there to not be ECH._** +My other `doh-*.json` set this as well, because `secure` doesn't allow +downgrade to system resolver and Chromium seems somewhat unreliable with it often reporting +`DNS_PROBE_POSSIBLE` and while this occassionally disables ECH, it works and +my system resolvers are encrypted. I hope they will implement ECH with system +resolver soon to fix this. ## `doh-dns0.json` @@ -297,7 +299,10 @@ their alternative port. Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks. -However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver. +However ECH requires `"DnsOverHttpsMode": "secure"` which will break things +(and thus my files don't enable it), +or it will occassionally get disabled (I hope they implement it with system +resolver soon). ## `enable-labs.json`
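Review bot: In the first hunk (README line ~259, the `doh-cloudflare` section) the replacement paragraph never names the mode it is talking about: the removed line stated the concrete value `"DnsOverHttpsMode": "secure",`, while the new "My other `doh-*.json` set this as well" leaves "this" pointing back at "unlocks the setting", so a reader cannot tell which `DnsOverHttpsMode` value the files now ship. Suggest stating the value explicitly, and making the trade-off a separate sentence rather than part of the run-on, e.g. "My other `doh-*.json` files use the same mode, because `secure` forbids falling back to the system resolver and Chromium then often reports `DNS_PROBE_POSSIBLE`. The downside is that ECH is occasionally disabled; this is acceptable on my machine only because the system resolvers are themselves encrypted." That last clause matters for anyone copying the policy: the fallback is only safe if their own system resolver is encrypted, so the assumption should be stated as a requirement, not an aside. Also "occassionally" should be "occasionally".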
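Review bot: In the second hunk (README line ~299, the ECH/OCSP section) "(and thus my files don't enable it)" is ambiguous, since "it" can be read as ECH rather than `secure` mode, and "or it will occassionally get disabled" has the same problem; suggest "ECH requires `"DnsOverHttpsMode": "secure"`, which breaks resolution as described above, so my `doh-*.json` files do not set `secure`; with the fallback mode ECH is occasionally disabled." The removed line also recorded that OCSP checks appear to bypass DoH and go to the system resolver, and the new text drops that observation without replacing it; if it is still believed to hold it should stay, since it is the one place the README tells a reader that revocation checks may leak to the system resolver. "occassionally" should be "occasionally" here as well.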