From c90b551ac4bc3cba387dc510bebbff23b50623b2 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Sun, 21 Apr 2024 14:00:39 +0300
Subject: [PATCH] =?UTF-8?q?chromium:=20merge=20doh-forced=20to=20the=20doh?=
 =?UTF-8?q?=20files=20due=20to=20it=20being=20required=20anyway,=20update?=
 =?UTF-8?q?=20documentation,=20rename=20doh-allowed=20=E2=86=92=20doh-unlo?=
 =?UTF-8?q?cked-unset?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 etc/opt/chromium/policies/managed/README.md | 38 ++++++++-----------
 .../managed/doh-cloudflare-secure.json | 1 +
 .../policies/managed/doh-dns0-kids.json | 1 +
 .../policies/managed/doh-dns0-open.json | 1 +
 .../policies/managed/doh-dns0-zero.json | 1 +
 .../chromium/policies/managed/doh-dns0.json | 1 +
 .../chromium/policies/managed/doh-forced.json | 3 --
 .../policies/managed/doh-mullvad-base.json | 1 +
 .../policies/managed/doh-quad9-ecs.json | 1 +
 .../managed/doh-quad9-insecure-ecs.json | 1 +
 .../policies/managed/doh-quad9-insecure.json | 1 +
 .../chromium/policies/managed/doh-quad9.json | 1 +
 ...h-allowed.json => doh-unlocked-unset.json} | 0
 13 files changed, 25 insertions(+), 26 deletions(-)
 delete mode 100644 etc/opt/chromium/policies/managed/doh-forced.json
 rename etc/opt/chromium/policies/managed/{doh-allowed.json => doh-unlocked-unset.json} (100%)

diff --git a/etc/opt/chromium/policies/managed/README.md b/etc/opt/chromium/policies/managed/README.md
index 950f2df5..9e5693c4 100644
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@@ -37,9 +37,8 @@
 - [`disable-floc.json`](#disable-flocjson)
 - [`disable-incognito.json`](#disable-incognitojson)
 - [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
-- [`doh-allowed.json`](#doh-allowedjson)
+- [`doh-unlocked-unset.json`](#doh-unlocked-unsetjson)
 - [`doh-dns0.json`](#doh-dns0json)
-- [`doh-forced.json`](#doh-forcedjson)
 - [`doh-mullvad-base.json`](#doh-mullvad-basejson)
 - [`doh-quad9-ecs.json`](#doh-quad9-ecsjson)
 - [`doh-quad9-insecure-ecs.json`](#doh-quad9-insecure-ecsjson)
@@ -254,58 +253,51 @@
 Disables incognito mode. I don't recommend this.
 ## `doh-cloudflare-secure.json`
-Sets Cloudflare with malware protection as the DNS-over-HTTPS server.
+Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server.
-## `doh-allowed.json`
+## `doh-unlocked-unset.json`
-If no DNS over HTTPS policy is used, this unlocks the setting while still allowing downgrade to system DNS
-(think of DoT opportunistic mode, kind of?). Enabling managed policies disable it by default.
+If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
-Incompatible with `doh-forced.json`. This must be used together with any other `doh-*.json` file, but only one of them.
+Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`.
-**_No ECH._**
+**_This also causes there to not be ECH._**
 ## `doh-dns0.json`
-Simply enables DNS-over-HTTPS with DNS0.eu.
-
-## `doh-forced.json`
-
-Enforces use of DNS-over-HTTPS disabling the downgrade.
-
-Incompatible with `doh-allowed.json`. Use this together with any other `doh-*.json` file, but only one of them.
-
-**_Required for ECH._**
+Simply forces DNS-over-HTTPS with DNS0.eu.
 ## `doh-mullvad-base.json`
-Enables DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
+Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
 - https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications
 ## `doh-quad9-ecs.json`
-Enables DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
+Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
 their alternative port.
 ## `doh-quad9-insecure-ecs.json`
-Enables DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
+Forces DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
 their alternative port.
**No DNSSEC either.**
 ## `doh-quad9-insecure.json`
-Enables DNS over HTTPS with Quad9 unfiltered server and also contains
+Forces DNS over HTTPS with Quad9 unfiltered server and also contains
 their alternative port.
 **No DNSSEC either.**
 ## `doh-quad9.json`
-Enables DNS over HTTPS with Quad9 threat-blocking server and also contains
+Forces DNS over HTTPS with Quad9 threat-blocking server and also contains
 their alternative port.
 ## `enable-ech-ocsp.json`
-Enables encrypted client hello and OCSP (or CRL?) checks.
+Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.
+
+However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver.
 ## `enable-labs.json`
diff --git a/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json b/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json
index 989e19d7..d5f3170e 100644
--- a/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json
+++ b/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://security.cloudflare-dns.com/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-dns0-kids.json b/etc/opt/chromium/policies/managed/doh-dns0-kids.json
index d47f6663..53dfaaca 100644
--- a/etc/opt/chromium/policies/managed/doh-dns0-kids.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0-kids.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://kids.dns0.eu/"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-dns0-open.json b/etc/opt/chromium/policies/managed/doh-dns0-open.json
index e149f127..b1651722 100644
--- a/etc/opt/chromium/policies/managed/doh-dns0-open.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0-open.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://open.dns0.eu/"
 }
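Review bot: Adding `"DnsOverHttpsMode": "secure"` beside the template makes name resolution fail closed: in secure mode Chromium only sends DoH queries and reports an error instead of falling back to the system resolver, so an unreachable or failing DoH endpoint takes the browser offline rather than degrading. The README hunk describes the new behaviour only as "forced"; since strict JSON has no comment syntax, I would state the consequence there, e.g. under `doh-cloudflare-secure.json` (or once for all `doh-*` files): `Secure mode has no fallback to system DNS: if the resolver above is unreachable, browsing breaks until it recovers or the policy file is removed.` The same point applies to the doh-dns0-kids, doh-dns0-open, doh-dns0-zero, doh-dns0, doh-mullvad-base and doh-quad9* hunks, which add the identical key.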
diff --git a/etc/opt/chromium/policies/managed/doh-dns0-zero.json b/etc/opt/chromium/policies/managed/doh-dns0-zero.json
index 9bf01de6..3f683c74 100644
--- a/etc/opt/chromium/policies/managed/doh-dns0-zero.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0-zero.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://zero.dns0.eu/"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-dns0.json b/etc/opt/chromium/policies/managed/doh-dns0.json
index 547ce79a..ba086a5f 100644
--- a/etc/opt/chromium/policies/managed/doh-dns0.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://dns0.eu/"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-forced.json b/etc/opt/chromium/policies/managed/doh-forced.json
deleted file mode 100644
index 578327c1..00000000
--- a/etc/opt/chromium/policies/managed/doh-forced.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "DnsOverHttpsMode": "secure"
-}
diff --git a/etc/opt/chromium/policies/managed/doh-mullvad-base.json b/etc/opt/chromium/policies/managed/doh-mullvad-base.json
index f0b14c4c..4692bdf6 100644
--- a/etc/opt/chromium/policies/managed/doh-mullvad-base.json
+++ b/etc/opt/chromium/policies/managed/doh-mullvad-base.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://base.dns.mullvad.net/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-quad9-ecs.json b/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
index 988d6d41..1037762e 100644
--- a/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://dns11.quad9.net/dns-query https://dns11.quad9.net:5053/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-quad9-insecure-ecs.json b/etc/opt/chromium/policies/managed/doh-quad9-insecure-ecs.json
index 39ee7f11..4a06fb7b 100644
--- a/etc/opt/chromium/policies/managed/doh-quad9-insecure-ecs.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9-insecure-ecs.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://dns12.quad9.net/dns-query https://dns12.quad9.net:5053/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-quad9-insecure.json b/etc/opt/chromium/policies/managed/doh-quad9-insecure.json
index b7610a3c..9804f7f0 100644
--- a/etc/opt/chromium/policies/managed/doh-quad9-insecure.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9-insecure.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://dns10.quad9.net/dns-query https://dns10.quad9.net:5053/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-quad9.json b/etc/opt/chromium/policies/managed/doh-quad9.json
index 2f557e05..c8c15980 100644
--- a/etc/opt/chromium/policies/managed/doh-quad9.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9.json
@@ -1,3 +1,4 @@
 {
+ "DnsOverHttpsMode": "secure",
 "DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-allowed.json b/etc/opt/chromium/policies/managed/doh-unlocked-unset.json
similarity index 100%
rename from etc/opt/chromium/policies/managed/doh-allowed.json
rename to etc/opt/chromium/policies/managed/doh-unlocked-unset.json