Informative and unfortunate.
Cloudflare giveth, Cloudflare taketh away?
ECH is disabled globally, and cannot currently be enabled in the Cloudflare Dashboard.
@SkewedZeppelin is there a script or tool you use to test ECH support of remote websites?
Cloudflare giveth, Cloudflare taketh
Indeed. (but they are working on re-implementing it)
Ironically it felt like we were in a better position with respect to ECH a year or two ago (Cloudflare had enabled ECH by default, Firefox had an explicit about:config option to enable it independently from DoH)
Here
#CC0
# Reads one hostname per line from domains.txt and reports whether the
# HTTPS record returned by 1.0.0.1 carries an ech= parameter.
while read -r line; do
  if /usr/bin/dig @1.0.0.1 +timeout=1 +short HTTPS "$line" | grep -q "ech="; then
    echo "YES: $line"
  else
    echo "NO: $line"
  fi
done < domains.txt
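Added example, not SkewedZeppelin's script and not from anyone in this thread: a Python parser that takes the same `dig +short HTTPS` presentation line the script above pipes into grep, pulls out the ech= value and decodes the ECHConfigList (draft-ietf-tls-esni, version 0xfe0d) far enough to report the public_name, KEM and cipher suites the record advertises. It goes beyond the grep check by validating the structure of the blob, which catches records that carry an ech= parameter that clients cannot actually use. The record it runs on is constructed here (the X25519 key is 32 zero bytes and "public.example" is a placeholder), not the output of a real lookup.

```python
"""Decode the ech= parameter of an HTTPS RR presentation line.

Added example, not code from the thread. Structure follows the ECHConfigList
wire format of draft-ietf-tls-esni for version 0xfe0d; the sample record
below is constructed, not a real lookup.
"""
import base64
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ECH_VERSION_DRAFT = 0xFE0D  # ECHConfig.version for the current draft series


@dataclass
class EchConfig:
    config_id: int
    kem_id: int
    public_key: bytes
    cipher_suites: List[Tuple[int, int]]  # (kdf_id, aead_id) pairs
    max_name_length: int
    public_name: str


def extract_ech_param(rr_text: str) -> Optional[str]:
    """Return the base64 value of ech= from an HTTPS RR line, or None if absent."""
    for token in rr_text.split():
        if token.startswith("ech="):
            return token[4:].strip('"')
    return None


def _parse_contents(c: bytes) -> EchConfig:
    """Parse ECHConfigContents for version 0xfe0d; raises ValueError on bad framing."""
    try:
        config_id = c[0]
        kem_id, pk_len = struct.unpack(">HH", c[1:5])
        pos = 5
        public_key = c[pos:pos + pk_len]
        pos += pk_len
        (cs_len,) = struct.unpack(">H", c[pos:pos + 2])
        pos += 2
        if cs_len % 4:
            raise ValueError("cipher_suites length is not a multiple of 4")
        suites = [struct.unpack(">HH", c[pos + i:pos + i + 4]) for i in range(0, cs_len, 4)]
        pos += cs_len
        max_name_length = c[pos]
        name_len = c[pos + 1]
        pos += 2
        public_name = c[pos:pos + name_len].decode("ascii")
        pos += name_len
        (ext_len,) = struct.unpack(">H", c[pos:pos + 2])
        pos += 2
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("truncated or malformed ECHConfigContents") from exc
    if pos + ext_len != len(c):
        raise ValueError("extensions length disagrees with ECHConfig length")
    return EchConfig(config_id, kem_id, public_key, suites, max_name_length, public_name)


def parse_echconfig_list(data: bytes) -> List[EchConfig]:
    """Decode an ECHConfigList; configs with unknown versions are skipped, not failed."""
    if len(data) < 2:
        raise ValueError("ECHConfigList too short")
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("ECHConfigList length prefix disagrees with data")
    configs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated ECHConfig header")
        version, length = struct.unpack(">HH", body[pos:pos + 4])
        contents = body[pos + 4:pos + 4 + length]
        if len(contents) != length:
            raise ValueError("truncated ECHConfig")
        pos += 4 + length
        if version == ECH_VERSION_DRAFT:
            configs.append(_parse_contents(contents))
    return configs


def decode_ech_from_rr(rr_text: str) -> Optional[List[EchConfig]]:
    """None when the record has no ech= parameter, else the usable configs."""
    ech = extract_ech_param(rr_text)
    if ech is None:
        return None
    return parse_echconfig_list(base64.b64decode(ech))


def build_sample_echconfig_list(public_name: bytes = b"public.example",
                                version: int = ECH_VERSION_DRAFT) -> bytes:
    """Construct a syntactically valid ECHConfigList for offline use (placeholder key)."""
    public_key = bytes(32)  # placeholder, not a real X25519 key
    contents = (
        bytes([0x01])                                   # config_id
        + struct.pack(">H", 0x0020)                     # kem_id: DHKEM(X25519, HKDF-SHA256)
        + struct.pack(">H", len(public_key)) + public_key
        + struct.pack(">H", 4) + struct.pack(">HH", 0x0001, 0x0001)  # HKDF-SHA256, AES-128-GCM
        + bytes([64])                                   # maximum_name_length
        + bytes([len(public_name)]) + public_name
        + struct.pack(">H", 0)                          # no extensions
    )
    config = struct.pack(">HH", version, len(contents)) + contents
    return struct.pack(">H", len(config)) + config


# Constructed stand-in for one line of `dig +short HTTPS <name>` output.
SAMPLE_RR = '1 . alpn="h3,h2" ipv4hint=192.0.2.1 ech="%s"' % (
    base64.b64encode(build_sample_echconfig_list()).decode())

if __name__ == "__main__":
    for cfg in decode_ech_from_rr(SAMPLE_RR) or []:
        print("public_name=%s kem=0x%04x suites=%s" % (cfg.public_name, cfg.kem_id, cfg.cipher_suites))
```

To run it against a live record, pipe `dig +short HTTPS <name>` into `decode_ech_from_rr` one line at a time; a record whose ech= value fails to decode is worth flagging separately from a record with no ech= at all, since a client will treat the former as no usable ECH config.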
Firefox before 127 actually does require TRR to use ECH.
125 added an option to use the host resolver for HTTPS records, but only 127 enables it by default.
Good news!
Let me make sure I understand correctly:
With this change, will ECH be toggled/enabled by default, independently of DoH (in the browser or on the host system)? Or does this still require DoH but now supports DoH on the host instead of only in the browser?
@xe3
there are 3 relevant settings here:
1. network.dns.echconfig.enabled
   controls whether ECH will be attempted
2. network.trr.mode
   controls the state of the built-in resolver
3. network.dns.native_https_query
   controls whether or not to look up HTTPS records using the system resolver
ECH should work as long as 1 is enabled and either 2 or 3 is enabled.
In the case of using 3 over 2, you should still have your system use DoH or DoT as otherwise ECH isn’t very effective.