Does DNS over HTTPS (DoH) really do much to prevent snooping?

I tried opening websites with my web browser configured to use DoH, and had Wireshark listening. There’s a client hello for the websites visited and the site URL is shown. Doesn’t that mean that network administrators, the router manufacturer, and the internet service provider can all see what websites the DoH user visits?

1 Like

I believe some ISPs just use Google as their DNS, in that case choosing a DNS provider yourself might be more private.

When DoH is enabled Firefox will use ECH if the website supports it. [1]


2 Likes

My basic understanding is that encrypted DNS is most effective when paired with ECH[1]. But even without ECH, there may still be meaningful practical benefit to encrypted DNS on its own because it at least addresses the low-hanging fruit, and a common way that ISPs snoop on you.

A (possibly dumb) analogy, is while it is most effective to lock your doors and windows, if all you can do is lock your door, that is still a meaningful improvement that reduces the probability of a break in.

edit: @FranklyFlawless’s explanation below is well written, succinct and clearer than mine.
Also adding this link to Cloudflare’s encrypted SNI test page


  1. “Encrypted Client Hello”

3 Likes

DoH(3) encapsulates your DNS query using TLS encryption over port 443, so that means passive MITM eavesdroppers are no longer able to easily and readily harvest that information nor tamper with it. ECH is separate and splits the ClientHello into an encrypted inner and unencrypted outer layer before accessing the TLS 1.3 server, meaning that passive MITM eavesdroppers would be able to see a generic SNI from the unencrypted outer ClientHello instead of the domain name within the encrypted inner ClientHello.

3 Likes

Which browser did you use?

1 Like

Mullvad DNS on Librewolf (Firefox) and NextDNS on Helium (Chromium).

1 Like

(Hot take warning)

Even ECH is not a silver bullet. It only helps with sites hosted on a shared IP which supports it (i.e. Cloudflare), but if you’re connecting with Cloudflare protected sites you are exchanging your ISP being able to identify the domain you are visiting for Cloudflare seeing the entirety of your connection. You are only exchanging one middleman for another.

Of course, practically speaking, you don’t control if a site uses Cloudflare, so for sites which do obviously it does remove a middleman as Cloudflare will be there anyway.

But, speaking more philosophically about it, the entire DoH/ECH paradigm requires entities like Cloudflare to function and I honestly don’t really buy that it serves any real benefit to the wider internet beyond acting as marketing material for Cloudflare.

1 Like