DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

Enable ESNI for dnscrypt client #1572

Closed MonogameCoder closed 3 years ago

MonogameCoder commented 3 years ago

Hi all,

I would much like to see ESNI enabled in the next versions of dnscrypt, which would work with Firefox. Right now, I am only aware of Cloudflare's implementation of ESNI with Firefox, but for reasons I won't discuss here, I think that is far from ideal for those who started using dnscrypt back in the days of versions 1.xx.

This would allow more privacy for those privacy-centric people, because even if someone is sniffing your network, one wouldn't be able to know the hostname of the sites the user is visiting [ like in client-hello|server-hello requests ]. In other words, the perpetrator would only know about the IP addresses which the user is visiting, and such an individual wouldn't be able to learn anything about it [ I know you all know this already, I am just trying to follow the guidelines for requesting a new feature ].

I think the anonymized dns queries feature was a huge step forward, towards a more free internet. Therefore, I think enabling ESNI would bring great value to this project, and as we all know dnscrypt contributed significantly to a safer internet, and we can already witness big tech companies starting to adopt the technology.

I am not sure exactly [ this is not the field of my expertise ] if the DNS servers would have to first implement it in order for dnscrypt to work with ESNI [ highly likely in my opinion ], but in my view it would be a great contribution to this project to implement ESNI first, as I think servers would follow the trend and implement ESNI altogether.

I hope this request is relevant to this project as I am confident this is a big deal.

Thank you for your time, and I look forward to hearing back from anyone.

Regards

PS: I think, due to the complexity of the code of this project, by that I mean it doesn't seem too complex, I will be able to contribute in future versions of dnscrypt. If I find the time, I will certainly try to join the team.

jedisct1 commented 3 years ago

See the documentation: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH

MonogameCoder commented 3 years ago

> See the documentation: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH

Dear Jedisct1,

Thank you for your reply, but unfortunately I was unable to deploy it correctly. I did everything right, I also created a new certificate using openssl, however when I try to browse websites I get the infamous error "http: TLS handshake error from 127.0.0.1:40850: remote error: tls: bad certificate". Well, the solution to this is suggested in the article, however, I never get the prompt to "Click "Advanced" and "I accept the risks"". Firefox simply browses the websites without any prompt.

Any help is greatly appreciated. Am I missing anything, or is my Firefox blocking such prompts? I limited the number of cipher suites supported in Firefox and allow only the safe ones, which may be the cause of the issue.

I look forward to a reply!

progandy commented 3 years ago

Try to open 127.0.0.1:40850 as well as localhost:40850.

Another option to add the certificate would be in the firefox preferences

Open Options/Preferences -> Privacy & Security -> Certificates: View Certificates -> Tab "Server"

Click the button to add an exception and fill in the dialog.

Anyways, ESNI might not be working since Firefox disabled the old ESNI experiment and implemented the newer ECH draft (I am not completely sure if that is in 84 or only 85 and later). As far as I know, Cloudflare hasn't updated their experimental server implementation yet. https://bugzilla.mozilla.org/show_bug.cgi?id=1667801

MonogameCoder commented 3 years ago

Hi progandy,

Thank you for your reply. I felt a bit discouraged when I read the wiki info on ESNI etc., but I wanted to give it a try just to see how it works. Thank you for the reference as well, and it seems like something better might be on the way in the near future, at least I hope. SNI is a huge issue in my view, because unless you use an anonymous proxy with SOCKS5, SNI would be visible to anyone sniffing on the network.

Also, with regard to adding an exception in ff, I don't like the idea of adding server certificate exceptions as I read it introduces privacy issues, but just for testing purposes it would be fine I think.

Anyways, thank you for your input. If you catch any news in the future about ECH, feel free to drop a line in this closed thread or by email, I'd appreciate that. I will stay tuned on this particular subject anyways, but just in case I miss something.

Regards,

jedisct1 commented 3 years ago

FWIW, ECH seems to work fine in Firefox Nightly.

MonogameCoder commented 3 years ago

Hi, I found the 2 culprits why it was not working.

1) security.pki.mitm_detected was one of them.
2) If I open a Firefox private tab directly, it wouldn't allow me to add the certificate permanently. So I have to start Firefox normally, add the certificate permanently and only then open a private tab. For some reason, this only lasts until the next ff restart.

ESNI works now 👍

MonogameCoder commented 3 years ago

> FWIW, ECH seems to work fine in Firefox Nightly.

I would like to ask you one last thing: I read the ECH draft, and aren't ECH and ESNI the same thing? Is it not just a new draft that's been underway?

Thanks

jedisct1 commented 3 years ago

ESNI was an early prototype. It didn't provide the confidentiality people thought it did. The protocol evolved and was renamed to ECHO, then to ECH, by the way.

It is still not done yet, and may be renamed again :)

MonogameCoder commented 3 years ago

Ok, thank you for the info. I also read that some governments were blocking it, so that makes sense, and I am sure something better will come out in due time. Hopefully more servers will embrace/advocate it like Cloudflare.

jedisct1 commented 3 years ago

Governments and companies are also requiring root certificates to be installed, making ECH and DoH useless. Cat and mouse game.

MonogameCoder commented 3 years ago

> Governments and companies are also requiring root certificates to be installed, making ECH and DoH useless. Cat and mouse game.

Hi Jedisct1, I just have a question about the TLS version for the handshake. I see this: "TLSv1.0 Used in Session". Why is that? My self-signed cert says it is version 3 and I tweaked this here: tls_cipher_suite = [4865, 4867], and whenever I try Cloudflare I get this message of TLSv1.0 used.

Any clues what could be wrong?

Thanks
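Added example, not part of this thread or of dnscrypt-proxy's own code: a small Go program using the standard crypto/tls library (the same library dnscrypt-proxy is built on) that reproduces two things discussed above. First, the "remote error: tls: bad certificate" line from the Local-DoH attempt: a client that does not trust the self-signed certificate aborts the handshake, and that is exactly the error the server side logs. Second, the numeric cipher suite IDs in tls_cipher_suite (4865 and 4867) are decoded to their names, and the negotiated protocol version is read back from the connection state, which is how to verify locally whether TLS 1.3 is actually in use. Everything runs on loopback with a throwaway certificate generated in memory; the function names (SuiteNames, Handshake, selfSignedCert, VersionName) and the certificate details are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SuiteNames decodes cipher suite IDs as written in dnscrypt-proxy's
// tls_cipher_suite setting (decimal) into IANA names. Unknown IDs come back as hex.
func SuiteNames(ids []uint16) []string {
	names := make([]string, 0, len(ids))
	for _, id := range ids {
		names = append(names, tls.CipherSuiteName(id))
	}
	return names
}

// VersionName renders the protocol version number stored in tls.ConnectionState.
func VersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLSv1.0"
	case tls.VersionTLS11:
		return "TLSv1.1"
	case tls.VersionTLS12:
		return "TLSv1.2"
	case tls.VersionTLS13:
		return "TLSv1.3"
	}
	return fmt.Sprintf("0x%04X", v)
}

// selfSignedCert builds a throwaway ECDSA certificate for "localhost" (constructed for the demo).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// HandshakeResult captures what each side of a loopback handshake observed.
type HandshakeResult struct {
	Version   uint16 // negotiated protocol version seen by the client (0 on failure)
	Suite     string // negotiated cipher suite name seen by the client
	ClientErr error  // client-side handshake error, if any
	ServerErr error  // server-side handshake error, if any
}

// Handshake runs one TLS handshake over loopback against a server using the
// self-signed certificate. With trustServer=true the client pins that certificate
// as its only root (what "accept the risk" in a browser amounts to); with false the
// client's trust store is empty, so verification fails and the server sees the
// "bad certificate" alert.
func Handshake(trustServer bool) HandshakeResult {
	serverCert, leaf, err := selfSignedCert()
	if err != nil {
		return HandshakeResult{ClientErr: err}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return HandshakeResult{ClientErr: err}
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12})
		srvErr <- s.Handshake()
	}()

	roots := x509.NewCertPool() // empty: nothing is trusted unless we add the pin below
	if trustServer {
		roots.AddCert(leaf)
	}
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return HandshakeResult{ClientErr: err}
	}
	c := tls.Client(raw, &tls.Config{ServerName: "localhost", RootCAs: roots, MinVersion: tls.VersionTLS12})
	defer c.Close()

	var res HandshakeResult
	if err := c.Handshake(); err != nil {
		res.ClientErr = err
	} else {
		st := c.ConnectionState()
		res.Version = st.Version
		res.Suite = tls.CipherSuiteName(st.CipherSuite)
	}
	res.ServerErr = <-srvErr
	return res
}

func main() {
	fmt.Println("tls_cipher_suite = [4865, 4867] ->", SuiteNames([]uint16{4865, 4867}))
	ok := Handshake(true)
	fmt.Printf("pinned cert: version=%s suite=%s client=%v server=%v\n", VersionName(ok.Version), ok.Suite, ok.ClientErr, ok.ServerErr)
	bad := Handshake(false)
	fmt.Printf("untrusted cert: client=%v\n                server=%v\n", bad.ClientErr, bad.ServerErr)
}
```

Two things worth noticing when running it: the server-side error in the untrusted case is the same string the thread quotes from the Local-DoH log, which tells you the problem is on the client's trust store, not the server's certificate; and in the pinned case the negotiated version is TLS 1.3 with one of the three TLS 1.3 suites, since Go's crypto/tls does not let the CipherSuites setting restrict TLS 1.3 suites (that setting only affects TLS 1.2 and below).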