celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Odd dns issue #389

Closed Horizonbli closed 2 years ago

Horizonbli commented 2 years ago

Hey there

There seems to exist a conflict between Google chrome and RethinkDNS dns. Whatever DoH service that I use in RethinkDNS, won't work. It doesn't matter if I disable chrome or secure DNS setting.

I did a small test, and I set Chrome's secure DNS to applied privacy DoH and RethinkDNS to OpenDNS and its applied privacy doh that prevails.

Oddly enough, RethinkDNS says I'm protected. OpenDNS test page shows I am not using their service.

Any ideas?

Thanks

Edit: it seems to me that only Chrome's built-in doh options work?

ignoramous commented 2 years ago

Hi: Yes, Chrome's built-in secure DNS (DoH) would override whatever DoH is set in RethinkDNS.

You can prevent Chrome from connecting to endpoints (IPs) it resolves on its own (via secure DNS / DoH) by enabling Block connections when DNS is bypassed (experimental) from the Universal firewall page in the RethinkDNS app.

Horizonbli commented 2 years ago

Setting that option blocked internet connectivity altogether. I disabled RethinkDNS dns and ran Nebulo (non VPN mode), linking it to RethinkDNS firewall. It resolves dns queries just fine. Chrome's built-in dns didn't override Nebulo's.

Why wouldn't the same happen with RethinkDNS dns?

ignoramous commented 2 years ago

> Setting that option blocked internet connectivity altogether.

That's an exaggeration (: RethinkDNS rightfully blocked all connections to IPs that were resolved by Chrome's secure DNS. Works as expected. Other apps shouldn't see any connectivity problems (unless those are doing their own DNS too).

> Why wouldn't the same happen with RethinkDNS dns?

Because if a user explicitly wants to use secure dns in Chrome, RethinkDNS rightly does not (in fact, cannot) interfere. Not sure what Nebulo does (I should ask @Ch4t4r if Nebulo does anything special) but you can select Prevent Bypass from [RethinkDNS blocklists](https://rethinkdns.com/configure) to see if it then helps prevent Chrome from using secure DNS.

Ch4t4r commented 2 years ago

Nebulo intercepts traffic sent to the network's default DNS server and a bunch of known ones. If it cannot read the traffic it is thrown away - which would cause no connectivity for the user. Better than a DNS leak, I guess.

ignoramous commented 2 years ago

Thanks @Ch4t4r

A list of built-in DNS providers for whom Chrome auto-upgrades connections opportunistically to DoH is found here: net/dns/public/doh_provider_entry.cc:

adult-filter-dns.cleanbrowsing.org, family-filter-dns.cleanbrowsing.org, doh.cleanbrowsing.org, security-filter-dns.cleanbrowsing.org, chromium.dns.nextdns.io, chrome.cloudflare-dns.com, 1dot1dot1dot1.cloudflare-dns.com, one.one.one.one, dns.google, dns.google.com, 8888.google, dnsnl.alekberg.net, doh.xfinity.com, dot.xfinity.com, odvr.nic.cz, dns.sb, dot.cox.net, doh.cox.net, doh.dns.sb, public.dns.iij.jp, doh.opendns.com, dot.quickline.ch, doh-01.spectrum.com, doh-02.spectrum.com, dns.switch.ch, dns.quad9.net, dns9.quad9.net, dns10.quad9.net, dns11.quad9.net, doh.familyshield.opendns.com

For the DoH servers a user manually enters into Chrome, well either DoH blocklists like EchoGeckoIT/DoH Hosts need to be used (which of course isn't fool-proof), or simply give up blocking those.
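The two mitigations discussed in this thread (the "Block connections when DNS is bypassed" option, which drops flows to IPs the tunnel's resolver never answered, and a DoH-endpoint blocklist, which refuses the browser's bootstrap connection to known DoH servers) can be modelled with a small connection tracker. The code below is an added illustration written for this issue, not code from rethink-app or firestack; the `DnsBypassGuard` class, the `replay` helper, the constructed event sequence and the documentation-range IPs (203.0.113.10, 2001:db8::1) are assumptions, and the DoH hostname set is a subset of the `doh_provider_entry.cc` excerpt quoted above.

```python
"""Toy connection tracker showing why a browser doing its own DoH gets its
flows blocked when 'Block connections when DNS is bypassed' is on, and how a
DoH-endpoint blocklist stops the bypass one step earlier (hypothetical model)."""
import ipaddress
from dataclasses import dataclass, field

# Hostnames Chrome auto-upgrades to DoH, subset of the list quoted from
# net/dns/public/doh_provider_entry.cc in this thread.
CHROME_AUTO_UPGRADE_DOH = {
    "dns.google", "dns.google.com", "8888.google",
    "chrome.cloudflare-dns.com", "1dot1dot1dot1.cloudflare-dns.com", "one.one.one.one",
    "doh.opendns.com", "doh.familyshield.opendns.com",
    "dns.quad9.net", "dns9.quad9.net", "dns10.quad9.net", "dns11.quad9.net",
    "chromium.dns.nextdns.io", "doh.cleanbrowsing.org",
}


@dataclass
class DnsBypassGuard:
    block_bypass: bool = True          # "Block connections when DNS is bypassed"
    block_doh_endpoints: bool = False  # "Prevent Bypass"-style DoH/DoT blocklist
    # ip -> (hostname, expiry); filled only from the tunnel resolver's own answers
    _resolved: dict = field(default_factory=dict)

    def record_answer(self, hostname: str, ip: str, ttl: int, now: float) -> None:
        """Called for every A/AAAA answer the tunnel's resolver hands back."""
        ip = str(ipaddress.ip_address(ip))  # normalise, e.g. IPv6 zero-compression
        self._resolved[ip] = (hostname.lower().rstrip("."), now + ttl)

    def decide(self, dst_ip: str, dst_port: int, now: float) -> tuple:
        """Return (verdict, reason) for a new outbound flow."""
        dst_ip = str(ipaddress.ip_address(dst_ip))
        hostname, expiry = self._resolved.get(dst_ip, (None, 0.0))
        if hostname is None or expiry <= now:
            # The app learned this IP elsewhere: its own DoH/DoT, a hard-coded
            # address, or a cache entry whose TTL has already run out.
            if self.block_bypass:
                return "block", "dns-bypass"
            return "allow", "dns-bypass (logged only)"
        if dst_port == 853:
            # DoT never goes through the tunnel resolver; treat like DoH.
            verdict = "block" if self.block_doh_endpoints else "allow"
            return verdict, f"dot-endpoint {hostname}"
        if dst_port == 443 and hostname in CHROME_AUTO_UPGRADE_DOH:
            # Bootstrap connection to a DoH server the tunnel resolved for the app.
            verdict = "block" if self.block_doh_endpoints else "allow"
            return verdict, f"doh-endpoint {hostname}"
        return "allow", f"resolved-via-tunnel {hostname}"


def replay(guard: DnsBypassGuard, events: list) -> list:
    """Feed ('dns', host, ip, ttl, t) / ('conn', ip, port, t) events; return verdicts."""
    verdicts = []
    for ev in events:
        if ev[0] == "dns":
            guard.record_answer(*ev[1:])
        else:
            verdicts.append(guard.decide(*ev[1:]))
    return verdicts


# Constructed sequence (not captured traffic): Chrome resolves dns.google through
# the tunnel, bootstraps DoH, then connects to an IP it only learned over DoH.
SAMPLE_EVENTS = [
    ("dns", "dns.google", "8.8.8.8", 300, 100.0),    # answered by tunnel resolver
    ("conn", "8.8.8.8", 443, 101.0),                  # Chrome's DoH bootstrap
    ("conn", "203.0.113.10", 443, 102.0),             # IP obtained via DoH only
    ("dns", "example.org", "2001:db8::1", 60, 103.0),  # answered by tunnel resolver
    ("conn", "2001:db8::1", 443, 104.0),              # within TTL -> allowed
    ("conn", "2001:db8::1", 443, 200.0),              # TTL expired -> looks bypassed
]

if __name__ == "__main__":
    for verdict, reason in replay(DnsBypassGuard(), SAMPLE_EVENTS):
        print(verdict, reason)
```

With the defaults the bootstrap to dns.google is allowed (the tunnel resolved it) while the flow to 203.0.113.10 is blocked, which is exactly the "no connectivity in Chrome, other apps fine" outcome reported above; setting `block_doh_endpoints=True` blocks the bootstrap instead, so a browser that falls back to system DNS keeps working. The expired-TTL case shows why a real implementation needs to keep answers a little longer than their TTL, or connections will be misclassified as bypassed.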

Horizonbli commented 2 years ago

> Setting that option blocked internet connectivity altogether.
>
> That's an exaggeration (: RethinkDNS rightfully blocked all connections to IPs that were resolved by Chrome's secure DNS. Works as expected. Other apps shouldn't see any connectivity problems (unless those are doing their own DNS too).
>
> Why wouldn't the same happen with RethinkDNS dns?
>
> Because if a user explicitly wants to use secure dns in Chrome, RethinkDNS rightly does not (in fact, cannot) interfere. Not sure what Nebulo does (I should ask @Ch4t4r if Nebulo does anything special) but you can select Prevent Bypass from [RethinkDNS blocklists](https://rethinkdns.com/configure) to see if it then helps prevent Chrome from using secure DNS.

I did what you suggested, and I set RethinkDNS dns to use RethinkDNS Plus. It appears to be working, and Chrome doesn't seem to override it. Preventing dns bypass does disconnect me. Not sure why, if it works fine for you. I'm going to test this with other RethinkDNS dns built-in options.

I'm wondering if RethinkDNS doesn't deal well with custom entries. Could that be the problem?

ignoramous commented 2 years ago

Glad it worked. Btw, a more comprehensive solution is tracked at #390

I am not sure when we'd begin working on it given users enable secure DNS / DoH only when they want Chrome / Firefox to use that alternative DNS in the first place.