Is ESNI enabled by default when using DoH? #941
Comments
How can ESNI be enabled in dnscrypt-proxy? Is there a line to write in dnscrypt-proxy.toml?
@jedisct1 A bug from Firefox does not address the point. So supposedly dnscrypt-proxy should encrypt SNI by default (even though ESNI checker by Cloudflare doesn't display it), but the image posted by @mkirisame shows SNI is actually unencrypted.
ESNI doesn't exist yet, it's still being designed. What exists is an early experiment by Cloudflare and Mozilla, that turned out to be a good marketing tool. The web browser decides whether to enable this or not. Right now, the rule hardcoded in Firefox is "enable it only if Firefox was configured to directly talk to Cloudflare DNS, and the user tries to connect to a Cloudflare customer". The linked issue is not a bug. It's about an intentional limitation.
It can actually be enabled in Firefox by setting
You don't have to just use a DNS-over-HTTPS provider. You have to configure Firefox to do the resolution itself, bypassing all system settings.
@Mikaela I'm aware of it, I was hoping to have it at router level to serve all clients. Thank you for pointing it out, and thank you @jedisct1 for your work and @mkirisame for the test. And thank you too @uBlock-user, I read that comment already, but I thought it was just an issue with Cloudflare's website.