Is ESNI enabled by default when using DoH?

[35609902357]

No description provided.

[ghost]

No my friend, DoH does not encrypt SNI header.

Please stay safe!

[35609902357]

How can ESNI be enabled in dnscrypt-proxy? Is there a line to write in dnscrypt-proxy.toml?

[jedisct1]

https://bugzilla.mozilla.org/show_bug.cgi?id=1500289

[35609902357]

@jedisct1 A bug from Firefox does not address the point. So supposedly dnscrypt-proxy should encrypt SNI by default (even though ESNI checker by CloudFlare doesn't display it), but the image posted by @mkirisame shows SNI is actually unencrypted.

[jedisct1]

ESNI doesn't exist yet, it's still being designed.

What exists is an early experiment by Cloudflare and Mozilla, that turned out to be a good marketing tool. The web browser decides whether to enable this or not.

Right now, the rule hardcoded in Firefox is "enable it only if Firefox was configured to directly talk to Cloudflare DNS, and the user tries to connect to a Cloudflare customer".

The linked issue is not a bug. It's about an intentional limitation.

[uBlock-user]

#622 (comment)

[Mikaela]

It can actually be enabled in Firefox by setting network.security.esni.enabled;true in about:config, but you have to use a DNS-over-HTTPS provider (that doesn't have to be Cloudflare, while that is the only one Firefox ships with). https://bugzilla.mozilla.org/show_bug.cgi?id=1542754#c3 is another bug worth mentioning.

[jedisct1]

You don't have to just use a DNS-over-HTTPS provider. You have to configure Firefox to do the resolution itself, bypassing all system settings.

[35609902357]

@Mikaela I'm aware of it, I was hoping to have it at router level to serve all clients. Thank you for pointing it out, and thank you @jedisct1 for your work and @mkirisame for the test. And thank you too @uBlock-user, I read that comment already, but I thought it was just an issue with Cloudflare's website.