Ability to change DoH #182

Closed
molaeiali opened this issue Mar 5, 2021 · 6 comments
Labels
enhancement New feature or request

Comments

@molaeiali

As of right now, the DoH providers ProtonMail is using are hardcoded in the code, and are:

dns11.quad9.net
dns.google

var dohProviders = []string{ //nolint[gochecknoglobals]

The problem is, in some authoritarian countries like Iran, the government is trying to block DoH for obvious reasons.

It would be great if it were possible to change the DoH provider to whatever the user wants to use; for example, maybe someone wants to use Cloudflare or NextDNS or pi-dns or their own DNS, etc. Or there could be an option that disables the hardcoded providers and makes the app respect system settings; I myself am using systemd-resolved to achieve the same goal.
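
One way the two options requested above could be parsed and validated, as an added example that is not code from this issue or from Bridge. The setting values, the `system` keyword, `DoHConfig`, `ParseDoHSetting` and the `doh.example.net` host are assumptions; the two default URLs are the `provider=` values from the logs posted in this thread.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Defaults taken from the provider= fields of the log lines in this thread.
var defaultDoH = []string{
	"https://dns11.quad9.net/dns-query",
	"https://dns.google/dns-query",
}

type DoHConfig struct { // hypothetical settings type, not part of Bridge
	UseSystemResolver bool     // true: skip DoH and use the OS resolver
	Providers         []string // ordered DoH endpoints to try
}

// ParseDoHSetting reads a hypothetical user setting: "" keeps the defaults,
// "system" defers to the OS resolver, otherwise a comma-separated URL list.
func ParseDoHSetting(raw string) (DoHConfig, error) {
	switch raw = strings.TrimSpace(raw); raw {
	case "":
		return DoHConfig{Providers: append([]string(nil), defaultDoH...)}, nil
	case "system":
		return DoHConfig{UseSystemResolver: true}, nil
	}
	var cfg DoHConfig
	seen := map[string]bool{}
	for _, item := range strings.Split(raw, ",") {
		u, err := url.Parse(strings.TrimSpace(item))
		if err != nil {
			return DoHConfig{}, fmt.Errorf("invalid DoH URL %q: %w", item, err)
		}
		// Refuse plaintext schemes, missing hosts and embedded credentials.
		if u.Scheme != "https" || u.Hostname() == "" || u.User != nil {
			return DoHConfig{}, fmt.Errorf("DoH URL %q: need https, a host, no userinfo", item)
		}
		if key := u.String(); !seen[key] {
			seen[key] = true
			cfg.Providers = append(cfg.Providers, key)
		}
	}
	return cfg, nil
}

func main() {
	fmt.Println(ParseDoHSetting("https://doh.example.net/dns-query")) // constructed sample value
}
```

Rejecting anything other than `https` means a user override can add or reorder providers but cannot silently downgrade lookups to plaintext DNS.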

@andrzejsza andrzejsza added the enhancement New feature or request label Mar 5, 2021
@andrzejsza

Thanks for the suggestion @molaeiali.
This is really not something that we, the Bridge team, can change anyway, as those two are the only providers used for DoH across all Proton apps.
Do you have any personal experience where any of those were permanently blocked or is it just a matter of preference?

@molaeiali

molaeiali commented Mar 18, 2021

@andrzejsza Yes, I am actually getting these errors in Iran:

```
time="Mar 18 17:16:29.014" level=error msg="Failed to query DNS records" error="failed to make DoH request: Get https://dns11.quad9.net/dns-query?dns=HASH: net/http: TLS handshake timeout" provider="https://dns11.quad9.net/dns-query"
time="Mar 18 17:16:37.892" level=error msg="Timed out querying DNS records" provider="https://dns.google/dns-query"
time="Mar 18 17:16:37.893" level=error msg="Cannot get response" error="Get https://api.protonmail.ch/metrics?Action=first_start&Category=setup&Label=1.6.6: failed to find a usable proxy: timed out while refreshing proxy cache" pkg=pmapi userID=anonymous-1
time="Mar 18 17:16:37.893" level=error msg="Failed to send metric" error="cannot reach the server"
time="Mar 18 17:16:54.101" level=error msg="ProtonStatus is reachable but API is not" pkg=pmapi-manager
```

(I replaced the value after the quad9.net query with HASH; I didn't know if it was supposed to be secret or not. If it's needed, I can post it again.)

As you can see, it cannot use Quad9 and Google.

As I said, I myself am using DNSoverTLS using systemd, and among [google, cloudflare-dns, quad9, nextdns, pi-dns] only [nextdns and pi-dns] are working, although Cloudflare's DNSoverHTTPS on Firefox works fine!

To sum it all up, DoH and DoT are a mess here :)

What I am forced to do to use ProtonMail Bridge is proxy it through Tor.

@molaeiali

molaeiali commented Mar 18, 2021

Now that you said it's being used in all Proton apps, these issues may be related, I don't know.

> DoH across all Proton apps

https://github.com/ProtonVPN/linux-cli/pull/237
https://github.com/ProtonVPN/linux-cli/issues/235
https://github.com/ProtonVPN/linux-cli/issues/126

@andrzejsza

Would you mind getting in touch with support at bridge@protonmail.ch? We'd like to see some of your logs and have more detailed questions.

@molaeiali

Of course, sending an email right now, sorry for being late.

BTW, I have been maintaining the Arch Linux AUR packages for a while and got in touch with this email once, and then never heard back, so I decided not to contact that way, but I'll send another email now, hoping that I get a reply!

@andrzejsza

Closing as things have been working OK for a while.
