by Klathmon 2945 days ago
There was a good chunk of time where my ISP (Verizon FIOS at the time) was having some kind of DNS hijacking attack happening where many CDN IPs were being replaced with an IP of a server that was adding some ad-injecting JavaScript into many pages (and god knows what else, I still have the payload laying around somewhere as I saved it for future curiosity).

At the time my only real recourse was to pump my whole house through a VPN, as even Google's DNS (8.8.8.8) was being hijacked, but ONLY when it was coming from my home IP. (Full disclosure, I'm not very well versed in the networking stack. I know enough to get myself in trouble, but not much more. This was what I understood to be happening, but I could be way off base. However it was happening on multiple devices, multiple OSs, multiple Verizon IPs, multiple DNS servers, both with and without a router, and would stop instantly if any of those machines were pointed at a wireless hotspot, or a VPN was turned on. At one point I even sent my router's WAN connection through my phone's hotspot and the problem went away.)

After talking with Verizon many times and each time having to spend an hour or so trying to get through to someone that knew even remotely what I was talking about, all they were able to do was reset my IP, which fixed nothing.

Now that DNS-over-HTTPS is becoming more common, I'm going to use it everywhere I can. Yes, DNSSEC might be a "better" solution, but I can use DoH right now to protect myself on all sites and (hopefully soon) all devices.

Just the other day I discovered Intra [0], a (still unreleased) app by Google for Android which has your whole Android phone use DNS-over-HTTPS.

I've been running it the last few days and I'm quite pleased with it. Does anyone know of a way to force all DNS queries in Windows to use DoH?

[0] https://play.google.com/store/apps/details?id=app.intra&hl=e...

4 comments

I don't think DNS-over-HTTPS precludes the use of DNSSEC - I think the intent is that eventually, you will in fact use both in tandem. DNSSEC alone would only give you the ability to check the integrity of a record, but DNS-over-HTTPS makes the transaction confidential and prevents third parties from censoring the request.
I guess I was just heading off the flurry of comments along the lines of "Why use DoH when we have DNSSEC?" that always seem to come up when discussing DoH.
DNSSEC has no encryption. It's not for privacy at all.
Right, DNSSEC is about validating the authenticity of the DNS Record in a DNS Message, whereas DNS-over-TLS/HTTPS is about establishing authenticity and privacy with the upstream resolver.

In theory if the upstream resolver is using DNSSEC to validate all the Records, then the client over the TLS session can be fairly confident in the Records it receives.

> Does anyone know of a way to force all DNS queries in windows to use DoH?

I think you could use pi-hole to do this. https://docs.pi-hole.net/guides/dns-over-https/

You could also run your own DNS server as well, like CoreDNS, and configure it to resolve through DNS-over-HTTPS. I'm sure this is about the same thing, but it's worth noting that you could possibly use your existing router or NAS to run the software.
Thanks a ton, this looks fantastic! Do you know if it's possible to set up Pi-hole to use this (and possibly other features) but not do any adblocking?
I'm using cloudflared [0] for this. Allows me to have system-level DoH and everything uses it (unless explicitly configured not to). Working on Linux machines (amd64 and aarch64) and macOS.

The documentation is not great / accurate, but with a bit of fiddling I have it running as a systemd service (launchctl on macOS). I'm using the /metrics endpoint to get details in Prometheus on the stats.

0. https://github.com/cloudflare/cloudflared

Sure, just deselect the blocklists in the GUI of your pi-hole.
Personally, I hijack all DNS requests made on my network at my router, then use a VPN tunnel to resolve them on a server that I control that runs unbound. My guess is that FIOS was doing the same to you, just without your interests in mind.

A similar setup to mine could be deployed at your network edge, and it could then force all of your port 53 DNS requests to go over a more secure protocol. Of course you would have to figure out how to set this up, and it wouldn't protect your devices anywhere except your home network.

> My guess is that FIOS was doing the same to you, just without your interests in mind.

It wasn't FIOS doing it; the IP was in Israel and was known as a malware-serving IP.

Could be your router was hacked too...
I had tried 2 different routers and got the same result, including bypassing the router at one point, and I even ran my router's WAN through a wireless hotspot on my phone at one point and saw the problem stop.
Great find with Intra. Installed and working well on Pixel XL 2.