by gormandizer 2435 days ago
Encrypted DNS is great. My only problem (as a Linux user) is that I want all DNS lookups on my machine to be performed by querying the servers listed in "/etc/resolv.conf". DoH as implemented by Firefox and Chrome breaks that.
5 comments

DoH as implemented in Chrome still queries the servers configured in /etc/resolv.conf. It just uses the DoH protocol rather than plain DNS if it recognizes the server as supporting DoH (according to its built-in whitelist). Firefox is the one forcing all DNS resolution through Cloudflare's DoH servers by default.

Personally I'm mostly OK with the Chrome approach for public domains but I still worry about applications bypassing the host resolution plugins configured in /etc/nsswitch.conf. In my case that means: files (/etc/hosts), mymachines (automatic local VM name resolution), mdns (*.local), and myhostname. If an app only looks at /etc/resolv.conf and doesn't use the system resolver then it won't be able to see any of these local names. In the end, domain resolution is a system function and not something applications should be implementing on their own.

> In the end, domain resolution is a system function

Then just put 127.0.0.1 in /etc/resolv.conf. nsswitch, particularly for hostname resolution, is fundamentally broken as it doesn't work well with asynchronous software architecture; nor does it work well in languages that don't depend on libc.

Systemd already supports being a local resolver, but see OpenBSD's unwind (https://man.openbsd.org/unwind) for an attempt to seamlessly handle DNSSEC, DoT (and eventually DoH), local Wi-Fi portals, and other issues.

Unbound supports DoT as well.

> My only problem (as a Linux user) is that I want all DNS lookups on my machine to be performed by querying the servers listed in "/etc/resolv.conf".

I fear that they're going to end up seeing the inner-platform effect as a way to increase security: Browser makers decide they can't trust Standard OS Component Z, so they implement it themselves inside the browser, and lock it down so their imagined Non-Technical User can't be tricked into changing it to their own detriment. Now you have behavior inside your browser you can't configure because configurability in the wrong hands is a security hole... you're welcome.

https://en.wikipedia.org/wiki/Inner-platform_effect

I don’t necessarily see a problem with this. If OS vendors want to be more than just another layer for running a browser then they need to catch up fast to the work that browsers are doing.

It is insane that connecting to a network is entering into a trust relationship with the local network operator.

It's silly that most apps run with the full privilege of the user that ran them.

These were fine decisions when they were made years and years ago but browsers have second-mover advantage and aren’t burdened nearly as much by backwards compatibility.

There is a solution for that -- install a local resolver that makes queries using DoT/DoH/DNSCurve/DNS-over-WireGuard/whatever but answers them using ordinary UDP DNS, then make that your DNS server in /etc/resolv.conf.
The default configuration for most Linux distros is to set 127.0.0.1 as the resolver in /etc/resolv.conf, and then something like systemd-resolved takes care of doing the "right thing".

Why exactly can't you set up something like dnscrypt-proxy and just turn off DoH within the browser? That is exactly what you are looking for, no?

I am currently using both, and as someone at work, I am glad for DoH being built in on Firefox.

Turning it off in the browser is a PITA, even for just a home user. Family of 4 and if I wanted to turn it off I'd need to do it on 9 computers, 3 tablets, 4 phones and 2 set top boxes. Not saying we're exactly average... but the shit adds up fast. [edit: +1 computer, forgot one]
AFAIK as of now DoH isn't turned on by default in any browser.

You should look into DoT instead.

How exactly does DoT make any of this any better? Conceptually, your local system resolver can use DoH just as easily as DoT. The primary difference between the two protocols, from a pragmatic perspective, is that DoT can be blocked by ISPs and network providers, and DoH is harder to block.

I've been doing DNS over TLS with pfSense for over a year now.

The problem as I understand it is that Firefox and Chrome will soon default to DoH. Now I have to remember to go in and change default app settings. Ok not a huge deal with just two apps but yet something else I shouldn't have to do.

Just set your network resolver to return NXDOMAIN for the canary domain use-application-dns.net. (https://support.mozilla.org/en-US/kb/canary-domain-use-appli...)

That will signal to firefox (at least) to disable DoH and use the system resolver.
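The two pieces of advice above (run a local resolver that speaks DoT upstream but plain DNS to the host, and have that resolver answer NXDOMAIN for the Firefox canary domain) can be combined in one Unbound configuration. This is an added example, not from any commenter in the thread or from the Unbound project; the upstream resolver addresses, the authentication hostnames and the CA bundle path are assumptions you should replace with your own choices.

```conf
# Added example: Unbound as a local forwarding resolver.
# - listens on 127.0.0.1 / ::1 for ordinary UDP and TCP DNS
# - forwards every query upstream over DNS-over-TLS (port 853), verifying
#   the upstream certificate against the hostname after '#'
# - answers NXDOMAIN for use-application-dns.net so Firefox keeps using
#   the system resolver instead of switching to DoH by default
# Addresses, hostnames and the CA bundle path are assumptions.
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # CA bundle used to validate the upstream TLS certificate
    # (Debian-style path; adjust for your distribution).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Firefox looks this name up before enabling DoH; an NXDOMAIN answer
    # tells it to stay on the system resolver.
    local-zone: "use-application-dns.net." always_nxdomain

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Syntax is IP@port#authname; the name is checked against the
    # certificate presented by the upstream server.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Run `unbound-checkconf` before reloading, then point /etc/resolv.conf at `nameserver 127.0.0.1`. A quick check: `dig @127.0.0.1 use-application-dns.net` should report `status: NXDOMAIN` while `dig @127.0.0.1 example.com` still resolves, and outbound TCP 853 must be permitted for the forwarders to work. The canary only disables Firefox's default-on DoH; a profile where DoH was turned on explicitly in the settings ignores it, and the Chrome auto-upgrade described earlier is governed by its own server list rather than by this domain.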