@avoidik
Last active August 24, 2023 11:24
Enable DoH and ESNI in Firefox

How to enable DoH and ESNI

Firefox Configuration

  1. Open about:config
  2. Set network.trr.bootstrapAddress to the IP address of your DNS server
  3. Set network.trr.custom_uri to https://here.goes.hostname/dns-query
  4. Set network.trr.mode to 2 (prefer TRR, fall back to native DNS if TRR is unavailable) or to 3 (use TRR only, no fallback)
  5. Set network.trr.uri to https://here.goes.hostname/dns-query
  6. Set network.trr.disable-ECS to false
  7. Set network.trr.credentials to the HTTP authorization value the DoH server expects, i.e. the base64 of user:password (something like Basic dXNlcjpzdXBlcnNlY3JldA==)
  8. Set network.security.esni.enabled to true
  9. Visit https://www.cloudflare.com/ssl/encrypted-sni/ and check ESNI

Chrome Configuration

Create a new shortcut to Chrome and add the following command-line parameters to it

chrome --enable-features="DnsOverHttps<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:Fallback/true/Templates/https%3A%2F%2Furl.goes.here%2Fdns-query"

How to configure TRR to accept basic authentication? No idea, ¯\_(ツ)_/¯

Useful links

The configuration chain is as follows: Nginx DoH (LE HTTPS) > DoH Server (127.0.0.1:8053) > Pi-Hole (127.0.0.1:53) > DNSCrypt (127.0.2.1:53) > Cloudflare

https://www.bentasker.co.uk/documentation/linux/407-building-and-running-your-own-dns-over-https-server

https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/

https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-Debian-and-Ubuntu

https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux

https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0

https://github.com/commonshost/dohnut

Known subtleties

No DNS resolution after uninstalling Pi-Hole - pi-hole/pi-hole#2148

Make Pi-Hole listen on the loopback interface only while keeping the Web UI exposed externally

$ head -n2 /etc/pihole/setupVars.conf
PIHOLE_INTERFACE=eth0
PIHOLE_INTERFACE=lo
$ grep 'interface' /etc/dnsmasq.d/01-pihole.conf
interface=lo
$ cat /etc/dnsmasq.d/02-local.conf
listen-address=127.0.0.1
interface=lo
bind-interfaces

Have nginx serve a robots.txt that disallows all crawlers

    location = /robots.txt {
        add_header Content-Type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

Handle the "[ERROR]: Unable to parse results from queryads.php: Unhandled error message ()" message

Password protected areas

printf "abc:$(openssl passwd -apr1 def)\n" | sudo tee /etc/nginx/.htpasswd
echo -n "abc:def" | base64 -w0; echo
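Before pointing Firefox at a DoH server that sits behind basic authentication (the network.trr.custom_uri and network.trr.credentials steps above, and the base64 one-liner here), it helps to verify the endpoint with a request built the same way the browser builds it. The following is an added example, not code from the gist: it produces the credential value, an RFC 8484 GET request in DNS wire format, and parses the IPv4 answers out of a response. The hostname here.goes.hostname is an assumption, and any response bytes you feed to the parser must be captured from your own server.

```python
import base64
import struct

def basic_credential(user: str, password: str) -> str:
    """Value for network.trr.credentials: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035); ID 0 as RFC 8484 suggests for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN

def build_doh_get(uri: str, name: str, credential: str = ""):
    """RFC 8484 GET request: the ?dns= parameter carries the query as unpadded base64url."""
    dns_param = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode()
    headers = {"Accept": "application/dns-message"}
    if credential:                      # what Firefox sends as the Authorization header
        headers["Authorization"] = credential
    return f"{uri}?dns={dns_param}", headers

def _skip_name(msg: bytes, off: int) -> int:  # advance past a (possibly compressed) name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg: bytes) -> list[str]:
    """Return IPv4 answers from a wire-format response; [] when RCODE is non-zero."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:                  # e.g. SERVFAIL from a misconfigured upstream
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips
```

Pass the returned URL and headers to curl or urllib to exercise the server; basic_credential("abc", "def") yields exactly the value the base64 one-liner above prints, prefixed with "Basic ".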

Permissions to gravity.db

usermod -a -G pihole www-data

Check

https://tls13.1d.pw/ (only two cats, I repeat two cats)

https://www.cloudflare.com/ssl/encrypted-sni/

https://www.dnsleaktest.com/

https://dnssec.vs.uni-due.de/
