
Firefox and Chrome at least have both implemented this.

Apple supports it at system level since Big Sur or Monterey I believe, but with limited efficacy, since use of network extensions (Lulu, Little Snitch etc.) silently bypasses a provisioning profile DNS over HTTPS setup. It works fine on mobile though.

The suggestion is for Orion to support selection of a DNS-over-HTTPS server, and allow entry of a custom URL. This is good for privacy and security, as it helps users to avoid relying on their ISP DNS. You can also do host-level ad/tracker/malicious content filtering.

Firefox implementation:

A couple of "defaults" are available (if you enable the feature, which I believe is currently default-off, Cloudflare is the selected default).

And you can enter your own server URL if you like:


    gp What is the purpose of this feature? If the user wants to avoid using their ISP's DNS, they can enter any other DNS provider in the system network settings.

      The purpose of this is to allow your browser to send DNS traffic over HTTPS in encrypted/authenticated form to the server.

      You can change it at system level, but on Mac that is annoying if you use a firewall too, since Apple doesn't seem to let you both run a network extension and use private DNS.

      "Just" changing your DNS IP in network settings doesn't really protect queries from the ISP, since they are plaintext UDP port 53, and some (usually US, I think) networks have been known to just issue their own replies to DNS requests. Resolving via DNS over TLS prevents that kind of meddling.

      It's not an important feature, and it's not needed for feature parity with Safari, but it might be a nice early "beyond Safari" privacy-friendly feature that gets parity with Firefox and Chrome.

      It's something we want to implement for users that want that extra mile. The real question is whether WebKit itself would allow this functionality directly, or whether the only way would be through creating some kind of provisioning profile that the user will then need to enable.

      Quick research unveiled that this incurs a small performance penalty in the range of 30-50ms for DNS requests.

      This page allows you to check DoH:
      https://1.1.1.1/help


        Vlad

        You wouldn't need a provisioning profile (that works on mac at system-level, but only if you don't use Lulu/Little Snitch or similar) to do this within app.

        I don't know the Mac terminology for this, but in Linux/C your DNS resolution is usually handled by glibc, which deals with name resolution. Firefox and Chrome have this as a setting at app level, and that means any name resolution in the app effectively calls a "wrapper" function, which will use DoH if enabled, or pass through to the system otherwise.

        I assume they are using an open source DoH client library, of which there are several.

        There is likely a little bit of overhead, although it should get better in future with DNS over QUIC (https://www-uxsup.csx.cam.ac.uk/pub/doc/internet-drafts/draft-ietf-dprive-dnsoquic-07.html) getting performance nearer to traditional UDP DNS.

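As an added example (not code from the thread, Orion, WebKit or any browser), here is the mechanism described above reduced to Python: the DNS query is encoded in wire format, carried to a resolver URL either as `?dns=<base64url>` in a GET or as an `application/dns-message` POST body (RFC 8484), and the per-app "wrapper" resolves through DoH when a URL is configured and otherwise hands the name to the OS. The resolver URL, the fake HTTPS transport and the 192.0.2.1 answer are assumptions constructed so the block runs offline.

```python
import base64
import struct
from typing import Callable, Dict, List, Optional, Tuple

QTYPE_A = 1
QCLASS_IN = 1
DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed resolver endpoint


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Wire-format DNS query. ID 0 (RFC 8484 section 4.1) keeps GET URLs cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: ?dns=<base64url without padding>. POST sends the same bytes as body."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, return A answers as dotted quads."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": rdata})
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


Transport = Callable[[str, bytes], bytes]  # (doh_url, wire query) -> wire response


def resolve_a(name: str, doh_url: Optional[str], transport: Transport,
              system_resolver: Callable[[str], List[str]]) -> List[str]:
    """The per-app 'wrapper' the thread describes: DoH if configured, else the OS resolver."""
    if doh_url is None:
        return system_resolver(name)
    reply = parse_response(transport(doh_url, build_query(name)))
    if reply["id"] != 0 or reply["rcode"] != 0:
        raise RuntimeError(f"bad DoH reply: id={reply['id']} rcode={reply['rcode']}")
    return [a["data"] for a in reply["answers"] if a["type"] == QTYPE_A]


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver answer for the offline demo (not captured traffic)."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rr = (struct.pack("!H", 0xC00C)  # pointer to the question name at offset 12
          + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + bytes(int(x) for x in ip.split(".")))
    return header + query[12:] + rr


def demo() -> List[str]:
    """Resolve example.com through a fake HTTPS transport (TEST-NET-1 address, constructed)."""
    def fake_https(url: str, wire: bytes) -> bytes:
        assert url.startswith("https://") and wire[:2] == b"\x00\x00"
        return build_a_response(wire, "192.0.2.1")
    return resolve_a("example.com", DOH_URL, fake_https, lambda n: [])
```

The GET URL this produces for `www.example.com` is byte-for-byte the worked example in RFC 8484 section 4.1.1. A real transport would POST the query with `urllib.request` and the `application/dns-message` content type; note that the resolver's own hostname still has to be resolved somehow before the first DoH query, which is why Firefox has a separate bootstrap address preference (`network.trr.bootstrapAddress`) rather than relying on the system resolver for it.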

          gp

          You wouldn't need a provisioning profile (that works on mac at system-level, but only if you don't use Lulu/Little Snitch or similar) to do this within app.

          Not sure if we are on the same page. My concern was that WebKit simply does not have support for DoH independent of the OS.


            DNS over HTTPS (DoH) would be a nice addition to a privacy-focused browser. It resolves DNS through an encrypted channel, preventing your ISP from spying on your internet traffic. Chrome and Firefox already support this feature but not Safari.

            Chrome:

            Firefox:

              Cannabat Thanks. I tried searching but found an unrelated post. Guess I didn’t try hard enough.

              Admins, please merge this post. I’ve upvoted the other one as well.


                  It may also be interesting to offer the option to set up DNS over TLS alongside DNS over HTTPS. Cloudflare supports both. NextDNS supports both too, and DNS over QUIC as well.


                    I'm also hoping this is implemented as well. Would love to be able to use NextDNS on Orion


                      Hi, I would like HTTPS over DNS to be added to Orion, and as the default.


                          I know this is an old thread, but I've been playing around with Orion on and off over the last year or so. I'm looking for a replacement for Brave, and Orion is proving to be faster than Brave. However, a must-have feature is secure DNS, as more and more providers now hijack DNS for one reason or another. This may not happen in the US, but it is happening in many countries.


                            Vlad

                            I suspect that the static DNS in macOS can be hijacked by some of the more aggressive ISPs, since DNS over 53/UDP is unauthenticated. Some US ISPs (example, another example) have been known to intercept 53/UDP traffic, even when not addressed to their own IP addresses, to deliver ads to users.

                            That's not to say it's a browser's responsibility to fix this (actually hijacking 53/UDP and issuing your own responses as an ISP is the real problem), but simply setting a regular UDP DNS server won't necessarily prevent hijacking, unless I've missed something. UDP is not session oriented, and the DNS protocol lacks any verification method, so an ISP or router can intercept and respond to DNS "undetected". You're then relying on HTTPS to alert you if something goes awry.

                            You can set a DNS over TLS/HTTPS setting via a mobileconfig profile, but that will not work if you use a (macOS integrated) software firewall like Little Snitch or Lulu.

                            Firefox lets you opt in to DNS over HTTPS as the per-app DNS resolution provider, which can help users escape aggressive ISP hijacking (or just someone who wants to use their own resolver).
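Added example, not from the thread or from Apple: the system-level alternative mentioned several times above is a configuration profile carrying a `com.apple.dnsSettings.managed` payload. The Python below generates that profile as an XML plist for either DNS over HTTPS (`DNSProtocol` HTTPS with a `ServerURL`) or DNS over TLS (`DNSProtocol` TLS with a `ServerName`), and reads the settings back so a downloaded profile can be inspected before installing. The payload key names are those of Apple's DNSSettings payload as I know them (check them against the current Apple configuration profile reference); the organization identifier, display names and the Cloudflare endpoints in the usage example are assumptions.

```python
import plistlib
import uuid
from typing import List, Optional

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def encrypted_dns_profile(protocol: str, server_addresses: List[str],
                          server_url: Optional[str] = None,
                          server_name: Optional[str] = None,
                          org: str = "org.example") -> bytes:
    """Return a .mobileconfig (XML plist) with one encrypted-DNS payload.

    protocol: "HTTPS" (DoH; needs the resolver URL) or "TLS" (DoT; needs the
    hostname the resolver's certificate is issued for). server_addresses are
    the resolver IPs the OS connects to, so no plaintext bootstrap lookup is
    needed. Identifiers and names under `org` are assumed, not Apple's.
    """
    settings = {"DNSProtocol": protocol, "ServerAddresses": list(server_addresses)}
    if protocol == "HTTPS":
        if not server_url or not server_url.startswith("https://"):
            raise ValueError("DoH requires an https:// ServerURL")
        settings["ServerURL"] = server_url
    elif protocol == "TLS":
        if not server_name:
            raise ValueError("DoT requires ServerName (certificate hostname)")
        settings["ServerName"] = server_name
    else:
        raise ValueError("protocol must be 'HTTPS' or 'TLS'")
    if not server_addresses:
        raise ValueError("at least one resolver IP is required")

    display = f"Encrypted DNS ({protocol})"
    payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org}.dns.{protocol.lower()}",  # assumed reverse-DNS id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display,
        "DNSSettings": settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def dns_settings_of(profile: bytes) -> dict:
    """Extract the DNSSettings dict from a profile; rejects profiles that carry
    anything other than exactly one DNS payload, so an unexpected extra payload
    (a VPN or a certificate, say) in a 'DNS' profile is noticed before install."""
    doc = plistlib.loads(profile)
    payloads = doc.get("PayloadContent", [])
    if len(payloads) != 1 or payloads[0].get("PayloadType") != DNS_PAYLOAD_TYPE:
        raise ValueError("expected exactly one DNS settings payload")
    return payloads[0]["DNSSettings"]


def write_example(path: str) -> str:
    """Write a DoH profile for Cloudflare (assumed endpoint/IPs) and return its settings."""
    data = encrypted_dns_profile("HTTPS", ["1.1.1.1", "1.0.0.1"],
                                 server_url="https://cloudflare-dns.com/dns-query")
    with open(path, "wb") as fh:
        fh.write(data)
    return dns_settings_of(data)["ServerURL"]
```

Install the resulting file by opening it and approving it under the Profiles section of System Settings; as the posts above note, a running network extension firewall on macOS will silently defeat the setting, so after installing it is worth confirming with the 1.1.1.1/help page linked earlier that queries really are arriving over DoH.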