DNS over HTTPS (DoH) would be a nice addition to a privacy-focused browser. It resolves DNS through an encrypted channel, preventing your ISP from spying on your internet traffic. Chrome and Firefox already support this feature, but Safari does not.

Chrome:

Firefox:

    @Cannabat Thanks. I tried searching but found an unrelated post. Guess I didn't try hard enough.

    Admins, please merge this post. I've upvoted the other one as well.
        5 months later

        It may also be interesting to offer the option to set up DNS over TLS alongside DNS over HTTPS. Cloudflare supports both. NextDNS supports both too, and DNS over QUIC as well.

          2 months later

          I'm also hoping this is implemented. Would love to be able to use NextDNS on Orion.

            7 days later

            Hi, I would like HTTPS over DNS to be added to Orion, and as the default.
                5 months later

                I know this is an old thread, but I've been playing around with Orion over the last year on and off or so. Looking for a replacement to Brave and Orion is proving to be faster than Brave. However, a must-have feature is secure DNS, as more and more providers now hijack DNS for one reason or another. This may not happen in the US, but is happening in many countries.

                  @Vlad

                  I suspect that the static DNS in MacOS can be hijacked by some of the more aggressive ISPs, since DNS over 53/UDP is unauthenticated. Some US ISPs (example, another example) have been known to intercept 53/UDP traffic, even not to their own IP addresses, to deliver ads to users.

                  That's not to say it's a browser's responsibility to fix this (actually hijacking 53/UDP and issuing your own responses as an ISP is the real problem), but simply setting a regular UDP DNS server won't necessarily prevent hijacking, unless I've missed something. UDP is not session oriented, and the DNS protocol lacks any verification method, so an ISP or router can intercept and respond to DNS "undetected". You're then relying on HTTPS to alert you if something goes awry.

                  You can set a DNS over TLS/HTTPS setting via a mobileconfig profile, but that will not work if you use a (macOS-integrated) software firewall like Little Snitch or LuLu.

                  Firefox lets you opt in to DNS over HTTPS as the per-app DNS resolution provider, which can help users escape aggressive ISP hijacking (or just someone who wants to use their own resolver).
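As an added example (not from this thread or from Orion, Firefox or any resolver's code), the following Python shows what a DoH exchange actually carries: the same RFC 1035 wire-format query that goes over 53/UDP, wrapped per RFC 8484 in an HTTPS request, plus a parser for the answer section. With those pieces a client can compare the addresses returned by the plain-UDP path against those returned by the DoH path and flag the kind of interception described above. The resolver URL, the domain name and all addresses are constructed placeholders, and no network traffic is sent; the "plain" and "DoH" responses are built locally as sample input.

```python
import base64
import struct
from typing import List, Tuple

# RFC 8484 media type for DoH requests and responses (GET ?dns= or POST body).
DOH_CONTENT_TYPE = "application/dns-message"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS wire-format query (RFC 1035) for name/qtype.
    RFC 8484 recommends ID 0 over DoH so HTTP caches see identical requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query goes base64url-encoded, unpadded, in ?dns=."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in rdata))
    return answers


def build_response(query: bytes, addresses: List[str]) -> bytes:
    """Constructed sample response to `query` carrying the given A records.
    Stands in here for what a resolver (or an interceptor) would send back."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        rrs += b"\xc0\x0c"  # pointer to the question name at offset 12
        rrs += struct.pack("!HHIH", 1, 1, 300, 4)
        rrs += bytes(int(octet) for octet in addr.split("."))
    return header + query[12:] + rrs


def answers_diverge(plain_answers: List[str], doh_answers: List[str]) -> bool:
    """True when the 53/UDP path and the DoH path disagree on the address set."""
    return set(plain_answers) != set(doh_answers)


if __name__ == "__main__":
    q = build_query("example.test")  # placeholder name
    print(doh_get_url("https://doh.example/dns-query", q))  # placeholder resolver
    plain = parse_a_records(build_response(q, ["198.51.100.7"]))   # constructed: injected answer
    doh = parse_a_records(build_response(q, ["203.0.113.10"]))     # constructed: resolver's answer
    print("plain:", plain, "doh:", doh, "diverge:", answers_diverge(plain, doh))
```

A divergence between the two paths is not proof of hijacking on its own (CDNs legitimately return different addresses to different resolvers), but it is the signal a browser-level DoH client can surface, and it is exactly what a client relying only on the system's 53/UDP path cannot see.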

                    @gp Yep, this is absolutely right. Even a router-level static DNS gets hijacked by my ISP, both at home and at work - all ISPs are mandated by my government to do this, as part of their effort to censor the internet. Reddit, Vimeo, Tumblr, all blocked nationwide.

                    At home I have Pi-hole running on a separate machine locally, dishing out DNS queries - so this is not a problem. But at work, I have no control over that and I rely on browsers like Brave to access the free internet. I'd rather not use a VPN as it can be a hassle with content providers like Netflix.

                      @gp Great, TIL. I am pretty sure that such an ISP can be sued into oblivion, at least in the USA.

                      It is not clear though why a browser would be responsible for any sort of DNS resolution - why not have DNS over HTTPS set at the system level so that all services benefit from it?

                        @Vlad

                        You are right - it would be best to do this at system level. Mac OS supports that via a .mobileconfig config profile - some examples at https://github.com/paulmillr/encrypted-dns

                        Unfortunately, the system level DoH stuff doesn't play nice with VPN or application firewall apps (https://github.com/paulmillr/encrypted-dns/issues/13) on Mac OS, so for a lot of people, the system level profile won't really work. People who know what DoH is today are likely running Lulu/Little Snitch or similar, as there will be some overlap in those groups.

                        Both Chrome and Firefox implement their own DNS resolver (with DNS over HTTPS), seemingly because they want to let users configure this by themselves, and give people the option of DoH (or automatically upgrading to DoH where possible), without relying on the underlying system.

                          22 days later

                          System DoH is certainly the proper way of handling this so I'll just share my use cases that don't fit it.

                          1. Business VPN hijacks the DNS configuration and now I'm leaking all requests to my company (or a 3rd party). I trust them with my business requests, but unfortunately we all do personal stuff everywhere, and having a specific browser with my specific DoH configuration would avoid that.

                          2. Many devices, many physical networks, lots of unpredictability with different configs. Having a specific browser I know is using DoH for sure would give me more peace of mind that I'm not inadvertently leaking DNS.

                          4 months later

                          My reason for wanting this is that I have a DNS over HTTPS server and when using Google One's VPN, the server is completely bypassed.

                            2 months later

                            @Vlad I can't set it at the system level because I can't change the company DNS. DoH in the browser can bypass whatever the system has.

                            3 months later

                            @Vlad you seem very dismissive of this request, which seems very legitimate. The idea of app-level DNS is that it can bypass OS-level DNS, for several reasons. For example, due to policies installed on the system. I have seen OSs block domains because they have never seen them before. So if you have just created a domain, it will be blocked at the OS level (for example by OpenDNS) until you ask for permission. But whitelisting one-off domains is also not good practice.

                            Since many browsers implement this, I guess my question is: is this very difficult to implement, or does WebKit not allow browser-level DNS resolution?