DNS over HTTPS resolution as an Orion feature (bypassing system DNS)

Ggp · Jul 16, 2023

I suspect that the static DNS in MacOS can be hijacked by some of the more aggressive ISPs, since DNS over 53/UDP is unauthenticated. Some US ISPs (example, another example) have been known to intercept 53/UDP traffic, even not to their own IP addresses, to deliver ads to users.

That's not to say it's a browser's responsibility to fix this (actually hijacking 53/UDP and issuing your own responses as an ISP is the real problem), but simply setting a regular UDP DNS server won't necessarily prevent hijacking, unless I've missed something. UDP is not session oriented, and the DNS protocol lacks any verification method, so an ISP or router can intercept and respond to DNS "undetected". You're then relying on HTTPS to alert you if something goes awry.

You can set a DNS over TLS/HTTPS setting via a mobileconfig profile, but that will not work if you use a (Mac OS integrated) software firewall like littlesnitch or Lulu.

Firefox lets you opt in to DNS over HTTPS as the per-app DNS resolution provider, which can help users escape aggressive ISP hijacking (or just someone who wants to use their own resolver).

Aanthoj · Jul 17, 2023

gp Yeap this is absolutely right. Even a router level static DNS gets hijacked by my ISP, both at home and at work - all ISPs are mandated by my govt to do this, as part of their effort to censor the internet. Reddit, Vimeo, Tumblr, all blocked nationwide.

At home I have Pihole running on a separate machine locally dishing out DNS queries - so this is not a problem. But at work, I have no control over that and I rely on browsers like Brave to access the free internet. I'd rather not use VPN as it can be a hassle with content providers like Netflix.

Vlad · Jul 17, 2023

gp Great, TIL. I am pretty sure that such ISP can be sued to oblivion at least in USA.

It is not clear though why would browser be responsible for any sort of DNS resolution - why not have DNS over HTTPS set at the system level so that all services benefit from it?

Ggp · Jul 18, 2023

Vlad

You are right - it would be best to do this at system level. Mac OS supports that via a .mobileconfig config profile - some examples at https://github.com/paulmillr/encrypted-dns

Unfortunately, the system level DoH stuff doesn't play nice with VPN or application firewall apps (https://github.com/paulmillr/encrypted-dns/issues/13) on Mac OS, so for a lot of people, the system level profile won't really work. People who know what DoH is today are likely running Lulu/Little Snitch or similar, as there will be some overlap in those groups.

Both Chrome and Firefox implement their own DNS resolver (with DNS over HTTPS), seemingly because they want to let users configure this by themselves, and give people the option of DoH (or automatically upgrading to DoH where possible), without relying on the underlying system.

gtirloni · Aug 9, 2023

System DoH is certainly the proper way of handling this so I'll just share my use cases that don't fit it.

Business VPN hijacks DNS configuration and now I'm leaking all requests to my company's (or a 3rd-party). I trust them with my business request but unfortunately we all do personal stuff everywhere and having a specific browser with my specific DoH configuration would avoid that.
Many devices, many physical networks, lots of unpredictability with different configs. Having a specific browser I know is using DoH for sure would give me more peace of mind that I'm not inadvertently leaking DNS.

Mmehul · Dec 15, 2023

My reason for wanting this is that I have a DNS over HTTPS server and when using Google One's VPN, the server is completely bypassed.

Llxychn · Feb 27, 2024

Vlad i cant set at system level because i cant change company dns. doh in broswer can bypass whatever system has.

Fforest9 · May 31, 2024

Vlad you seem very dismissive of this request that seems very legitimate. The idea of app level DNS is that it can bypass OS level DNS, for several reasons. For example, due to policies installed on the system. I have seen OSs block domains because they have never seen them before. So if you have jsut created a domain, it will be blocked at the OS level (for example by OpenDNS) until you ask for permission. But whitelisting one off domains is also not good practice.

Since many browsers implement this, I guess my question is, is this very difficult to implement, or does webkit not allow browser level DNS resolution?

Vlad · Jun 3, 2024

forest9 Yes, difficult to implement and very niche. We have 2000+ open issues that are easier and affect everyone, and a team of three devs. Patience please.

Fforest9 · Jun 4, 2024

I get it and I think everyone in this thread also does. We absolutely do not want you to rush or anything, but maybe communicate that in advance, bc from reading this thread, you are making it seem like this is not a valid use case, with "why not just use OS level DNS?". I mean other browsers' devs aren't ignorant to OS level DNS. Somethign can be a valid use case and not be a priority, just say so. You'd be surprised at how understanding users are when you communicate clearly.

Vlad · Jun 4, 2024

forest9 Yes, I am expalining why is this not a priority for us. Also note that part of our philosophy is to be a native macOS app, which means respecting the way Apple wants things to be done on macOS. Other browsers are mostly native to Windows (even eith their macOS version) where things are done very differently.

moon-cacke · Oct 16, 2024

I guess this join the proxy support feature request as implementing this can be done through proxy integration… I would really love such feature proxy/dns support…

A lot of browser mimic that feature by just using system wide vpn which is bizarre and not super secure if we don’t want to tunnel everything (like opera or aloha)

Frankly adding such feature would be very beneficial for the popularity of the browser because of the uniqueness of its features. And this is far from being a niche feature it all depends on how it is presented… something like “Adguard support” can be more appealing to many.

Lastly I understand the phylo of keeping things as apple entend it. But bear in mind that a lot of new features were first added by enthusiast on jailbreak or innovative developers. If something is technically appealing and is not a wrong doing you should go for it like you did with the extensions.

One last thing, those who promote the most your product/browser are the geeks and IT passionate that you may consider a niche.

Johnmen · 26 Jan

This is the importance of implementing something like this. The second image is Firefox using my NextDNS with DoH, the next image is Orion. I am unable to use DoH or DoT. I have my mac set up with the certificate from NextDNS, I also changed the DNS settings in System Preferences. My router has NextDNS installed. Yet somehow Orion bypasses all of this where none of my other applications do. I would love to see this implemented as I am sure many other people would too. I usually never post on discussion posts so I know there are hundreds of other users who want this feature too but will likely never voice their concerns.

Because this feature isn't integrated, Firefox is my default browser, but once this is integrated I will likely change my mind as I prefer zero trackers and am impressed with the rest that orion offers.

Until then, the only reason Orion is installed on my computer is to see if DoH is implemented.

Johnmen · 17 Feb

I have found the fix if you are using NextDNS. Be sure to add Domain DNS settings in System Settings under Network and then DNS. I would recommend adding both HTTP and TLS URLs from NextDNS. It seems Orion will ignore the IP address DNS settings and opt for the Domain DNS settings. I still can't get the cert to work but that's fine.

Johnmen · 18 Feb

I also had to install NextDNS via Homebrew