DNS over HTTPS resolution as an Orion feature (bypassing system DNS)

anthoj

gp Yeap this is absolutely right. Even a router level static DNS gets hijacked by my ISP, both at home and at work - all ISPs are mandated by my govt to do this, as part of their effort to censor the internet. Reddit, Vimeo, Tumblr, all blocked nationwide.

At home I have Pihole running on a separate machine locally dishing out DNS queries - so this is not a problem. But at work, I have no control over that and I rely on browsers like Brave to access the free internet. I'd rather not use VPN as it can be a hassle with content providers like Netflix.

Vlad

gp Great, TIL. I am pretty sure that such ISP can be sued to oblivion at least in USA.

It is not clear though why would browser be responsible for any sort of DNS resolution - why not have DNS over HTTPS set at the system level so that all services benefit from it?

gp

Vlad

You are right - it would be best to do this at system level. Mac OS supports that via a .mobileconfig config profile - some examples at https://github.com/paulmillr/encrypted-dns

Unfortunately, the system level DoH stuff doesn't play nice with VPN or application firewall apps (https://github.com/paulmillr/encrypted-dns/issues/13) on Mac OS, so for a lot of people, the system level profile won't really work. People who know what DoH is today are likely running Lulu/Little Snitch or similar, as there will be some overlap in those groups.

Both Chrome and Firefox implement their own DNS resolver (with DNS over HTTPS), seemingly because they want to let users configure this by themselves, and give people the option of DoH (or automatically upgrading to DoH where possible), without relying on the underlying system.

lxychn

Vlad i cant set at system level because i cant change company dns. doh in broswer can bypass whatever system has.

forest9

Vlad you seem very dismissive of this request that seems very legitimate. The idea of app level DNS is that it can bypass OS level DNS, for several reasons. For example, due to policies installed on the system. I have seen OSs block domains because they have never seen them before. So if you have jsut created a domain, it will be blocked at the OS level (for example by OpenDNS) until you ask for permission. But whitelisting one off domains is also not good practice.

Since many browsers implement this, I guess my question is, is this very difficult to implement, or does webkit not allow browser level DNS resolution?

Xytronix

Vlad Looking forward for DoQ and DoH to be implemented.

I see it a browser priority as it increases the speed and privacy searching the web.
DoQ is currently unsupported by the native resolver.

Some apps tend to break while setting it across the system and I want to seperate my work- and personal traffic.
Orion implementing this feature would give me total peace of mind.

Features of DoQ:

Faster Performance
• QUIC runs over UDP, not TCP.
• It reduces latency by eliminating the need for TCP handshakes and slow TLS negotiation.
• It supports 0-RTT resumption, meaning reconnecting can be near-instantaneous.
Connection Multiplexing (No Head-of-Line Blocking)
• Unlike TCP (used in DoT/DoH), QUIC allows multiple requests to be sent and responded to in parallel over one connection.
• If one query is delayed or lost, others continue — no blocking.
Built-in Encryption
• QUIC is encrypted by design (TLS 1.3 is built-in), so it’s inherently private.
• DoQ has less overhead compared to DoH, which wraps DNS in HTTPS.
Better for Mobile and Unstable Networks
• QUIC is designed to handle packet loss and network changes more gracefully (e.g., switching from Wi-Fi to mobile data).
• This makes it ideal for mobile and roaming users.
More Efficient Than DoH
• DoH uses HTTPS, which can introduce unnecessary overhead for simple DNS queries.
• DoQ is purpose-built for DNS, making it lighter and faster.

gtirloni

System DoH is certainly the proper way of handling this so I'll just share my use cases that don't fit it.

Business VPN hijacks DNS configuration and now I'm leaking all requests to my company's (or a 3rd-party). I trust them with my business request but unfortunately we all do personal stuff everywhere and having a specific browser with my specific DoH configuration would avoid that.
Many devices, many physical networks, lots of unpredictability with different configs. Having a specific browser I know is using DoH for sure would give me more peace of mind that I'm not inadvertently leaking DNS.

mehul

My reason for wanting this is that I have a DNS over HTTPS server and when using Google One's VPN, the server is completely bypassed.

Vlad

forest9 Yes, difficult to implement and very niche. We have 2000+ open issues that are easier and affect everyone, and a team of three devs. Patience please.

forest9

I get it and I think everyone in this thread also does. We absolutely do not want you to rush or anything, but maybe communicate that in advance, bc from reading this thread, you are making it seem like this is not a valid use case, with "why not just use OS level DNS?". I mean other browsers' devs aren't ignorant to OS level DNS. Somethign can be a valid use case and not be a priority, just say so. You'd be surprised at how understanding users are when you communicate clearly.

Vlad

forest9 Yes, I am expalining why is this not a priority for us. Also note that part of our philosophy is to be a native macOS app, which means respecting the way Apple wants things to be done on macOS. Other browsers are mostly native to Windows (even eith their macOS version) where things are done very differently.

moon-cacke

I guess this join the proxy support feature request as implementing this can be done through proxy integration… I would really love such feature proxy/dns support…

A lot of browser mimic that feature by just using system wide vpn which is bizarre and not super secure if we don’t want to tunnel everything (like opera or aloha)

Frankly adding such feature would be very beneficial for the popularity of the browser because of the uniqueness of its features. And this is far from being a niche feature it all depends on how it is presented… something like “Adguard support” can be more appealing to many.

Lastly I understand the phylo of keeping things as apple entend it. But bear in mind that a lot of new features were first added by enthusiast on jailbreak or innovative developers. If something is technically appealing and is not a wrong doing you should go for it like you did with the extensions.

One last thing, those who promote the most your product/browser are the geeks and IT passionate that you may consider a niche.

Johnmen

This is the importance of implementing something like this. The second image is Firefox using my NextDNS with DoH, the next image is Orion. I am unable to use DoH or DoT. I have my mac set up with the certificate from NextDNS, I also changed the DNS settings in System Preferences. My router has NextDNS installed. Yet somehow Orion bypasses all of this where none of my other applications do. I would love to see this implemented as I am sure many other people would too. I usually never post on discussion posts so I know there are hundreds of other users who want this feature too but will likely never voice their concerns.

Because this feature isn't integrated, Firefox is my default browser, but once this is integrated I will likely change my mind as I prefer zero trackers and am impressed with the rest that orion offers.

Until then, the only reason Orion is installed on my computer is to see if DoH is implemented.

Johnmen

I have found the fix if you are using NextDNS. Be sure to add Domain DNS settings in System Settings under Network and then DNS. I would recommend adding both HTTP and TLS URLs from NextDNS. It seems Orion will ignore the IP address DNS settings and opt for the Domain DNS settings. I still can't get the cert to work but that's fine.

Johnmen

I also had to install NextDNS via Homebrew

daveio

Sorry if this adds spam, I'm not sure how to upvote this, but I really want this.

Browser-level DoH is crazy useful for me in configuring https://controld.com for my clients.

This is a blocker to rolling Orion out beyond just me.

« Previous Page