
Firefox and Chrome at least have both implemented this.

Apple supports it at system level since Big Sur or Monterey I believe, but with limited efficacy, since use of network extensions (Lulu, Little Snitch etc.) silently bypasses a provisioning profile DNS over HTTPS setup. It works fine on mobile though.

The suggestion is for Orion to support selection of a DNS-over-HTTPS server, and allow entry of a custom URL. This is good for privacy and security, as it helps users to avoid relying on their ISP DNS. You can also do host-level ad/tracker/malicious content filtering.

Firefox implementation:

A couple of "defaults" are available (if you enable the feature, which is currently default-off, I believe, Cloudflare is the selected default).

And you can enter your own server URL if you like:

  • Vlad replied to this.

    gp What is the purpose of the this feature? If the user wants to avoid using their ISP's DNS, they can enter any other DNS provider in the system network settings.

      The purpose of this is to allow your browser to send DNS traffic over HTTPS in encrypted/authenticated form to the server.

      You can change it at system level, but on Mac that is annoying if you use a firewall too, since Apple doesn't seem to let you both run a network extension and use private DNS.

      "Just" changing your DNS IP in network settings doesn't really protect queries from the ISP, since they are plaintext UDP port 53, and some (usually US, I think) networks have been known to just issue their own replies to DNS requests. Resolving via DNS over TLS prevents that kind of meddling.

      It's not an important feature, and it's not needed for feature parity with Safari, but it might be a nice early "beyond Safari" privacy-friendly feature that gets parity with Firefox and Chrome.

      It's something we want to implement for users that want that extra mile. The real question is whether WebKit itself would allow this functionality directly, or whether the only way would be through creating some kind of provisioning profile that the user will then need to enable.

      Quick research unveiled that this incurs a small performance penalty in the range of 30-50ms for DNS requests.

      This page allows to check DoH:
      https://1.1.1.1/help

      • gp replied to this.

        Vlad

        You wouldn't need a provisioning profile (that works on mac at system-level, but only if you don't use Lulu/Little Snitch or similar) to do this within app.

        I don't know the Mac terminology for this, but in Linux/C your DNS resolution is usually handled by glibc, which deals with name resolution. Firefox and Chrome have this as a setting at app level, and that means any name resolution in the app effectively calls a "wrapper" function, which will use DoH if enabled, or pass through to the system otherwise.

        I assume they are using an open source DoH client library, of which there are several.

        There is likely a little bit of overhead, although it should get better in future with DNS over QUIC (https://www-uxsup.csx.cam.ac.uk/pub/doc/internet-drafts/draft-ietf-dprive-dnsoquic-07.html) getting performance nearer to traditional UDP DNS.

        • Vlad replied to this.
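The "wrapper" pattern gp describes (every lookup goes through an app-level function that speaks DoH when enabled and otherwise falls through to the OS resolver) can be shown with a small stand-alone resolver. This is an added example, not code from Orion, Firefox or Chrome, and it uses no DoH client library: the DNS wire format is RFC 1035 and the HTTP exchange is RFC 8484 (POST of `application/dns-message`). The resolver URL `https://doh.example/dns-query`, the name `example.test` and the answer `192.0.2.1` are constructed placeholders, and `fake_transport` is a constructed stand-in so the block runs offline; `doh_post` is the real transport.

```python
"""Application-level DNS-over-HTTPS resolver, RFC 8484 style (added example).

resolve() is the wrapper: DoH when a resolver URL is configured, otherwise
the operating system's resolver. Sample data is constructed for illustration.
"""
import socket
import struct
import urllib.request
from typing import Callable, List, Optional

DNS_MESSAGE = "application/dns-message"
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Encode one RD=1 query. RFC 8484 recommends a zero transaction ID so
    identical queries produce identical bytes that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 answers in a DNS response; raise on a non-zero RCODE."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4         # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                            # skip CNAME or other rdata
    return ips


def doh_post(server_url: str, wire: bytes) -> bytes:
    """Real transport: POST the wire-format query to a DoH endpoint over TLS.
    Server certificate validation is done by urllib's default HTTPS context."""
    req = urllib.request.Request(
        server_url, data=wire, method="POST",
        headers={"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != DNS_MESSAGE:
            raise ValueError(f"unexpected media type {ctype!r}")
        return resp.read()


def resolve(name: str, doh_url: Optional[str] = None,
            transport: Callable[[str, bytes], bytes] = doh_post) -> List[str]:
    """The wrapper: DoH when doh_url is set, else pass through to the system."""
    if not doh_url:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})
    return parse_a_records(transport(doh_url, build_query(name)))


def fake_transport(server_url: str, wire: bytes) -> bytes:
    """Constructed stand-in for doh_post, used offline: answers any A query
    with 192.0.2.1 (a documentation address), TTL 300, echoing the question."""
    question = wire[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)           # QR=1, RD, RA
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)  # name = pointer to offset 12
    return header + question + answer + socket.inet_aton("192.0.2.1")


if __name__ == "__main__":
    # Offline run; pass transport=doh_post and a real resolver URL to query over HTTPS.
    print(resolve("example.test", "https://doh.example/dns-query", transport=fake_transport))
```

The transport is injected so the same resolver can be exercised without the network; the `Content-Type` check in `doh_post` matters because an intercepting proxy that returns an HTML block page would otherwise be parsed as a DNS message.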

          gp

          You wouldn't need a provisioning profile (that works on mac at system-level, but only if you don't use Lulu/Little Snitch or similar) to do this within app.

          Not sure if we are on the same page. My concern was that WebKit simply does not have support for DoH independent of the OS.

            a month later

            DNS over HTTPS (DoH) would be a nice addition to a privacy-focused browser. It resolves DNS through an encrypted channel, preventing your ISP from spying on your internet traffic. Chrome and Firefox already support this feature but not Safari.

            Chrome:

            Firefox:

              Cannabat Thanks. I tried searching but found an unrelated post. Guess I didn’t try hard enough.

              Admins, please merge this post. I’ve upvoted the other one as well.

                Merged 3 posts from Support DNS over HTTPS for better privacy.
                  5 months later

                  It may also be interesting to give the availability to set up DNS over TLS along DNS over HTTPS. Cloudflare supports both. NextDNS supports both too and over QUIC too.

                    2 months later

                    I'm also hoping this is implemented as well. Would love to be able to use NextDNS on Orion

                      6 months later
                      7 days later


                      Hi, I would like HTTPS over DNS to be added to Orion, and as the default.

                        Merged 1 post from Https over DNS.
                          5 months later

                          I know this is an old thread, but I've been playing around with Orion over the last year on and off or so. Looking for a replacement to Brave and Orion is proving to be faster than Brave. However, a must-have feature is secure DNS, as more and more providers now hijack DNS for one reason or another. This may not happen in the US, but is happening in many countries.

                          • Vlad replied to this.

                            Vlad

                            I suspect that the static DNS in MacOS can be hijacked by some of the more aggressive ISPs, since DNS over 53/UDP is unauthenticated. Some US ISPs (example, another example) have been known to intercept 53/UDP traffic, even not to their own IP addresses, to deliver ads to users.

                            That's not to say it's a browser's responsibility to fix this (actually hijacking 53/UDP and issuing your own responses as an ISP is the real problem), but simply setting a regular UDP DNS server won't necessarily prevent hijacking, unless I've missed something. UDP is not session oriented, and the DNS protocol lacks any verification method, so an ISP or router can intercept and respond to DNS "undetected". You're then relying on HTTPS to alert you if something goes awry.

                            You can set a DNS over TLS/HTTPS setting via a mobileconfig profile, but that will not work if you use a (Mac OS integrated) software firewall like littlesnitch or Lulu.

                            Firefox lets you opt in to DNS over HTTPS as the per-app DNS resolution provider, which can help users escape aggressive ISP hijacking (or just someone who wants to use their own resolver).

                              gp Yeap this is absolutely right. Even a router level static DNS gets hijacked by my ISP, both at home and at work - all ISPs are mandated by my govt to do this, as part of their effort to censor the internet. Reddit, Vimeo, Tumblr, all blocked nationwide.

                              At home I have Pihole running on a separate machine locally dishing out DNS queries - so this is not a problem. But at work, I have no control over that and I rely on browsers like Brave to access the free internet. I'd rather not use VPN as it can be a hassle with content providers like Netflix.

                                gp Great, TIL. I am pretty sure that such an ISP can be sued into oblivion, at least in the USA.

                                It is not clear, though, why a browser would be responsible for any sort of DNS resolution - why not have DNS over HTTPS set at the system level so that all services benefit from it?

                                  Vlad

                                  You are right - it would be best to do this at system level. Mac OS supports that via a .mobileconfig config profile - some examples at https://github.com/paulmillr/encrypted-dns

                                  Unfortunately, the system level DoH stuff doesn't play nice with VPN or application firewall apps (https://github.com/paulmillr/encrypted-dns/issues/13) on Mac OS, so for a lot of people, the system level profile won't really work. People who know what DoH is today are likely running Lulu/Little Snitch or similar, as there will be some overlap in those groups.

                                  Both Chrome and Firefox implement their own DNS resolver (with DNS over HTTPS), seemingly because they want to let users configure this by themselves, and give people the option of DoH (or automatically upgrading to DoH where possible), without relying on the underlying system.

                                    22 days later

                                    System DoH is certainly the proper way of handling this so I'll just share my use cases that don't fit it.

                                    1. Business VPN hijacks DNS configuration and now I'm leaking all requests to my company's (or a 3rd-party). I trust them with my business request but unfortunately we all do personal stuff everywhere and having a specific browser with my specific DoH configuration would avoid that.

                                    2. Many devices, many physical networks, lots of unpredictability with different configs. Having a specific browser I know is using DoH for sure would give me more peace of mind that I'm not inadvertently leaking DNS.

                                    4 months later

                                    My reason for wanting this is that I have a DNS over HTTPS server and when using Google One's VPN, the server is completely bypassed.

                                      2 months later

                                      Vlad I can't set it at the system level because I can't change the company DNS. DoH in the browser can bypass whatever the system has.

                                      3 months later

                                      Vlad you seem very dismissive of this request, which seems very legitimate. The idea of app-level DNS is that it can bypass OS-level DNS, for several reasons. For example, due to policies installed on the system. I have seen OSs block domains because they have never seen them before. So if you have just created a domain, it will be blocked at the OS level (for example by OpenDNS) until you ask for permission. But whitelisting one-off domains is also not good practice.

                                      Since many browsers implement this, I guess my question is: is this very difficult to implement, or does WebKit not allow browser-level DNS resolution?

                                      • Vlad replied to this.

                                        forest9 Yes, difficult to implement and very niche. We have 2000+ open issues that are easier and affect everyone, and a team of three devs. Patience please.

                                          I get it, and I think everyone in this thread also does. We absolutely do not want you to rush or anything, but maybe communicate that in advance, because from reading this thread you are making it seem like this is not a valid use case, with "why not just use OS-level DNS?". I mean, other browsers' devs aren't ignorant of OS-level DNS. Something can be a valid use case and not be a priority; just say so. You'd be surprised at how understanding users are when you communicate clearly.

                                          • Vlad replied to this.

                                            forest9 Yes, I am explaining why this is not a priority for us. Also note that part of our philosophy is to be a native macOS app, which means respecting the way Apple wants things to be done on macOS. Other browsers are mostly native to Windows (even with their macOS version), where things are done very differently.

                                              4 months later

                                              I guess this joins the proxy support feature request, as implementing this can be done through proxy integration… I would really love such a feature (proxy/DNS support)…

                                              A lot of browsers mimic that feature by just using a system-wide VPN, which is bizarre and not super secure if we don't want to tunnel everything (like Opera or Aloha).

                                              Frankly, adding such a feature would be very beneficial for the popularity of the browser because of the uniqueness of its features. And this is far from being a niche feature; it all depends on how it is presented… something like "Adguard support" can be more appealing to many.

                                              Lastly, I understand the philosophy of keeping things as Apple intends them. But bear in mind that a lot of new features were first added by enthusiasts on jailbreak or by innovative developers. If something is technically appealing and is not a wrongdoing, you should go for it, like you did with the extensions.

                                              One last thing: those who promote your product/browser the most are the geeks and IT enthusiasts that you may consider a niche.

                                                3 months later

                                                This is the importance of implementing something like this. The second image is Firefox using my NextDNS with DoH, the next image is Orion. I am unable to use DoH or DoT. I have my Mac set up with the certificate from NextDNS, and I also changed the DNS settings in System Preferences. My router has NextDNS installed. Yet somehow Orion bypasses all of this where none of my other applications do. I would love to see this implemented, as I am sure many other people would too. I usually never post on discussion posts, so I know there are hundreds of other users who want this feature too but will likely never voice their concerns.

                                                Because this feature isn't integrated, Firefox is my default browser, but once this is integrated I will likely change my mind as I prefer zero trackers and am impressed with the rest that orion offers.

                                                Until then, the only reason Orion is installed on my computer is to see if DoH is implemented.

                                                  22 days later

                                                  I have found the fix if you are using NextDNS. Be sure to add Domain DNS settings in System Settings under Network and then DNS. I would recommend adding both HTTP and TLS URLs from NextDNS. It seems Orion will ignore the IP address DNS settings and opt for the Domain DNS settings. I still can't get the cert to work but that's fine.

                                                    I also had to install NextDNS via Homebrew