Menu
What's new
By:
Filters Better Search

DoT vs. DoH

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Authority

Authority

Senior Member
I understand why RMerlin doens't like DoH as a network admin. I also understand why Google and Firefox use DoH, not because it's better, but simply because a browser can't use DoT.

What I didn't realize that DoT was lower latency, making me rethink using DoH. I wonder why NextDNS chose DoH for their CLI client?

This was very informative. https://www.dnsfilter.com/blog/dns-over-tls/
 
NextDNS chose DoH because of how they designed their infrastructure. Their infrastructure poorly favors DoT, while highly favoring DoH connections. (It is because of bias implementation).
 
I need some clarification, does the NextDNS Merlin client use DoH only or does it also use DoT?
 
NM, found my answer.

www.snbforums.com

NextDNS Installer

^^^ "Even the dry-run involves up to 10 requests per client which can be very significant when the entire release population updates." :( That certainly could be part of the RCA on the churn and instability I've seen on what was a very reliable NextDNS setup. I still especially do not like...
www.snbforums.com www.snbforums.com
 
Would the NDNS client bypass an ISP’s attempt to intercept and redirect DNS queries?
 
Smokey613 said:
Would the NDNS client bypass an ISP’s attempt to intercept and redirect DNS queries?
Click to expand...
Most likely because the isp will not be able to manipulate or know where the dns traffic is mixed up in all that https muck. The risk comes from who sees your traffic on the inside of that https muck. Your isp still knows what you are doing though.
 
SomeWhereOverTheRainBow said:
Most likely because the isp will not be able to manipulate or know where the dns traffic is mixed up in all that https muck. The risk comes from who sees your traffic on the inside of that https muck. Your isp is still knows what you are doing though.
Click to expand...
I am thinking of installing it on a neighbors ac86u to solve the aforementioned isp dns issue. I already installed Merlin on it.
 
If you encrypt your SNI, you would be looking at different circumstances because it would become hard for the isp to know what is going on, but they have their ways still such as reverse lookups on the ip addresses of sites you visit.
 
Last edited:
Encrypted SNI is a fairly new technology that isn't really widespread yet.
 
RMerlin said:
Encrypted SNI is a fairly new technology that isn't really widespread yet.
Click to expand...

Authority said:
Hasn’t Cloudflare been encrypting SNI since 2018?
Click to expand...
An experimental implementation of using Firefox+Dnscrypt-proxy2 built in DoH server features uses ESNI which takes advantage of an obsolete version of ECH (Encrypted ClientHello), a TLS extension to hide the server name in TLS (including HTTPS) connections.
Instructions on setting it up are on their wiki as follows.
github.com

Local DoH

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - DNSCrypt/dnscrypt-proxy
github.com github.com
This is not a full encryption though since only limited sites support it (i.e. sites running on cloudflare servers.)
 
Authority said:
Hasn’t Cloudflare been encrypting SNI since 2018?
Click to expand...

You need it supported at both ends, both the server and the browser. On the server side it's almost never supported because it's not supported yet by the most commonly used TLS stack (OpenSSL).

Client-wise, I believe Firefox is the only one that supports it, and again at a beta stage.

I believe the protocol is still at a draft stage.
 
as an unbound user, I'd like to know if the auth DNS servers it goes to when an URL isn't found in the cache are DoT capable. And how to verify that, or point my rDNS to those that are in preference to those that aren't; the setup at my DNS shouldn't be insurmountable, and it would be likely the best of both worlds - anything that goes out is encrypted, just as anything that comes in should be. (these security/privacy issues are fascinating)...I'm going to pop over to the unbound thread and ask the big brains there...
 
You must log in or register to reply here.

Similar threads

M
DoH using NextDNS CLI and OpenVPN (ProtonVPN) with PBR - Can it be done?
Replies
1
Views
2K
eibgrad
eibgrad
R
Enabling DNS-over-TLS (DoT) is now allowing a flood of ads through
Replies
8
Views
9K
ankhazam
A
C
N00bs need simple page with outdated stuff & working stuff. Also simple commonly used phrases only people following Merlin for years understand :D
Replies
16
Views
2K
gattaca
G
Voxel
Custom firmware build for R7800 v. 1.0.2.66.1SF/1.0.2.66.2SF (for testing)
Replies
14
Views
4K
Gar
Gar
L&LD
RT-AC68U, RMerlin 380.59 firmware, Fibre and IPv6. A beautiful combo.
Replies
4
Views
3K
Skirk
S
Similar threads
Thread starter Title Forum Replies Date
L Suggestion: DNS Director, add optional compatibility with DOT Asuswrt-Merlin 2
T Using DOT DNS breaks ECS Asuswrt-Merlin 9
CaptnDanLKW VPN Stays connected but Stops Routing after DoH Change Asuswrt-Merlin 2
X Prevent client auto DoH Asuswrt-Merlin 11

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 791 (members: 32, guests: 759)
Top