Support DOH for Sailfish

Hi.
DNS is known to be quite an old technology, and it can compromise our communications.
I think it would be a good idea to incorporate support for DoH (DNS over HTTPS), as a security plus for the system. There are already several DNS services that support this new DNS standard, and among them is the famous Google (8.8.8.8).

Document:
https://tools.ietf.org/html/rfc8484
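For anyone who wants to see what the RFC actually specifies on the wire, here is an added example (written for this thread, not code from the RFC or from Sailfish) that builds a DNS query in wire format, encodes it the way RFC 8484 requires for the GET form (`?dns=` with unpadded base64url) and the POST form (`application/dns-message` body), and parses a constructed response. It makes no network connection; the resolver URL is an assumed placeholder, and the response bytes and the 192.0.2.1 address are constructed test data.

```python
"""
RFC 8484 (DNS over HTTPS) message construction and parsing.

Added example, not from the forum thread: it builds the DNS wire-format
query that a DoH client sends, encodes it for the GET form
(?dns=<base64url, no padding>) and the POST form
(Content-Type: application/dns-message), and parses a constructed
response. No network access is performed; the resolver URL is an
assumed placeholder, not a real service.
"""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"
RESOLVER_URL = "https://doh.example/dns-query"  # assumed placeholder, not a real resolver

QTYPE_A = 1
QTYPE_AAAA = 28
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels terminated by a zero-length octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query. RFC 8484 section 4.1 recommends ID 0 so identical
    queries produce identical URLs and can be cached by HTTP intermediaries."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query: bytes, resolver: str = RESOLVER_URL) -> str:
    """GET form: base64url with the trailing '=' padding removed (RFC 8484 section 6)."""
    return f"{resolver}?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_post_request(query: bytes, resolver: str = RESOLVER_URL) -> dict:
    """POST form: the raw message is the body; these are the headers a client sends."""
    return {"method": "POST", "url": resolver,
            "headers": {"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE},
            "body": query}


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two octets, then done
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg: bytes) -> dict:
    """Return the rcode and the A/AAAA addresses from the answer section."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                 # skip question entries: name + type + class
        off = _skip_name(msg, off) + 4
    addresses = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addresses.append(":".join(f"{rdata[i]:02x}{rdata[i + 1]:02x}" for i in range(0, 16, 2)))
    return {"rcode": flags & 0x000F, "addresses": addresses}


# Constructed response to the www.example.com query: echoes the question, then one
# A record (name as compression pointer 0xC00C, TTL 300, 192.0.2.1 from TEST-NET-1).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(parse_response(SAMPLE_RESPONSE))
```

The GET URL produced for `www.example.com` is byte-for-byte the example in RFC 8484 section 4.1.1, which is a useful sanity check when writing a client: the query ID is zero, the base64url padding is stripped, and the same question always yields the same URL. The HTTPS layer is what gives DoH its confidentiality and server authentication; the DNS payload itself is unchanged from classic UDP DNS, which is also why the trust question raised later in this thread (which resolver you send it to) matters as much as the transport.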

I would expect that upstream libraries should support this, before thinking about implementing this. Does glibc support DoH already, or are there plans? I see there is NSS-TLS, but I am not sure if that is the right way to go.
Also, are there Linux distros that implement this as a client system-wide? Like Fedora or SuSE?
I understand your interest, but I don’t expect Sailfish to become a forerunner here.

I get it.
On Linux I have only found support for DoT (DNS over TLS), but I have read that the security fails a bit.
Another method would be for the browser to support it natively like Chrome and Mozilla currently do.

Link:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https

There is also the option to use dnscrypt-proxy, but in the last version of SailfishOS it froze the cell phone after restarting the phone; specifically, it happened when entering the unlock code. I think it must have some conflicts with Connman.

I would prefer this to be opt-in though. I trust my local DNS provider a lot more than US-based centralized DNS servers (Google, Cloudflare) typically used by DoH implementations, and even though I do run my own DoH server nowadays I wouldn’t want the default to be for all my DNS traffic to be routed to the USA.

4 Likes

I’ve used Keweon DNS, if you want to give it a try… https://forum.xda-developers.com/android/software-hacking/keweon-privacy-online-security-t3681139
Instructions for SF are a little different… Just convert crt to a person, and copy to cert directory, then create a real resolv.conf file, and use chattr to save it from overwrite.
(I know some people are sketched out by private DNS, but just a thought…)

  • edit - seems like SF uses real resolv conf file in /etc now, (used to be symlink to connman), so just copy cert, change DNS servers, and run update-ca-cert command…
    (I know that changing DNS is not the same as using DOH, but it’s just a possible security alternative, and Keweon has made some progress with DOH, so may be a way to do it on SF…)

Prefer DoT over DoH.
Also, I agree with @gmc. Centralization and monopolization is bad.

2 Likes