Support DOH for Sailfish

Hi.
DNS is known to be quite old technology and that it can compromise our communications.
I think it would be a good idea to incorporate a support for DOH (DNS over HTTPS), as a security plus for the system. There are already several dns services that support this new dns standard, and among them is the famous google (8.8.8.8)

Document:
https://tools.ietf.org/html/rfc8484

2 Likes

I would expect that upstream libraries should support this, before thinking about implementing this. Does glibc support DoH already, or are there plans? I see there is NSS-TLS, but I am not sure if that is the right way to go.
Also, are there Linux distro’s that implement this as a client systemwide? Like Fedora or SuSE?
I understand your interest, but I don’t expect Sailfish to become a forerunner here.

I get it.
On Linux I have only found support for DoT (DNS over TLS), but I have read that the security fails a bit.
Another method would be for the browser to support it natively like Chrome and Mozilla currently do.

Link:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https

There is also the option to use dnscrypt-proxy, but in the last version of sailfishOS it froze th cell phone after restarting the phone, specifically it happened when entering the unlock code. I think he must have some conflicts with Connman.

I would prefer this to be opt-in though. I trust my local DNS provider a lot more than US based centralized DNS servers (google, cloudflare) typically used by DoH implementations, and even though I do run my own DoH server nowadays I wouldn’t want the default to be for all my dns traffic to be routed to the USA.

8 Likes

I’ve used Keweon DNS, if you want to give it a try… https://forum.xda-developers.com/android/software-hacking/keweon-privacy-online-security-t3681139
Instructions for SF are a little different… Just convert crt to a person, and copy to cert directory, then create a real resolv confirm file, and use chattr to save it from overwrite.
(I know some people are sketched out by private DNS, but just a thought…)

  • edit - seems like SF uses real resolv conf file in /etc now, (used to be symlink to connman), so just copy cert, change DNS servers, and run update-ca-cert command…
    (I know that changing DNS is not the same as using DOH, but it’s just a possible security alternative, and Keweon has made some progress with DOH, so may be a way to do it on SF…)
1 Like

Prefer DoT over DoH.
Also, I agree with @gmc. Centralization and monopolization is bad.

4 Likes

I have a 4G router which doesn’t allow me to configure my preferred DNS servers and would like to configure encrypted DNS also on SailfishOS.

  • Android has Settings → Internet → Advanced → Private DNS where a hostname for DNS over TLS can be entered. It defaults to automatic meaning it will attempt to connect to the DHCP DNS servers over DoT and in failure case downgrades to plain DNS.
  • iOS allows enabling either DNS over TLS or DNS over HTTPS through configuration profiles.

The solution on SailfishOS I would like to see would be a mix of both, beginning by DNS over TLS opportunistic mode but allowing advanced user to set either DoT hostname or DoH endpoint in Settings. I think this would simultaneously avoid centralisation and allow advanced users pick an DoH endpoint for themselves, I would use DoH to avoid DoT being generally blocked in public networks.

1 Like

I think this request may have became more timely with many ISPs in European Union starting to censor DNS lookups to domains associated with Putin. While I don’t support him, I wonder how easy it is to slip into censoring other domains.

An example of this is rt.com with Elisa.fi 4G:

2 Likes