#dns-over-https — Public Fediverse posts

CachyOS April 2026 update adds fingerprint sudo, DNS over HTTPS, and a new package manager for Linux

https://fed.brid.gy/r/https://nerds.xyz/2026/04/cachyos-april-2026/

Johannes Weber hat mit mir in seinem Podcast über DNS allgemein und DNS-over-HTTPS im Speziellen gesprochen. Das Ergebnis hört ihr hier https://securityasapodcast.de/podcast/05-doh-dns-over-https/

#podcast #DNS #DoH #dnsoverhttps

Vocês usam #DNSoverHTTPS ?
Recomendações para um leigo no assunto?

Stavo leggendo qualcosa relativamente a "DNS over HTTPS".

Da Firefox ci sono tre possibilità, Cloudflare, NextDNS e un provider custom.

Mi piace l'idea di cifrare le richieste DNS da browser ma non vorrei cadere dalla padella alla brace, nel senso che adesso uso i DNS di un provider italiano quindi lato privacy credo di essere sufficientemente protetto e non vorrei finire in mano a un provider straniero che si prende le mie richieste e se le vende.

Cosa ne pensate?

#dnsoverhttps

I have decided to take some #privacy back to my hands. I have implemented selfhosted #dnsoverhttps server and self provisioning profile to my iPhone. It blocks ads providers and trackers similar way as #pihole. #Docker container will be released soon. Stay tuned.

Currently doing some DNS testing via my ISP (Ogi) here in Wales at it seems that at the moment @aaisp has the second fastest DNS over HTTPS resolvers available!

'DNS over HTTPS | Min | Avg | Max |Std.Dev| Median|
----------------+-------+-------+-------+-------+-------+

• Average Delay | 0.012 | 0.014 | 0.015 | 0.001 | 0.013 |
• Cached Name | 0.012 | 0.012 | 0.012 | 0.000 | 0.012 |
• Uncached Name | 0.013 | 0.014 | 0.014 | 0.001 | 0.013 |
• DotCom Lookup | 0.015 | 0.015 | 0.015 | 0.000 | 0.015 |---<-------->---+-------+-------+-------+-------+-------+ https://dns.aa.net.uk/dns-query ANDREWS ARNOLD LTD'

Being a smidgen faster that Quad9 and NextDNS. Not too shabby! 😉🖖

#DNS #UK #DNSoverHTTPS #Internet #Performance #AAISP

@tarnkappeinfo
Hallo,
schöner Artikel - ich habe jedoch ein paar Nachfragen dazu:

* Warum hat Ihr in Eurem Artikel den neuen europäischen DNS-Resolver DNS4EU nicht erwähnt? Gib es bei dem irgendwelche Gründe, die gegen eine Nutzung sprechen?

* Ihr habt hier die Verwendung von DNS over HTTPS beschrieben - gibt es einen Grund DNS over TLS (DoT) _nicht_ zu verwenden?

* Ihr beschreibt nur die Einstellungen für einen Windows 11-Rechner? Keine Beschreibung für das Smart-Phone - egal ob Android oder IOS - für den Betrieb außerhalb des Heimnetzes ... Spricht etwas gegen die Eintragung auf dem Home-Router (z.B. FRITZ!Box) für alle Geräte im Heimnetz?

#DNSoverHTTPS #DNSoverTransportLayerSecurity
#Fritzbox
#Android #IOS

📬 DNS over HTTPS Windows: So geht’s ganz einfach
#Anleitungen #Datenschutz #DNSoverHTTPS #DNSAbfragen #DoHaktivieren #ITSecurity #Verschlüsselung #Windows11 https://sc.tarnkappe.info/e9f23a

🔍😂 Behold the latest tech "innovation": DNS over HTTPS, aka DoH, which promises to hide your browsing secrets. Except, surprise! 🎉 Now, instead of many peepers, only one gets to see all your queries. Truly, a monumental win for privacy—if you're a fan of monopolies. 🙄 #TechLogic #PrivacyFail
https://www.bsdhowto.ch/doh.html #TechInnovation #PrivacyMonopoly #DNSoverHTTPS #BrowsingSecrets #PrivacyConcerns #HackerNews #ngated

Why not use DNS over HTTPS (DoH)?

https://www.bsdhowto.ch/doh.html

#HackerNews #DNSoverHTTPS #DoH #cybersecurity #privacy #technews

Dynamic between DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC, with DNS-over-IP Fallback.

Why pick one, when you can have them all?

https://discourse.nixos.org/t/dynamic-between-dns-over-https-dns-over-tls-dns-over-quic-with-dns-over-ip-fallback/64968

#DNS #Linux #NixOS #Nix #DnsOverHttps #DnsOverTls #DnsOverIp #DnsOverQuic

Как HTTP(S) используется для DNS: DNS-over-HTTPS на практике

HTTPS позволяет реализовать защищённую работу с интерфейсом DNS-резолвера, скрыв состав DNS-трафика, который иначе передавался бы в открытом виде. Это достаточно специальная технология, но она уже стала типовой функцией распространённых веб-браузеров и широко используется. Посмотрим, как это всё работает на практике, но не из браузера, а из консоли, попутно разобрав простейшее DNS-сообщение.

https://habr.com/ru/articles/898138/

#dns #dnsoverhttps #tls #ssl #https #http

Cómo configurar DNS sobre TLS (DoT) con Unbound DNS en OPNsense https://blog.elhacker.net/2024/12/configurar-dns-sobre-tls-dot-unbound-opnsense.html #DNSoverHTTPS #opnsense #tutorial #unbound #manual #dns #DoH #DoT

Bruh I'm still so confused about this - can any #networking people or anyone with #PiHole/#Pi-hole experience chime in and tell if my goal is privacy, and if I were to prioritise one, it'd be better privacy against my ISP, what should I use on my Pi-hole DNS server?

- #Unbound as a recursive DNS server (my interpretation of this route is, it's the best privacy vs 3rd party DNS - but I'm assuming it's the worst privacy vs ISP?)
- Enable #DNS-Over-TLS (#DoT) using Unbound and upstream DNS provider set to something like #Cloudflare
- or Enable #DNS-Over-HTTPS (#DoH) using #Cloudflared

I initially thought you could have Pi-hole run with all three (I have a feeling this a really stupid noob networking moment right here) but I don't think so, no?

Anyway this kind of shit is why we're getting horrible ideas like #DNSoverHTTPS, I really hate ISPs and governments for forcing this into existence ​:koishtare:​

Man I want to get rid of #HTTP2 from my #nginx, but then it will break #DNSoverHTTPS for #Windows ​:TenshMelt:​

Man, if #DNSoverHTTPS is just this simple... ​:sagume_think:​

http://mima.localghost.org/dns/chaotic.ninja/AAAA

#!/bin/sh
if [ $REQUEST_METHOD == "GET" ]
then
    DNS_DOMAIN=$(echo "$QUERY_STRING" |
                 sed -n 's/^.*domain=\([^&]*\).*$/\1/p' |
                 sed "s/%20/ /g")
    DNS_TYPE=$(echo "$QUERY_STRING" |
               sed -n 's/^.*type=\([^&]*\).*$/\1/p' |
               sed "s/%20/ /g")
    [ -z $DNS_TYPE ] && DNS_TYPE=A
    if [ -d "$DNS_DOMAIN" ]
    then
        DNS_STATUS="NOERROR"
        LOCAL_REC="$DNS_DOMAIN/$DNS_TYPE"
        [ -e "$LOCAL_REC" ] && DNS_REC=$(cat "$LOCAL_REC")
    else
        DIG_RESPONSE=$(dig +noall +answer +comments "$DNS_DOMAIN" "$DNS_TYPE")
        DNS_STATUS=$(echo "$DIG_RESPONSE" | grep status | cut -d ':' -f 3 | cut -w -f 2 | cut -d ',' -f 1)
        if [ $DNS_STATUS == "NOERROR" ]
        then
            DNS_ANSWER=$(echo "$DIG_RESPONSE" | grep IN)
            DNS_REC=$(echo "$DNS_ANSWER" | cut -w -f 5-)
            DNS_TTL=$(echo "$DNS_ANSWER" | cut -w -f 2)
        fi
    fi
fi

httpstatus()
{
    case $1 in
        200) httpsemantic="OK";;
        404) httpsemantic="Not Found";;
    esac
    printf "HTTP/1.0 $1 $httpsemantic\r\n"
    echo "Status: $1 $httpsemantic"
}
case $DNS_STATUS in
    "NOERROR")
        if [ ! -z "$DNS_REC" ]
        then
            httpstatus 200
            echo "Cache-Control: private, max-age=$DNS_TTL"
            ANSWER="$DNS_REC"
        else
            httpstatus 404
            ANSWER="NOERROR, but no $DNS_TYPE record"
        fi
        ;;
    "NXDOMAIN")
        httpstatus 404
        ANSWER="$DNS_STATUS"
        ;;
esac

echo "Content-Type: text/plain"
echo
echo "$ANSWER"

upstream dohexperiment {
    server 127.0.0.1:80;
}

[...]

location ~ /dns/(.*)/(.*)$ {
        proxy_pass http://dohexperiment/dns/index.cgi?domain=$1&type=$2;
}
location ~ /dns/(.*[^\/])$ {
        proxy_pass http://dohexperiment/dns/index.cgi?domain=$1;
}

I feel like #DNSoverHTTPS would make a lot more sense if you can do #CRUD with it, kinda like #REST. So for example to get the IPv4 of www.example.com, you'd do a GET /www.example.com/A instead of the current /dns-query?dns= with GET, or god forbid, POST to /dns-query for what's clearly a query (it's in the damn name). The POST should only be used for creating custom #DNS records. And you can DELETE them so the server can return back to querying its upstream when it receives a GET for that domain and record type again.

This would give #DoH an actually useful purpose other than just being a controversial circumvention method marketed as a "privacy feature" that security admins hate. If you somehow got stuck in a terminal which doesn't have dig and UDP is blocked then you can still do DNS queries. And if you have authorization you don't even have to ssh to change some /etc/hosts; just telnet to port 80 or openssl s_client to port 443 and do the editing there!

If any unethical network operator (or government) can disable DoH on clients with a simple DNS flag, then what problem does DoH solve?

It stops you from blocking ads on the DNS level. That's all it was ever supposed to solve.

Disable DoH. Reject DoH.

#dns #adblock #pihole #networking #doh #dnsoverhttps

I wrote a very basic #Ansible playbook to help people set up #PiHole with #DNSOverHTTPS (#DoH) directly installed on a Debian-based host (Raspberry Pi or small VM). It's available on my GitHub repo. I hope you find it useful! #HomeLab #SelfHosted
https://github.com/badnetmask/miscelaneous/tree/main/ansible/pihole-doh

Установка обратного VPN: нет ничего проще

Сейчас многие граждане РФ, которые находятся за границей, испытывают проблемы с доступом к некоторым российским ресурсам . По каким-то причинам несколько десятков российских сайтов запрещают доступ с IP-адресов за пределами РФ. К счастью, эту проблему довольно легко решить, если поднять свой сервер внутри РФ и перенаправить трафик через него. Это так называемый «обратный VPN». В принципе, его можно организовать на любом компьютере на территории РФ, который постоянно находится в онлайне и подключён к местному провайдеру. Как вариант, заказать услугу VPS за полтора доллара — и поднять систему на внешнем хостинге. И всё, считайте, что вы виртуально переехали обратно в РФ.

https://habr.com/ru/companies/ruvds/articles/789692/

#ruvds_статьи #RUVDS #VDS #хостинг_сайтов #VPN_наоборот #обратный_VPN #DNSсервер #Technitium #DNSoverTLS #DNSoverHTTPS #DNSoverQUIC

There should be a way to fill in a secondary server for DNS over HTTPS providers in Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=1563404

#Firefox #DoH #DNSoverHTTPS #missingFeature

📬 Proxy-Trojaner für macOS verbirgt sich in gecrackter Software
#Cyberangriffe #Malware #Szene #CommandandControlServer #DNSoverHTTPS #KasperskyLab #PKGInstallationsprogramm #proxytrojaner #proxyserver #SergeyPuzan #WebSocket https://tarnkappe.info/artikel/it-sicherheit/malware/proxy-trojaner-fuer-macos-verbirgt-sich-in-gecrackter-software-284338.html