NoClipMode

ANSWERED DNS over HTTPS - Is it even needed anymore when using AirVPN?

I use DNS over HTTPS (DoH) with Firefox, and I also use Simple DNSCrypt on Windows 10 for DoH, so that all DNS traffic is encrypted. I use the Cloudflare 1.1.1.1 DNS for both methods.
So I have a few questions about this because I've no idea if I should be using DoH anymore...

Does using DNS over HTTPS compromise AirVPN's privacy/security in any way? 

If I'm using AirVPN is there even any point in using DoH any more? For example, I'm guessing that AirVPN will no longer use my ISP's DNS and will also use DNS encryption, making DoH pointless? And I noticed that when connected to AirVPN it overrides the DNS settings of Simple DNSCrypt anyway.

Lastly, should I disable DoH in Firefox? Because it seems to still be connecting to 1.1.1.1 even when I'm using AirVPN.

8 hours ago, NoClipMode said:

Does using DNS over HTTPS compromise AirVPN's privacy/security in any way? 


No, it'll be usual encrypted traffic over OpenVPN.
 
8 hours ago, NoClipMode said:

If I'm using AirVPN is there even any point in using DoH any more?


If you use 1.1.1.1, yes, because the OpenVPN encryption is only active between you and the OpenVPN server, and anything beyond it remains "normal", e.g., DNS will still be unencrypted, HTTPS still encrypted, etc.
If you use AirDNS, DNS over HTTPS might be overkill. :)
 
8 hours ago, NoClipMode said:

Lastly, should I disable DoH in Firefox? Because it seems to still be connecting to 1.1.1.1 even when I'm using AirVPN.


How do you control it in Firefox? I briefly searched about:config for "DNS", "crypt", "secure" and "https" but didn't find anything relevant. 😮

Four simple things:
There's a guide to AirVPN. Before you ask questions, take 30 minutes of your time to go through it.

Amazon IPs are not dangerous here. It's the fallback DNS.
Running TOR exits is discouraged. They're subject to restrictions on the internet and harm all AirVPN users.

Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, you'll be unique among the mass again.

 

XMPP: gigan3rd@xmpp.airvpn.org or join our lounge@conference.xmpp.airvpn.org


Thanks for the help!
So to be clear, will my ISP be able to see what sites I visit if I just use AirVPN? It sounds like they can't if encryption is active between me and the OpenVPN/AirVPN server? I only really care about that part in regards to DoH, because in my country the ISP keeps logs of every site people visit for an entire year.
 
17 minutes ago, giganerd said:
How do you control it in Firefox? I briefly searched about:config for "DNS", "crypt", "secure" and "https" but didn't find anything relevant. 😮

In Firefox go to about:config and:
1. Search for "network.trr.bootstrapaddress" and change the value to 1.1.1.1
2. Search for "network.trr.mode" and change the value to 3 (this will force DoH, and a value of 2 will use regular DNS as a fallback)
3. Search for "network.trr.uri" and set the value to https://mozilla.cloudflare-dns.com/dns-query

Then you can go to https://1.1.1.1/help to see if it's working :)

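Added example (not part of the thread, and not Firefox code): a small Python check that reads a profile's prefs.js or user.js and reports whether the three network.trr.* settings listed in the post above actually force DoH, or leave the regular-DNS fallback of mode 2 open. The function names and the sample files are constructed for illustration.

```python
import re

# Matches one `user_pref("name", value);` line as found in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref name: value} with ints, bools and strings decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw
    return prefs

def audit_trr(prefs):
    """List reasons why lookups could still leave Firefox as regular DNS."""
    findings = []
    mode = prefs.get("network.trr.mode")
    if mode == 2:
        findings.append("network.trr.mode=2: regular DNS is used as a fallback")
    elif mode != 3:
        findings.append(f"network.trr.mode={mode!r}: DoH is not forced")
    if not str(prefs.get("network.trr.uri", "")).startswith("https://"):
        findings.append("network.trr.uri is not an https:// resolver URL")
    if mode == 3 and not prefs.get("network.trr.bootstrapaddress"):
        findings.append("network.trr.bootstrapaddress is not set (step 1 above)")
    return findings

# Constructed sample files, not taken from a real profile.
FORCED = '''
// the three settings from the post
user_pref("network.trr.bootstrapaddress", "1.1.1.1");
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
FALLBACK = FORCED.replace('"network.trr.mode", 3', '"network.trr.mode", 2')

if __name__ == "__main__":
    for label, text in (("forced", FORCED), ("fallback", FALLBACK)):
        print(label, audit_trr(parse_prefs(text)) or "DoH forced, no fallback")
```

An empty findings list means the profile matches the three steps from the post; any finding is a reason to run a DNS leak test while the VPN is connected.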
14 hours ago, NoClipMode said:

will my ISP be able to see what sites I visit if I just use AirVPN? It sounds like they can't if encryption is active between me and the OpenVPN/AirVPN server?


Encryption is always on, therefore, no, they can't. :) Unless you suffer from a DNS leak, of course.

I've seen these options in a Firefox release but not in Waterfox (what I'm currently using). The latter is supposed to have feature parity with the newest Firefox release but it clearly doesn't. 😠

7 hours ago, giganerd said:
I've seen these options in a Firefox release but not in Waterfox (what I'm currently using). The latter is supposed to have feature parity with the newest Firefox release but it clearly doesn't. 😠

Yeah I noticed that too, it's why I stopped using Waterfox because it seems to be a little behind with new features. But ideally it would be best if DoH was supported in the router firmware although literally no routers support it yet. But Android Pie has DNS over TLS (DoT) built in to the OS, which practically does the same thing. But I prefer DoH, because DoT uses its own dedicated port, which means it can be blocked.


The only real problem with DNS over HTTPS I'm seeing right now is that it can lead to a centralization of the web (to some extent at least). If only a few providers offer it (Google and Cloudflare, to name a few big ones), and therefore everyone is using them, there will be no diversity. We know what Google does with DNS requests while Cloudfront at least has got the benefit of the doubt right now with their "privacy is key", "we don't care what sites we protect with our DDoS protection" attitude. It can change and then we resolve our queries at a malevolent, central location, which contradicts the design of the current internet a bit.



DNSCrypt is not a standard of IETF. DoH is.
Define your own scope, a standard protocol with internet giants, or a non-standard one with volunteers.
The end case is the same, they are both end-to-end encrypted, so you are safe from your ISP/VPN, just decide which party you prefer to trust more. Personally I go with a Torified DoH everywhere in Qubes.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

