Support Forum

Enable ESNI without DoH?

S
Posted

I'd like to enable ESNI. However, I can't seem to do this without enabling DoH on Firefox, which bypasses my DNS filter at home (which also uses DoH). Is there any way I can get ESNI enabled without DoH on Firefox? Thanks!


More system details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0


RobertJ
  • Top 10 Contributor
155 solutions 1619 answers

Hi S, I'm pretty sure that it's the same in Mac as in Windows -

  • Type (or paste) about:config in the address bar and press Enter/Return(?)
  • Click "Accept the Risk and Continue"
  • In the search bar, enter network.security.esni.enabled
  • Double-click the entry line to toggle its value to True (or use the Toggle button at the right)

While you're there, check your DoH setting. Enter network.trr.mode in the search bar, and check that the value is set to:

  • 0 = Off (default). Use standard native resolving only (don't use TRR at all)
  • 5 = Off by choice. This is the same as 0 but marks it as done by choice and not done by default (forced Off)

Other settings:

  • 2 = Use TRR first, and only if the name resolve fails use the native resolver as a fallback (This is the DoH setting used in Network Settings)
  • 3 = Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)

See: MozillaWiki - Trusted Recursive Resolver https://wiki.mozilla.org/Trusted_Recursive_Resolver

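One way to check a profile for the two prefs discussed in the answer above, as an added example that is not part of the original thread: it parses the `user_pref(...)` lines of a Firefox `prefs.js` and reports the DoH/ESNI state. The function names, the sample file content, the `false` default for the ESNI pref and the full pref name `network.trr.bootstrapAddress` are assumptions of this example.

```python
import re

# network.trr.mode meanings as listed in the answer above.
TRR_MODES = {
    0: "off (default): native resolver only",
    2: "TRR first, native resolver as fallback",
    3: "TRR only, never the native resolver",
    5: "off by choice: native resolver only",
}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Report the DoH/ESNI state and the conflicts discussed in this thread."""
    mode = prefs.get("network.trr.mode", 0)  # absent from prefs.js = default 0
    esni = prefs.get("network.security.esni.enabled", False)  # assumed default
    doh = mode in (2, 3)
    notes = []
    if doh:
        notes.append("DoH on: Firefox lookups go to its TRR, not the local DNS filter")
    if esni and not doh:
        notes.append("ESNI pref on with TRR off: reported in this thread as inactive")
    if mode == 3 and not prefs.get("network.trr.bootstrapAddress"):
        notes.append("mode 3 set without a bootstrapAddress pref")
    return {"mode": mode, "meaning": TRR_MODES.get(mode, "not listed in the thread"),
            "doh": doh, "esni": esni, "notes": notes}

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE = '''// Mozilla User Preferences
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.mode", 0);
'''

if __name__ == "__main__":
    print(audit(parse_prefs(SAMPLE)))
```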

Question owner

Yes, I have enabled the ESNI setting in about:config. However, I wish to leave trr.mode as set to 0, so that my own DNS filtering will continue to work. Leaving DoH disabled also seems to break ESNI, as web tests show ESNI is disabled.

RobertJ
  • Top 10 Contributor
155 solutions 1619 answers

You're right. It's probably because ESNI is a Cloudflare design. Unless you have Cloudflare set as your TRR, ESNI fails. You can double-check me by going to your Network Settings at the bottom of the Options -> General page and setting the DoH provider to NextDNS and testing again.

RobertJ
  • Top 10 Contributor
155 solutions 1619 answers

From Cloudflare:

"Encrypted SNI

The Server Name Indication (SNI) exposes the hostname the client is connecting to when establishing a TLS connection. Doing so can compromise your privacy.

Encrypted SNI keeps the hostname private when you are visiting an Encrypted SNI enabled site on Cloudflare by concealing your browser’s requested hostname from anyone listening on the Internet.

All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled as default."


So, ESNI will only work with domains on Cloudflare, anyway.
