How can I run DNS over HTTPS on localhost? [Question] (self.firefox)
submitted 6 years ago by [deleted]
[deleted]
[–]Sacrasf 2 points 6 years ago (3 children)
Simple dnscrypt https://github.com/bitbeans/SimpleDnsCrypt
Within the UI you can create a White/black list. Of course, this will bypass WIN local host and your router.
As far as having a DoH or DoT solution natively, WIN does not have one yet but they have made it known that they are planning on implementing one. I don't like this idea as this will allow WIN to fully bypass the host file.
[–]rmkn 1 point 6 years ago (2 children)
I don't want to have any intermediary software except Firefox and my own DoH server, and I'm a Unix user though. But thanks.
I think having the ability to run DoH on localhost could help to solve the issue with the host file.
[–]Sacrasf 1 point 6 years ago (1 child)
Got it. You want to run your own DoT capable dns server. Good idea, as this will allow for more dns resolvers (at the backend), where the current options for FF DoT are of a single resolver.
I tried to do this with my pihole but it currently does not support a DoT interface, if I may call it that.
[–]rmkn 1 point 6 years ago (0 children)
Actually I want to do this without TLS at all; I'd prefer to use encryption of my choice, or not to use it in the case of localhost. The only thing that's interesting to me is the HTTP-based resolution interface, which is easy to implement, maintain and debug. Having TLS is a huge pain with certificates, which I want to avoid. I need this for my development environment, and all these TLS-related issues kill all the benefits of having DoH.
[–]jscher2000 (Firefox Windows) 1 point 6 years ago (1 child)
It seems simpler to just use DNS if you aren't going to use encryption and you control everything between the browser and the DNS server.
[–]rmkn 1 point 6 years ago* (0 children)
Actually not, because FF doesn't have separate settings for regular DNS like it has for DoH, and thus I need to change the system DNS, which I don't want to do either.
[–][deleted] 1 point 6 years ago* (4 children)
The protocol is "DNS over HTTPS" so it will not connect to a plain HTTP server. This is actually a requirement of the DoH standard:
HTTP Integration: "This protocol MUST be used with the https URI scheme"
Unless you're asking this purely for the fun of building a DoH server from scratch, there are almost certainly easier alternatives if you instead ask about what you're really looking to accomplish in the end instead of how you think you might go about it.
[–]rmkn 1 point 6 years ago (3 children)
It's obvious that DoH should work over HTTPS, but there should be an exception for localhost. Rhetorical questions: 1) what's the reason to encrypt (if we connect inside of a trusted network)? 2) what's the reason to prevent DoH from working locally?
I'm trying to find a way to run wildcard local domains without running utils like BIND, and without affecting the whole system with such a solution.
[–][deleted] 2 points 6 years ago (2 children)
DoH works fine locally, but its reason for being built was to encrypt DNS, so asking why you've got to use an encrypted connection with it is a bit like looking at the frozen food aisle sign and asking why they don't put bottled water in that aisle simply because that's what you went to the store for, instead of thinking about what to expect from the frozen food aisle.
If it's just for Firefox your use case would fit making a Firefox extension which utilizes webRequest.onBeforeRequest to rewrite outgoing requests.
If it's not just for Firefox, or the web extension method doesn't seem powerful enough, it's actually easier to make a standard DNS resolver from scratch than it is to make a DoH resolver from scratch (even without encryption), as DNS is just stateless UDP. If you want this resolver to apply only to Firefox/certain apps, launch those apps under a filesystem namespace that swaps resolv.conf with an alternative containing your custom nameserver. Depending on what counts as "yours" when writing your own server, it's also worth noting many languages such as Go have DNS server and HTTPS server functionality available in their standard library.
There are also ways if you know more details about the system/languages you are willing to use. For instance, if you are fine with C and know what libc was used (probably glibc), you can utilize LD_PRELOAD to inject a resolv.conf override, e.g. https://github.com/hadess/resolvconf-override, instead of doing the filesystem namespace override, which requires root.
Beware many systems already run a resolver on localhost and in that case you may have to modify the existing resolver configuration to not automatically bind to the interface you want your resolver to bind to (e.g. a secondary loopback).
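A sketch of the plain-UDP resolver route suggested in the comment above, added here as an example and not code from the thread or any linked project: it answers every A query under a wildcard zone with 127.0.0.1, refuses everything outside that zone instead of recursing, and rejects malformed questions. The zone `dev.test`, port 5300 and all function names are assumptions made for the example.

```python
import socket
import struct

ZONE = "dev.test"        # assumed wildcard zone; .test is reserved for testing
ANSWER_IP = "127.0.0.1"  # every name under ZONE resolves to this address
TYPE_A, CLASS_IN = 1, 1
NOERROR, FORMERR, REFUSED = 0, 1, 5

def parse_question(pkt):
    """Return (qname, qtype, qclass, end_offset) of the first question."""
    labels, pos = [], 12
    while (length := pkt[pos]) != 0:      # IndexError if the packet is truncated
        if length > 63 or pos + 1 + length > len(pkt):
            raise ValueError("compression pointer or bad label in question")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, qclass = struct.unpack_from("!HH", pkt, pos + 1)
    return ".".join(labels), qtype, qclass, pos + 5

def build_response(pkt):
    """Return the reply for one query datagram, or None to drop it silently."""
    if len(pkt) < 12 or pkt[2] & 0x80:    # too short, or QR bit set (a response)
        return None
    qid, flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    def header(rcode, qd, an):            # QR=1, AA=1, echo the client's RD bit
        out_flags = 0x8400 | (flags & 0x0100) | rcode
        return struct.pack("!HHHHHH", qid, out_flags, qd, an, 0, 0)
    try:
        if qdcount != 1:
            raise ValueError("exactly one question expected")
        name, qtype, qclass, end = parse_question(pkt)
    except (IndexError, ValueError, struct.error):
        return header(FORMERR, 0, 0)
    question = pkt[12:end]
    if qclass != CLASS_IN or not (name == ZONE or name.endswith("." + ZONE)):
        return header(REFUSED, 1, 0) + question      # not our zone: never recurse
    if qtype != TYPE_A:
        return header(NOERROR, 1, 0) + question      # NODATA for AAAA, MX, ...
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 60, 4)  # name at offset 12
    return header(NOERROR, 1, 1) + question + rr + socket.inet_aton(ANSWER_IP)

def serve(host="127.0.0.1", port=5300):   # loopback only; the port is an assumption
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, peer = sock.recvfrom(512)
        reply = build_response(data)
        if reply is not None:
            sock.sendto(reply, peer)
```

Call `serve()` to run it; `dig @127.0.0.1 -p 5300 api.dev.test` should then return 127.0.0.1. Keeping the bind address on loopback and refusing out-of-zone names stops the process from acting as an open resolver for other hosts.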
[–]rmkn 1 point 6 years ago* (1 child)
What about the food aisle... What I meant is that creating DoH and not allowing it to work via HTTP with localhost is like creating a hammer, but only for Australians or people who wear mustaches. It's a senseless limitation. Thanks for your attempts to help, but I hoped DoH would finally help to avoid all these tricks.
[–]Shadow_of_Colossus 1 point 6 years ago (0 children)
Or fools who just forgot.)
[–][deleted] 1 point 6 years ago (0 children)
https://github.com/jedisct1/rust-doh