Author Topic: HTTP/3 QUIC explained in a way even I can understand :p  (Read 2929 times)

neil

  • Reg Member
  • ***
  • Posts: 502
Re: HTTP/3 QUIC explained in a way even I can understand :p
« Reply #15 on: July 30, 2022, 01:58:14 AM »

For Android users it is available from Google.

https://security.googleblog.com/2022/07/dns-over-http3-in-android.html
DNS-over-HTTP/3 in Android
July 19, 2022

In Android 9.0, we announced the Private DNS feature, which uses DNS-over-TLS (DoT) to protect DNS queries when enabled and supported by the server. Unfortunately, DoT incurs overhead for every DNS request. An alternative encrypted DNS protocol, DNS-over-HTTPS (DoH), is rapidly gaining traction within the industry as DoH has already been deployed by most public DNS operators, including the Cloudflare Resolver and Google Public DNS. While using HTTPS alone will not reduce the overhead significantly, HTTP/3 uses QUIC, a transport that efficiently multiplexes multiple streams over UDP using a single TLS session with session resumption. All of these features are crucial to efficient operation on mobile devices.
Logged
VDSL FTTC 35/18

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: HTTP/3 QUIC explained in a way even I can understand :p
« Reply #16 on: July 30, 2022, 02:36:36 PM »

How to enable DNS over QUIC in OpenWrt router? I have DNS over HTTPS.
And will it be able to bypass firewall filtering? At ISP or country level?

Depends. The changes to treat QUIC in the same manner as HTTP are software so firewalls that are purely software-based will be fine. Firewalls that make use of specific hardware to accelerate things get a little more complex.

Where businesses have decrypted their users' TLS sessions to view the contents there's no reason why they couldn't continue to do so. Most of the heavy lifting there is done by the AES-NI instructions in CPUs.

Filtering by ISPs or nation states will continue to use a combination of DNS snooping, IP address lookups and deep packet inspection to read the certificate the server presents. There are ways to hide the identity of the site you're visiting; however, filtering can just block these and force your session to fall back to a method allowing them to snoop at least which server you're accessing.

https://mitmproxy.org/ already has support for QUIC including the roaming capability.
Logged
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: HTTP/3 QUIC explained in a way even I can understand :p
« Reply #17 on: July 31, 2022, 01:49:33 PM »

You make a good point, Weaver, in how things would be if networking was being designed today as a fresh start with the knowledge we have now; you are likely right, I think the packets would be much bigger.

Of course the challenges of upgrading network technology are explained well in the video: they couldn't make QUIC its own standalone protocol, as it would take a decade for middle boxes to catch up and be compatible, as was the case with TCP Fast Open. So a very clever idea for it to piggyback on UDP, something that's established and should be allowed by middle boxes. Every now and then on communities I see firewall rules that get posted that aim to block invalid combinations of packets; I expect QUIC would violate some of those rules. But those aren't standard rules configured by default on any devices.
« Last Edit: July 31, 2022, 01:52:07 PM by Chrysalis »
Logged
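Since QUIC rides inside ordinary UDP datagrams, a firewall or logging sensor that wants to treat it differently from other UDP has to recognise it from the payload. The sketch below is an added example, not part of the thread or of any product mentioned in it: it classifies a UDP payload using the QUIC long-header layout from RFC 8999 and the version 1 packet types from RFC 9000. The function name `classify_udp_payload`, the `from_client` parameter and all sample payloads are constructed for illustration.

```python
import struct

QUIC_V1 = 0x00000001
V1_LONG_TYPES = {0: "initial", 1: "0-rtt", 2: "handshake", 3: "retry"}

def classify_udp_payload(payload: bytes, from_client: bool = True) -> dict:
    """Classify one UDP payload by the QUIC long-header layout (RFC 8999/9000)."""
    if len(payload) < 7 or not payload[0] & 0x80:
        # Short-header QUIC packets carry no version field, so without flow
        # state they cannot be told apart from any other UDP traffic.
        return {"kind": "no-long-header"}
    first = payload[0]
    (version,) = struct.unpack_from("!I", payload, 1)
    pos, cids = 5, []
    for _ in range(2):  # destination connection ID, then source connection ID
        if pos >= len(payload) or pos + 1 + payload[pos] > len(payload):
            return {"kind": "malformed"}
        cids.append(payload[pos + 1 : pos + 1 + payload[pos]])
        pos += 1 + payload[pos]
    info = {"version": version, "dcid": cids[0].hex(), "scid": cids[1].hex()}
    if version == 0:
        return {"kind": "version-negotiation", **info}
    if version != QUIC_V1:
        # Another QUIC version, or non-QUIC UDP that happens to set the top bit.
        return {"kind": "other-version", **info}
    if not first & 0x40 or any(len(c) > 20 for c in cids):
        return {"kind": "malformed", **info}  # v1 fixed bit unset or CID too long
    kind = V1_LONG_TYPES[(first >> 4) & 0x3]
    # RFC 9000 requires clients to pad datagrams carrying Initial packets to
    # at least 1200 bytes; a shorter one from a client is worth logging.
    if kind == "initial" and from_client and len(payload) < 1200:
        kind = "initial-undersized"
    return {"kind": kind, **info}

def _long_header(first: int, version: int, dcid: bytes, scid: bytes) -> bytes:
    """Build a constructed long header for the samples below."""
    return (bytes([first]) + struct.pack("!I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid)

# Constructed sample payloads (not captured traffic).
DCID = bytes.fromhex("0102030405060708")
SAMPLES = {
    "client_initial": _long_header(0xC0, QUIC_V1, DCID, b"").ljust(1200, b"\x00"),
    "short_initial": _long_header(0xC0, QUIC_V1, DCID, b"") + b"\x00" * 40,
    "handshake": _long_header(0xE0, QUIC_V1, DCID, DCID) + b"\x00" * 40,
    "version_negotiation": _long_header(0x80, 0, DCID, DCID) + struct.pack("!I", QUIC_V1),
    "dns_query": bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_udp_payload(data)["kind"])
```

Only the handshake packets use this long header; once a connection is established the short header carries no version, so a sensor has to track the flow from its first packets to keep labelling it as QUIC.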