Hi everyone,
I have been using cloudflared for DNS-over-HTTPS for the past 5 years and it’s been working pretty well. One of the reasons for using it was because my ISP was hijacking my DNS queries and changing it to their own DNS server.
However, I saw this news where the proxy-dns feature in cloudflared is being closed and they are asking customers to shift to their WARP client instead.
I want to know what the community is using for encrypted DNS services (DoH, DoT, DoQ)
Thanks :)
I personally haven’t looked at all but I don’t fully understand doh. How can you have https before DNS? To get my first query I kind of need to validate through DNS records certificate authority for that site? So to even establish doh you need unencrypted DNS or blind trust of IP?
You’ll need a single DNS request, known as a “bootstrap” request. Your ISP will see a single DNS request to Google or Cloudflare or whatever, then everything after that will just look like normal https traffic.
That said, if your ISP is blocking and denying ALL dns requests for some reason (making the bootstrap request impossible), then you could still define the address locally. At that point, though, the ISP is likely blocking the IP addresses, too, so resolving the address is a bit moot.
Yes you’ll need a way to query the domain of the DoH service in plaintext before using it. In many software you can define “bootstrap DNS addresses” to do exactly that. Or you can hardcode the DoH service’s IPs, which for most upstream providers are almost always the same as their “normal” IPs anyways
You define your dns by IP. you get the cert from that IP and automatically trust it.
The cert for validation the server only validate the hostname. It’s not useful for IP.