
DNS over HTTPS

Carl edited this page Apr 12, 2022 · 4 revisions

DNS-over-HTTPS (DoH) is enabled by default in opportunistic mode (same as upstream Chromium); it is advised to choose a provider explicitly so that DoH runs in explicit mode.

Enable DoH from Settings -> Privacy -> Use Secure DNS -> Choose another provider and then enter one or more space-separated DoH template URLs.

If the URL contains {dns} then GET requests will be issued; otherwise POST requests are used, which is the default.
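An added example (not Bromite or Chromium code) showing how the two request shapes differ under RFC 8484 for each space-separated template in the setting. Assumptions: the dns variable is expanded per RFC 6570, so {?dns} becomes ?dns=... and a bare {dns} is replaced in place; doh.example is a constructed host and the function names are hypothetical.

```python
import base64
import re
import struct

# Constructed sample of the settings field: two space-separated templates.
SAMPLE_SETTING = "https://doh.example/dns-query{?dns} https://doh.example/dns-query"

# Assumption: RFC 6570 forms {?dns} (query expansion) and {dns} (simple expansion).
_DNS_VAR = re.compile(r"\{(\??)dns\}")

def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035) with one question, class IN."""
    # ID 0 keeps identical queries cacheable over HTTP (RFC 8484); 0x0100 sets RD.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError("each label must be 1..63 bytes")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_request(template, name, qtype=1):
    """Return (method, url, headers, body) for one DoH template URL."""
    if not template.lower().startswith("https://"):
        raise ValueError("DoH templates must be https:// URLs")
    msg = build_query(name, qtype)
    headers = {"Accept": "application/dns-message"}
    match = _DNS_VAR.search(template)
    if match:
        # GET: the message travels in the URL, base64url-encoded, padding stripped.
        b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
        expansion = ("?dns=" if match.group(1) else "") + b64
        url = template[:match.start()] + expansion + template[match.end():]
        return "GET", url, headers, b""
    # POST: the raw message is the body, typed as application/dns-message.
    headers["Content-Type"] = "application/dns-message"
    return "POST", template, headers, msg

def requests_for_setting(setting, name):
    """Build one request per space-separated template in the settings field."""
    return [doh_request(t, name) for t in setting.split()]
```

With GET the queried name is part of the URL, so it can end up wherever URLs are recorded (resolver or intermediary access logs); with POST it is carried only in the request body.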

List of some public resolvers (in no specific order and with no endorsement):

  • AdGuard: https://dns.adguard.com/dns-query
  • Cloudflare: https://cloudflare-dns.com/dns-query
  • Google: https://dns.google/dns-query
  • Quad9: https://9.9.9.9/dns-query

A more extensive list is maintained by the DNS Privacy Project: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers

Verify

You can verify your current active DNS resolver with:

https://www.dnsleaktest.com

Limitations

  • DoH does not use the custom proxy configuration
  • DoH will use regular DNS queries to bootstrap the DoH resolution itself

Bromite-specific features

  • secure mode is enabled by default
  • Bromite will honour DoH configuration and disable fallback to Android system DNS even when system DNS configuration is inconsistent (see DNS internals below)
  • the User-Agent, Accept-Language and brotli compression HTTP headers are not passed, to avoid leaking user information

DNS internals

Some notes about how DNS works internally in Chromium/Bromite.

  • Chromium/Bromite will always use the Android system DNS as a fallback, and the browser starts in this (implicit) configuration state
  • SystemDnsConfigChangeNotifier::Core will trigger OnConfigChanged when system DNS changes
  • under some circumstances (e.g. insufficient file permissions on /system/etc/hosts) this trigger never happens, so DnsClient::system_config_ is never set by the SetSystemConfig call and the browser is left in an inconsistent state
  • this inconsistent state causes DoH initialisation to fail because there is no valid system DNS configuration (see DnsClient::BuildEffectiveConfig(), which returns early when there is no DnsClient::system_config_)
  • the inconsistent state (browser running without ever seeing a valid system DNS configuration) persists until the browser is restarted; queries still succeed because Android's DNS is used as a fallback anyway

Since 100.0.4896.83, Bromite always respects the DoH configuration even when the system DNS configuration is inconsistent (see also: https://github.com/bromite/bromite/issues/1960).

History

  • introduced in version 67.0.3396.88
  • was available as a flag until version 78.0.3904.114
  • has been available upstream since version 86.0.4240.66
  • added workaround for system DNS issue in version 100.0.4896.83