DoH (DNS over HTTPS)

Posted: Tue Feb 25, 2020 10:43 am
by jgrosch
Is DoH being supported by Sonic yet?

Re: DoH (DNS over HTTPS)

Posted: Wed Feb 26, 2020 6:50 pm
by flex-brannigan
Cloudflare's 1.1.1.1 DNS service uses DoH.

Re: DoH (DNS over HTTPS)

Posted: Wed Feb 26, 2020 7:55 pm
by kgc
The short answer is no and a slightly longer answer is that I would recommend that anyone using Firefox disable DoH and use Sonic's assigned servers. DNS latency and reliability are a critical part of perceived performance - it's physically impossible to get lower latency than to our name server clusters. I can also guarantee that we never have and never will inspect or profile anyone's DNS traffic beyond what is strictly necessary to ensure quality of service (DoS tracking and bulk performance analytics). Firefox's position makes sense if you believe that all ISPs are bad actors. :/

There's some additional discussion of DOH over in this thread. viewtopic.php?f=13&t=13652

Re: DoH (DNS over HTTPS)

Posted: Wed Mar 04, 2020 10:37 pm
by ewhac
kgc wrote:The short answer is no and a slightly longer answer is that I would recommend that anyone using Firefox disable DoH and use Sonic's assigned servers. [ ... ] Firefox's position makes sense if you believe that all ISPs are bad actors. :/
You are, of course, correct that Sonic-local DNS servers will out-perform HTTPS requests to Cloudflare or whoever. However, I wonder if you're missing the larger philosophical issue that Mozilla is attempting to address. DoH doesn't mean you distrust your ISP -- DoH means you no longer have to. (It also means you don't have to trust your firewall vendor, or whoever's running the open WAP at your coffee shop.)

Personally, I think it causes more problems than it solves. DNS is hierarchically distributed and relatively resistant to disruption, whereas DoH creates single points of failure, and high-value targets for disruption and infiltration. Also: There's no guarantee that Cloudflare will never be forced into the hands of a hedge fund who will instantly turn around and start selling query data.

DNS could definitely be more secure, but the primary problem is the actors. Frankly, it seems to me much of the issue could be solved by the FCC treating DNS lookups the same as telephone records -- private to the subscriber, available to third parties only upon court order.

In any case, you may care to explore setting up an experimental DoH server exclusively for Sonic subscribers, partly as a goodwill gesture, and partly to see what resources that would require.

Re: DoH (DNS over HTTPS)

Posted: Thu Mar 05, 2020 9:33 am
by kgc
ewhac wrote:In any case, you may care to explore setting up an experimental DoH server exclusively for Sonic subscribers, partly as a goodwill gesture, and partly to see what resources that would require.
There's no particular advantage unless we make them public - something that I'm reluctant to do. What would be great is if Firefox and others allowed some simple configuration rules - like "if OS DNS servers are set to 208.201.224.11/.33 use them, if not, use DoH Provider X".

I don't have anything against DoH except for the fact that it's going to be turned on by default and should be implemented at the OS level, not in the browser.
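The configuration rule kgc sketches above ("if the OS resolvers are Sonic's, use them; otherwise fall back to DoH") is easy to express as a small policy function. The following is an added illustration, not code from this thread, Firefox, or Sonic: it parses the `nameserver` lines of a resolv.conf-style text, compares them against the two Sonic resolver addresses kgc names (208.201.224.11 and 208.201.224.33), and decides whether plain system DNS is acceptable or an RFC 8484 DoH endpoint should be used instead. The DoH URL used as the fallback is the public resolver sysops posts later in this thread; the sample resolv.conf contents are constructed, using documentation-range addresses.

```python
import ipaddress

# The two Sonic resolver addresses kgc names in this thread.
SONIC_RESOLVERS = {"208.201.224.11", "208.201.224.33"}

# Fallback DoH endpoint (the public resolver sysops posts in this thread);
# any RFC 8484 endpoint could be substituted here.
FALLBACK_DOH_URL = "https://resolver4.dns.openinternet.io/dns-query"


def os_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments (# or ;) and malformed addresses are skipped, so an attacker
    or a buggy DHCP client cannot smuggle a non-address through the check.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address, ignore the line
    return servers


def choose_resolver(resolv_conf_text, trusted=SONIC_RESOLVERS,
                    doh_url=FALLBACK_DOH_URL):
    """Decide between the OS resolvers and a DoH endpoint.

    Returns (mode, target, reason) where mode is "system" or "doh".
    The policy is: only trust plain DNS when every resolver the OS will
    actually consult is in the trusted set; anything else (no resolvers,
    a local stub whose upstream we cannot see, or unknown resolvers)
    falls back to DoH.
    """
    servers = os_nameservers(resolv_conf_text)
    if not servers:
        return ("doh", doh_url, "no resolvers configured")

    # glibc consults at most the first three nameserver entries.
    used = servers[:3]

    if all(s in trusted for s in used):
        return ("system", used, "all resolvers are in the trusted set")

    if any(ipaddress.ip_address(s).is_loopback for s in used):
        # e.g. 127.0.0.53 from systemd-resolved: the real upstream is
        # hidden behind a local stub, so we cannot verify it here.
        return ("doh", doh_url, "local stub resolver, upstream unknown")

    return ("doh", doh_url, "untrusted resolver present")


# Constructed sample resolv.conf contents (not captured from any real host).
RESOLV_SONIC = "# generated by DHCP\nnameserver 208.201.224.11\nnameserver 208.201.224.33\n"
RESOLV_OTHER = "nameserver 192.0.2.53\nnameserver 208.201.224.11\n"
RESOLV_STUB = "nameserver 127.0.0.53\noptions edns0\n"
RESOLV_EMPTY = "# nothing here\n"

if __name__ == "__main__":
    for text in (RESOLV_SONIC, RESOLV_OTHER, RESOLV_STUB, RESOLV_EMPTY):
        print(choose_resolver(text))
```

The interesting branch is the loopback one: on a host running a local stub such as systemd-resolved, resolv.conf says nothing about where queries really go, so the rule cannot be satisfied and the safe default is to fall back to DoH rather than assume the upstream is trusted.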

Re: DoH (DNS over HTTPS)

Posted: Sun Mar 22, 2020 11:54 am
by admun
Something comes to mind.

I am on Fusion service, resold by ATT. Anyone know if ATT could have monitored my DNS traffic? I am under the expectation that it could happen since the traffic goes through ATT's last mile until it reaches Sonic's network....

I have a local DNS resolver set up and pointed to Sonic's DNS resolver, but no DNSSEC.

Am I just being too paranoid?

Re: DoH (DNS over HTTPS)

Posted: Tue May 19, 2020 11:26 am
by rlc3
The latest version of Firefox seems to allow for the configuration of the DNS over HTTPS setting in order to use custom DNS servers:

[screenshot of the Firefox DNS over HTTPS settings, not included]

I apologize for the naive question (I only have a superficial understanding of DoH), but why do you say:
kgc wrote:There's no particular advantage unless we make them public
Is there no advantage for Sonic customers if we could enable DoH to Sonic's own DNS?

Re: DoH (DNS over HTTPS)

Posted: Wed Aug 04, 2021 12:32 pm
by grantbacon
I too would be in big favor of Sonic offering a DOH provider, as I trust Sonic dearly. <3

Re: DoH (DNS over HTTPS)

Posted: Fri Aug 06, 2021 5:24 pm
by sysops
I'm now running a DoH server on Sonic's network in their datacenter. See this post for a bit more background and DNSCrypt info: viewtopic.php?f=10&t=16976&p=58055#p58055

I'm a Sonic colocation customer (I have servers running in Sonic's datacenter in Santa Rosa) but am not affiliated with Sonic.

The DoH server address is: https://resolver4.dns.openinternet.io/dns-query

Since it is not run or controlled by Sonic, you have to trust me as your provider. The resolver does not log in any way, and uses Sonic's recursive DNS resolvers to resolve names (by way of me). Sonic only sees my server IP address for queries routed through the server. I've long been a supporter of encrypted DNS and have run DNSCrypt servers for many years.

After an initial experimentation period, I'll add the server to the public resolver list: https://github.com/DNSCrypt/dnscrypt-re ... solvers.md (the DNSCrypt server is already listed there).

Please feel free to use this and try it out if you want to use a DoH server on the Sonic network. This is a public resolver and you can be on any ISP to use it. I make no guarantees about uptime, so make sure to have a failover option or use a client that can randomize your DNS queries across multiple providers/servers (e.g. dnscrypt-proxy).

Also a word to the wise...encrypted DNS doesn't mean privacy (especially if you're a Sonic Fiber/DSL customer). When using encrypted DNS, plenty of advertisers/marketers/trackers will still follow you all over the web and know who you are. In addition to encrypted DNS, investigate tracker blocking for all your devices. Soon I'll run a public DoH/DNSCrypt server that will also filter out trackers. Plenty of them already exist as well.
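For readers who want to see what actually goes over the wire when a client talks to a resolver like the one above, here is an added example of a minimal RFC 8484 DoH lookup in Python. It is not sysops' server code or any client the thread mentions: it builds a standard DNS wire-format query, encodes it into the `?dns=` GET parameter (base64url, padding stripped, as the RFC requires), and parses the `application/dns-message` reply, including name-compression pointers. The live `resolve_over_https()` helper uses the resolver URL posted above; the sample reply it is tested against is constructed here (an A record for example.com pointing at the documentation address 192.0.2.1), not captured from any real server.

```python
import base64
import struct
import urllib.request

# Resolver URL posted by sysops in this thread; any RFC 8484 endpoint works.
DOH_URL = "https://resolver4.dns.openinternet.io/dns-query"


def encode_name(name):
    """Encode a domain name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Build a DNS query message. RFC 8484 recommends ID 0 so that the
    resulting GET URL is identical across clients and therefore cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url, query):
    """RFC 8484 GET form: base64url-encoded message with '=' padding removed."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={dns}"


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg):
    """Return [(name, ttl, ipv4)] for the A records in a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0xF:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


def resolve_over_https(name, url=DOH_URL):
    """Live lookup (needs network); returns parsed A records."""
    req = urllib.request.Request(doh_get_url(url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("unexpected content type")
        return parse_a_records(resp.read())


# Constructed sample reply (not from any real server): QR=1 RD=1 RA=1,
# one question, one answer using a compression pointer (0xC00C) to the
# question name, A record example.com -> 192.0.2.1 with TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url(DOH_URL, build_query("www.example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Two things worth noticing: the request body is an ordinary DNS message, so everything from the ID to the resource records is exactly what a UDP resolver would see, only wrapped in TLS; and the `Accept`/`Content-Type` check matters because a captive portal or middlebox that intercepts the HTTPS request will typically answer with HTML, which this client rejects instead of trying to parse as DNS.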

Re: DoH (DNS over HTTPS)

Posted: Fri Aug 06, 2021 5:31 pm
by sysops
rlc3 wrote:The latest version of Firefox seems to allow for the configuration of the DNS over HTTPS setting in order to use custom DNS servers:

I apologize for the naive question (I only have a superficial understanding of DoH), but why do you say:
kgc wrote:There's no particular advantage unless we make them public
Is there no advantage for Sonic customers if we could enable DoH to Sonic's own DNS?
As a Sonic Fiber or DSL customer, there's no particular advantage because if you trust Sonic as your ISP and are already using their DNS servers, then you already have inherently private and fast DNS. While your DNS queries aren't encrypted over the wire, they never leave Sonic's network and Sonic doesn't do anything nasty with your DNS queries.

Making it public would mean that you could use Sonic's DNS servers off-network (e.g. on Comcast or Fusion IP Broadband, Sonic's resold AT&T service) which would be a good service to provide, but there are already a number of decent public DoH servers that are trustworthy and have good privacy policies.

That's some of my reasoning anyway.