Re: DoH (DNS over HTTPS)

Posted: Sun Jan 23, 2022 1:31 am
by rbp
Kelsey et al.,

All that you say is true for the majority of Sonic customers that are directly connected to the Sonic network. Like I wish I was. But, alas, I no longer live in California and so ... no luck. I am lucky enough to live in Loveland, CO and we have a local community broadband provider so I have my gigabit fiber. But they are a stripped down operation. They provide a pipe to the internet and that's it. A modem, IP address and good luck.

So I *have* to use a public DNS server. Since I use Sonic for email (I know - my email is encrypted on its way to you) and other things, I would *like* to use Sonic's DNS servers.

But I'm also developing a sense of paranoia, especially as DNS queries are all that leaves my private network unencrypted.

Cloudflare is fastest, although speed doesn't matter much since I'm using pihole and it caches. Right now I'm doing DNS-over-https to Cloudflare since it doesn't seem too reasonable to give google more data than they already get from me.

Anyway, we customers who are not directly connected to Sonic are no doubt in a minority and I get it if supporting DNS over HTTPS for us, or for locally connected people who are traveling is too much effort.

Re: DoH (DNS over HTTPS)

Posted: Fri Feb 02, 2024 6:36 am
by ixo
I recently discovered that Mullvad, a trusted VPN provider, has a free encrypted DNS service that you can use. It’s relatively new; previously the only services that offered encrypted DNS were mostly Cloudflare and Google, which I don’t really trust as they are aggregating our data and selling it.

https://mullvad.net/en/help/dns-over-ht ... s-over-tls

If I was on Sonic fiber, however, I would not use it as it would not really be needed because of Sonics own great privacy policies.

I think another good option if you’re on Mac is Apple’s Private Relay feature, which is included if you have an iCloud paid subscription.

There is also www.NextDNS.io, which is more secure and faster than the free options, but with a small fee.

Re: DoH (DNS over HTTPS)

Posted: Sat Feb 03, 2024 11:21 am
by forumvisitor
It looks like it has been a few years since this question was asked. Mozilla browsers have successfully supported DNS over HTTPS (DoH) since then. However, their default is Cloudflare, where I assume they have made a privacy-conscious choice. Personally, as a Sonic customer, I would prefer to continue to use Sonic DNS servers and hence be backed by Sonic privacy and security policies.

So, does Sonic have any plans to introduce such a service on their DNS servers, which would greatly help with integration into an operating system? And if so, any idea of the timeline?

Re: DoH (DNS over HTTPS)

Posted: Wed Feb 07, 2024 5:26 pm
by kgc
Actually.... we just haven't said anything. I see no particular advantage to using DoH to these servers vs using traditional DNS protocols since more or less the whole point of DoH is to hide the contents of your DNS queries from the prying eyes of your ISP.

Surprisingly, we see virtually no DoH requests coming in. This may be due to the majority of customers' equipment running caching resolvers and providing themselves as the single DNS server via DHCP. This has the unfortunate result of not picking up Firefox, which instead sends all traffic to Cloudflare, which pinky swears to not use the data they can glean from it for anything.

I would encourage Firefox users to just go ahead and disable DoH so long as they understand the implication of doing so regarding public WiFi and/or use of VPNs.

Code:

$ dig @50.0.1.1 +https sonic.com

; <<>> DiG 9.18.20 <<>> @50.0.1.1 +https sonic.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38701
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5538d0450d92ae30100000065c42c6cecfa4d728222edba (good)
;; QUESTION SECTION:
;sonic.com.                     IN      A

;; ANSWER SECTION:
sonic.com.              5146    IN      A       184.23.169.173

;; Query time: 3 msec
;; SERVER: 50.0.1.1#443(50.0.1.1) (HTTPS)
;; WHEN: Wed Feb 07 17:20:44 PST 2024
;; MSG SIZE  rcvd: 82

Re: DoH (DNS over HTTPS)

Posted: Thu Feb 08, 2024 8:39 am
by ngufra
There was a very interesting talk last summer at the IETF in San Francisco about user awareness and use of "secure DNS".

slide deck:
https://datatracker.ietf.org/meeting/11 ... rowsers-01

video:
https://youtu.be/K-Lm-RywPX4?si=zdMRKLwpBnO_5sh1&t=4281

Re: DoH (DNS over HTTPS)

Posted: Thu Feb 08, 2024 6:00 pm
by forumvisitor
kgc wrote: Wed Feb 07, 2024 5:26 pm Actually.... we just haven't said anything. I see no particular advantage to using DoH to these servers vs using traditional DNS protocols since more or less the whole point of DoH is to hide the contents of your DNS queries from the prying eyes of your ISP.

Surprisingly, we see virtually no DoH requests coming in. This may be due to the majority of customers' equipment running caching resolvers and providing themselves as the single DNS server via DHCP. This has the unfortunate result of not picking up Firefox, which instead sends all traffic to Cloudflare, which pinky swears to not use the data they can glean from it for anything.

I would encourage Firefox users to just go ahead and disable DoH so long as they understand the implication of doing so regarding public WiFi and/or use of VPNs.

Code:

$ dig @50.0.1.1 +https sonic.com

; <<>> DiG 9.18.20 <<>> @50.0.1.1 +https sonic.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38701
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5538d0450d92ae30100000065c42c6cecfa4d728222edba (good)
;; QUESTION SECTION:
;sonic.com.                     IN      A

;; ANSWER SECTION:
sonic.com.              5146    IN      A       184.23.169.173

;; Query time: 3 msec
;; SERVER: 50.0.1.1#443(50.0.1.1) (HTTPS)
;; WHEN: Wed Feb 07 17:20:44 PST 2024
;; MSG SIZE  rcvd: 82
There are some scenarios where traditional DNS is problematic, but perhaps you can provide clues as how to overcome those without using Sonic's VPN or wishing for DoH.

I use Sonic's Fibre to Node, which runs over ATT resold lines. As far as I can tell, ATT appears to intercept traditional DNS requests via port 53, so that Sonic servers cannot be reached for address resolution. However, the servers can be pinged. I do not believe the observations below are due to misconfiguration on my part, but that is always possible.

Any request to resolve an address using only 50.0.1.1 or 50.0.2.2 results in failure. I am glad you used dig in your post, because that application is a favorite of mine too. To be fair, I have already informed support previously about this, so you can get more details from them...I am sure they remember. All they could say is that on ATT resold lines, there is nothing they can do about DNS :-) But...like I said, you may provide a clue for readers in other situations here too.

If I have only 50.0.1.1 and 50.0.2.2 for resolving, here is the result I sent support:

Code:

dig -4 wikipedia.org

;; communications error to 50.0.1.1#53: timed out
;; communications error to 50.0.1.1#53: timed out
;; communications error to 50.0.1.1#53: timed out
;; communications error to 50.0.2.2#53: timed out

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> -4 wikipedia.org
;; global options: +cmd
;; no servers could be reached
Doesn't look too promising, does it? It's ditto for IPv6 too. If I place ATT's modem gateway IP first (or presumably, any ATT DNS server), then all of a sudden, Wikipedia resolution works just fine...just like in the real world, which is where I guess you are. Without that modem being first, I cannot even start Sonic's VPN, because the provided configuration file tries to resolve ovpn.sonic.net...which does not exist...not without that ATT modem first. But put the VPN aside for now, since not all Sonic customers use it.

I noticed you used dig with +https. Funny enough, I provided Sonic support with an example of that too:

Code:

dig -4 +https wikipedia.org

;; communications error to 50.0.1.1#443: failure
;; communications error to 50.0.1.1#443: failure
;; communications error to 50.0.1.1#443: failure
;; communications error to 50.0.2.2#443: failure

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> -4 +https wikipedia.org
;; global options: +cmd
;; no servers could be reached
Definitely, doesn't look inviting either!

For those who don't use dig, they might say I missed the @ sign or I wasn't referring to Sonic's DNS server. To accommodate those, I typed exactly what you used:

Code:

dig @50.0.1.1 +https sonic.com
;; communications error to 50.0.1.1#443: failure
;; communications error to 50.0.1.1#443: failure
;; communications error to 50.0.1.1#443: failure

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @50.0.1.1 +https sonic.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

Hmmm!

Before your post, I was told that DoH was coming to Sonic servers, but not ready yet. I tried it again after your post and got the same results. So if you believe it's working...then it works for you...not me, or perhaps anyone using Sonic's Fibre to Node. However, from the Sonic VPN all of the above work, i.e., the latter two came back with those capital HTTPS entries.

So, back to you encouraging folks to disable DoH? There you mention Cloudflare and its "pinky". I've got nothing against Cloudflare. I simply say that if I had a choice, it would always be Sonic DNS servers. If I have no choice, then I would pick Cloudflare DNS servers...if you see what I mean :-)

But you could not have missed the point that Firefox only sends to Cloudflare by default when the users explicitly pick "Increased Protection" and they leave the default. There is also an option for NextDNS (who I don't know), and furthermore a Custom field. IP addresses don't work in it, nor should they since it would be limited. But research showed that when Cloudflare is picked, under the covers the field looks like this...and actually accepts this if you paste it there:

Code:

https://mozilla.cloudflare-dns.com/dns-query
I contacted Sonic support again because I could do a test with ipleak.org using that Custom field in the DoH settings, if I had something similar for Sonic and Sonic DoH was working, i.e., something like:

Code:

https://blah.sonic.net/dns-query
It would have stated categorically whether my reason for posting was worthwhile, if I then saw Sonic servers in ipleak.org. It was only a test, but for unknown reasons support refused to provide anything that could be "looked up and resolved". So, that doorway was closed. They also said that this problem went beyond their support, which I guess could be considered the final nail. Fortunately, I had been advised previously that folks in the forum might be in a better position to help. And here you are...I hope.

I really thought it might even be useful to let Sonic know of the situation where dig above using +https failed, which means that even Firefox's Custom field with a valid Sonic DNS server might not work either...not for my case. In fact, DoH might simply be just as off the cards as traditional DNS as far as Sonic Fibre to Node is concerned. But then again, there are other customers reading this who might still benefit by having their browsers tied to Sonic DNS servers via DoH. And besides, I have the VPN and there all looks great, including fast, efficient and reliable Sonic DNS servers.

Finally, as for your recommendation to turn off Firefox DoH. Well, if I do that, and check with ipleak.org, all ATT servers show up...not Sonic DNS servers. If I use what FF calls "Default Protection", all ATT DNS servers show up there too. The only time I can see any other DNS servers other than ATT's is to use Firefox's "Increased Protection" which has Cloudflare as the default. Then and only then does ipleak.org show other DNS servers, which just happen to be those of Cloudflare. So, it's back to what do you suggest now?

Note, that I am neither promoting FF as a browser nor Cloudflare as a DNS provider, pinky or otherwise. I believe DoH is available in other browsers, or may be in the future, and it can be implemented via the OS outside of the browser to be more effective. If you see alternative scenarios, outside of a VPN, then feel free to let us know.

Re: DoH (DNS over HTTPS)

Posted: Fri Feb 09, 2024 6:51 am
by js9erfan
forumvisitor wrote: Thu Feb 08, 2024 6:00 pm

Code:

dig -4 wikipedia.org

;; communications error to 50.0.1.1#53: timed out
;; communications error to 50.0.1.1#53: timed out
;; communications error to 50.0.1.1#53: timed out
;; communications error to 50.0.2.2#53: timed out

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> -4 wikipedia.org
;; global options: +cmd
;; no servers could be reached
Doesn't look too promising, does it? It's ditto for IPv6 too. If I place ATT's modem gateway IP first (or presumably, any ATT DNS server), then all of a sudden, Wikipedia resolution works just fine...just like in the real world, which is where I guess you are. Without that modem being first, I cannot even start Sonic's VPN, because the provided configuration file tries to resolve ovpn.sonic.net...which does not exist...not without that ATT modem first. But put the VPN aside for now, since not all Sonic customers use it.

Without 'digging' too deep, and assuming you prefer to use Sonic's VPN service over ATT, you could modify the VPN profile. Replace ovpn.sonic.net with IPs (see below). Once the VPN connection is established the server should be pushing their DNS to you without having to rely on ATT.

Code:

; <<>> DiG 9.18.16 <<>> ovpn.sonic.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60721
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;ovpn.sonic.net.			IN	A

;; ANSWER SECTION:
ovpn.sonic.net.		14373	IN	A	157.131.224.198
ovpn.sonic.net.		14373	IN	A	157.131.224.200
ovpn.sonic.net.		14373	IN	A	157.131.224.199

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Feb 09 06:26:47 PST 2024
;; MSG SIZE  rcvd: 91

Re: DoH (DNS over HTTPS)

Posted: Fri Feb 09, 2024 11:08 am
by forumvisitor
Without 'digging' too deep, and assuming you prefer to use Sonic's VPN service over ATT, you could modify the VPN profile. Replace ovpn.sonic.net with IPs (see below). Once the VPN connection is established the server should be pushing their DNS to you without having to rely on ATT.

Code:

; <<>> DiG 9.18.16 <<>> ovpn.sonic.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60721
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;ovpn.sonic.net.			IN	A

;; ANSWER SECTION:
ovpn.sonic.net.		14373	IN	A	157.131.224.198
ovpn.sonic.net.		14373	IN	A	157.131.224.200
ovpn.sonic.net.		14373	IN	A	157.131.224.199

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Feb 09 06:26:47 PST 2024
;; MSG SIZE  rcvd: 91
I am aware of the option, but thanks for providing it to the readers. And I should mention now that the ipleak address should have been entered as https://ipleak.net (i.e. not .org)

As I mentioned in my rather long previous post, the Sonic VPN does save the day...for those who know how to set it up and use it. But my original post regards situations when one is not using the VPN, or does not want to complicate their system by installing it. For those users, having a simple field is the way for them to say I want this or that DNS server to serve for me.

So, the question remains:

What is the lookup DoH https URL that will allow me to use Sonic DNS servers via https?

If there are reasons it cannot be provided at this time, that can be mentioned here. With that URL, there is no need to dig deep into how each user has set up their entire home network, including computers, VPNs, routers and the modem etc. The following becomes child's play:

1. On the webpage where Sonic tells customers the DNS servers to use, mention that there is a DoH URL available for those who need it
2. Prior to using that URL, browse to https://ipleak.net and see what DNS servers show up
3. In the case of Firefox, first (as a test) choose "Increased Protection" in the DoH section of the settings. It will default to Cloudflare
4. Revisit ipleak.net and if Cloudflare shows up as the servers, it works. If not, assume something is misconfigured
5. Finally, if Cloudflare did show up, go back to settings and enter the Sonic DoH URL in the Custom field
6. And now revisit ipleak.net and expect to see Sonic DNS servers

That's it. That scenario gives the entire picture. If those Sonic DNS servers are there, then I would consider Sonic DoH as working for me. If not:

a) Firefox got it wrong, or there's some other setting to change too, or it has a bug, or even it secretly favored its own choices...whatever OR
b) Sonic DoH was probably fine, but something has specifically caused Sonic's DoH not to work and that is likely something that needs to be changed outside the browser

That's why the URL is needed, and folks can use it for any circumstance in which DoH applies, i.e., any browser which supports it. Also, when mobile and not on one's home network, who knows what gateway one might need to use. Nowadays, a browser's DNS requests are closely related to both privacy and security. Any gateway that denies that choice must have a reason. Then perhaps one might limit when and how that gateway is used, as one would do for any public network.

Re: DoH (DNS over HTTPS)

Posted: Fri Feb 09, 2024 12:02 pm
by kgc
Sonic's DNS servers are only accessible to our on-network customers. This does not include the ATT wholesale IP Broadband or FTTN products. Running public recursive DNS servers is not a good idea (unless you choose to be in that business) and all of our customers on ATT's infrastructure are not in isolated networks. The VPN is the only solution here.

As for the URL for DoH, it's simply supported on all of the known IPs according to the RFCs. Or, if you will, https://ns1.sonic.net/dns-query and https://ns2.sonic.net/dns-query
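
What a DoH endpoint such as the /dns-query URL above actually receives and returns is a plain DNS wire-format message carried over HTTPS (RFC 8484). The following is an added example, not code from Sonic or from anyone in this thread: it builds the query that kgc's `dig +https sonic.com` sends, parses the A record from the reply, and checks the `application/dns-message` content type that marks a genuine DoH answer. The sample reply bytes are constructed here from the answer shown in that dig output; the resolver URL is the one given in this post and only answers on-network clients.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client: encode a DNS query, POST it to a
/dns-query endpoint, and decode the A records in the response."""
import struct
import urllib.request

def build_query(name, qtype=1):
    """Encode an RFC 1035 query for `name` (default type A, class IN).
    ID is 0, as RFC 8484 recommends so that DoH responses stay cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, RD flag, qdcount=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, answers = flags & 0x0F, 12, []
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, answers

def doh_lookup(name, url="https://ns1.sonic.net/dns-query"):
    """POST the query (RFC 8484 section 4.1) and return the A records.
    Needs network access; the default URL is Sonic's on-network resolver."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError("not a DoH response: " + ctype)
        return parse_a_records(resp.read())[1]

# Constructed sample response: sonic.com A 184.23.169.173 (TTL 5146), the
# answer shown in kgc's dig output, with the name compressed to a pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x05sonic\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 5146, 4)
                   + bytes([184, 23, 169, 173]))
```

`parse_a_records(SAMPLE_RESPONSE)` returns `(0, ['184.23.169.173'])`; the "communications error ... #443: failure" seen off-network in this thread shows up here as `urlopen` raising before any body is parsed.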

Re: DoH (DNS over HTTPS)

Posted: Sat Feb 10, 2024 12:32 pm
by forumvisitor
kgc wrote: Fri Feb 09, 2024 12:02 pm Sonic's DNS servers are only accessible to our on-network customers. This does not include the ATT wholesale IP Broadband or FTTN products. Running public recursive DNS servers is not a good idea (unless you choose to be in that business) and all of our customers on ATT's infrastructure are not in isolated networks. The VPN is the only solution here.

As for the URL for DoH, it's simply supported on all of the known IPs according to the RFCs. Or, if you will, https://ns1.sonic.net/dns-query and https://ns2.sonic.net/dns-query
Great!...you provided the missing piece of the puzzle...for me at least, i.e., the HTTPS URLs. I placed one in the Custom field and here are the results.

FTTN with "Increased Protection"
This led to ATT DNS servers as usual, but then I remembered that this setting will fall back to "Default Protection" if there is a problem with the chosen DNS servers. So:

FTTN with "Maximum Protection"

Code:

Possible security risk looking up this domain

Firefox can’t protect your request for this site’s address through our trusted DNS resolver. Here’s why:
Firefox wasn’t able to connect to ns1.sonic.net.

Learn more…

You can continue with your default DNS resolver. However, a third-party might be able to see what websites you visit.
Good thing you pointed out that the servers are only available to on-network customers, otherwise I would have thought that it was being interfered with somehow...but then again Cloudflare worked which seemed to rule that out.

Sonic VPN with "Maximum Protection"
When using the VPN, I normally turn Firefox's protection setting Off, just like you advised, because it's not needed there. But as part of this post, I used the "Maximum Protection" setting while in the VPN to force Firefox to use the URL you provided. And bingo...it worked like a charm.

So, if Sonic was in the business of making their DNS available to the off-network public (just like Cloudflare and NextDNS), then anyone choosing Sonic DoH would get the protection.

However, the downside is the obvious burden on the DNS servers for your own customers. That makes one wonder why those providers would agree to it in their case, which in turn takes me back to your "pinky" comment that Cloudflare "swears to not use the data they can glean from it for anything". I've not read the agreement they have with Mozilla, but I'd bet it doesn't say that. I would guess it's more like they "swear to not sell your data", which is quite a different thing. Anytime I hear that phrase, I hear a little voice saying "Ah...but they didn't say they wouldn't give it away", or in your own words "let someone else glean from it for anything" :-)

So, the conclusion is that in my case the VPN is the only way. Basically, Sonic is my ISP. But with the FTTN and similar products, I am not on Sonic's network until I use the VPN. Once I've done that, I can take full advantage of Sonic's services and policies.

Thanks for clarifying the situation so succinctly. Personally, my recommendation is that Sonic customers in situations where the VPN is not available and are connected to whatever third-party gateway happens to be around, should take advantage of DoH. At least you're the one choosing the DNS provider at that point, even if it's not the preferred one.