Summarizer

I guess one of the interesting things I learnt off this article(1) was that 7% of DNS query types served by 1.1.1.1 are HTTPS and started wondering what HTTPS query type was as I had only heard of A, MX, AAAA, SPF etc... Apparently that is part of implementing ECH (Encrypted Client Hello) in TLS 1.3 where the DNS hosts the public key of the server to fully encrypt the server name in a HTTPS request. Since Nginx and other popular web servers don't yet support it, I suspect the 7% of requests are mostly Cloudflare itself. (1) https://radar.cloudflare.com/?ref=loworbitsecurity.com#dns-q...

It’s also how browsers detect a website supports HTTP3. Browsers will request it just to check if they should connect to an https:// URL via HTTP3 (though they generally don’t block on it - they fallback to HTTP1/2 if it takes too long).

> It’s also how browsers detect a website supports HTTP3 It's one way, but a H1/H2 connection can also be promoted to H3 via the alt-svc header. The DNS method is slightly better though since it potentially allows a client to utilize H3 immediately from the first request.

Caddy supports it, and has quite a bit written about it: https://caddyserver.com/docs/automatic-https#encrypted-clien...

Caddy has supported it for several months now, although I do agree most the requests are in fact Cloudflare.

Wait, so you do not leak the host through DNS with this? I have not checked it out yet.

Encrypted DNS has existed for quite a while now through DNS over HTTPS, the missing link was that to connect to a website, you first had to send the server the hostname in plaintext to get the right public key for the site. So someone listening on the wire could not see your DNS requests but would effectively still get the site you connected to anyway. The new development (encrypted client hello) is you no longer have to send the hostname. So someone listening in the middle would only see you connected to an AWS/etc IP. This will make blocking websites very difficult if they use shared services like cloudflare or cloud VPS hosting.

In principle, it means you could run multiple sites from the same IP and someone intercepting traffic to that IP (but not the client’s DNS path) couldn’t tell what site each connection was to. It mostly makes sense for CDNs, where the same IP will be used for many sites. If you don’t use a CDN at all, the destination IP leaks what site you’re trying to connect to (if the domain is well known). If you use a CDN without ECH, you send an unencrypted domain name in the HTTPS negotiation so it’s visible there. ECH+CDN is an attempt to have the best of both worlds: your traffic to the site will not advertise what site you’re connecting to, but the IP can still be shared between a variety of sites. It’ll be interesting to see how countries with lighter censorship schemes adapt - China etc. of course will just block the connection.

Even for China so-called "overblocking" where to censor a small thing you have to block a much larger thing, is a real concern with these technologies. There's a real trade here, you have to expend effort and destroy potential and in some cases the reward isn't worth it. You can interpret ECH as an effort to move the ratio, maybe China was willing to spend $5000 and annoy a thousand people to block a cartoon site criticising their internal policies, but is it willing to sped $50 000 and annoy a ten thousand people? How about half a million and 100K people ?

My read is you still leak the host with DNS. This only prevents leaking the host with SNI. A useful piece but not at all the holy grail.

Adguard Home and others can be configured to complete your DNS requests over HTTPS (using, for example, https://dns.cloudflare.com/dns-query ).

That's not what this is about. HTTPS is the name of a protocol, which is mostly used to make the World Wide Web work, but we do lots of other things with it, such as DNS-over-HTTPS aka DoH. However HTTPS is also the name of a type of DNS record, this record contains everything you need to best reach the named HTTPS (protocol) server, and this is the type of record your parent didn't previously know about In the boring case, say, 20 years ago, when you type https://some.name/stuff/hats.html into a web browser your browser goes "Huh, HTTPS to some.name. OK, I will find out the IPv4 address of some.name, and it makes a DNS query asking A? some.name. The DNS server answers with an IPv4 address, and then as the browser connects securely to that IP address, it asks to talk to some.name, and if the remote host can prove it is some.name, the browser says it wants /stuff/hats.html Notice we have to tell the remote server who we hope they are - and it so happens eavesdroppers can listen in on this. This means Bad Guys can see that you wanted to visit some.name. They can't see that you wanted to read the document about hats, but they might be able to guess that from context, and wouldn't you rather they didn't know more than they need to? With the HTTPS record, your web browser asks (over secure DNS if you have it) HTTPS? some.name and, maybe it gets a positive answer. If it does, the answer tells it not only where to try to connect, but also it can choose to provide instructions for a cover name to always use, and how to encrypt the real name, this is part of Encrypted Client Hello (or ECH) Then the web server tells the server that it wants to talk to the cover name and it provides an encrypted version of some.name. Eavesdroppers can't decrypt that, so if many people share the same endpoints then eavesdropper can't tell which site you were visiting. Now, if the server only contains documents about hats, this doesn't stop the Secret Hat Police from concluding that everybody connecting to that server is a Hat Pervert and needs to go to Hat Jail. But if you're a bulk host then you force such organisations to choose, they can enforce their rules equally for everything (You wanted to read News about Chickens? Too bad, Hat Jail for you) or they can accept that actually they don't know what people are reading (if this seems crazy, keep in mind that's how US Post worked for many years after Comstock failed, if you get a brown paper package posted to you, well, it's your business what is in there, and your state wasn't allowed to insist on ripping open the packaging to see whether it is pornography or communist propaganda)

https://en.wikipedia.org/wiki/DNS_over_HTTPS

> so if many people share the same endpoints then eavesdropper can't tell which site you were visiting. Which is why it is so important/useful to Cloudflare but of much lower utility to most nginx users.