pfSense 2.5: Configuring Cloudflare Family for DNS over TLS, issue with Encrypted SNI
-
Hi, I have followed the guide https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html for configuring pfSense 2.5 for DNS over TLS using Cloudflare (1.1.1.3). Everything seems to be working, except that when I test at https://www.cloudflare.com/en-gb/ssl/encrypted-sni it shows an X for Encrypted SNI.
Is this an issue? How do I fix it?
-
ESNI, or its replacement ECH (Encrypted Client Hello), is a browser thing. It would have nothing to do with whether the DNS is encrypted over TLS or not.
-
@johnpoz Ah good, I thought I had misconfigured something.
-
You do understand that without ESNI or ECH (ESNI is dead already, really)...
Just because you hide the DNS from your evil ISP, they still see where you're going via the SNI the browser sends to the HTTPS server it is talking to, at the IP it got from your hidden-from-the-man DNS query.
Without ESNI or ECH, hiding your DNS queries from your ISP is, to be honest, an exercise in futility. Your ISP can really easily see whatever.domain.tld you're going to, along with the IP, and if the IP is not on some CDN serving 1000s or 100s of thousands of sites, it's not difficult to know exactly where you're going, even if using ESNI or ECH.
But what you do end up doing is handing over everywhere you go to whatever DNS service you're forwarding to, be it encrypted or not.
Since going to a website is a specific handshake between the client and the server, support for encrypting what site you actually want via the SNI in the HTTPS handshake will depend on the server you're going to supporting that. It doesn't matter if you encrypt the DNS query or not.
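To make the point above concrete, here is an added example (not part of the original thread or of pfSense) that plays the role of the on-path observer. It builds a minimal TLS ClientHello for a constructed host name, then parses it the way a passive tap on the WAN link would, pulling the `server_name` out of the extension defined in RFC 6066. The record layout follows RFC 8446 section 4.1.2; the random bytes, cipher suite list and host names are constructed for illustration. Nothing in it touches DNS, which is exactly why encrypting the DNS lookup over TLS does not change what this parser recovers.

```python
"""
Added example: what an on-path observer (e.g. an ISP) sees in the TLS
ClientHello regardless of whether the preceding DNS lookup used DoT.
All ClientHello contents below are constructed for illustration.
"""
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000  # server_name extension, RFC 6066 section 3


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS record carrying a ClientHello.

    With a server_name, one SNI extension is included (the normal browser
    behaviour). With None, the extensions block is omitted entirely.
    Random, session id and cipher suite values are placeholders.
    """
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName: name_type host_name (0x00) | 2-byte length | name
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        # ServerNameList: 2-byte list length | entries
        sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_ext_data)) + sni_ext_data
        ext_block = struct.pack("!H", len(extensions)) + extensions
    else:
        ext_block = b""

    body = (
        b"\x03\x03"                           # legacy_version: TLS 1.2
        + bytes(32)                           # random (constructed zeros)
        + b"\x00"                             # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # legacy_compression_methods: null only
        + ext_block
    )
    # Handshake header: type ClientHello (0x01) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (0x16), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Passive observer: return the host_name from a ClientHello record, or None.

    Returns None for anything that is not a TLS handshake record, not a
    ClientHello, or a ClientHello with no server_name extension.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        return None  # not a ClientHello

    pos = 4                  # skip handshake type + 3-byte length
    pos += 2 + 32            # legacy_version + random
    sid_len = hs[pos]
    pos += 1 + sid_len       # legacy_session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len        # cipher_suites
    cm_len = hs[pos]
    pos += 1 + cm_len        # legacy_compression_methods
    if pos + 2 > len(hs):
        return None          # no extensions block at all, so no SNI
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype == SNI_EXTENSION_TYPE and len(data) >= 5:
            # ServerNameList: 2-byte list length, 1-byte name_type, 2-byte name length, name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    # Constructed host name; the observer learns it without ever seeing a DNS query.
    print(extract_sni(build_client_hello("whatever.domain.tld")))
```

The parser only reads the plaintext outer ClientHello. With ECH, a browser puts the real host name inside an encrypted extension and the outer `server_name` carries the provider's public name, which is why that protection has to come from the browser and the destination server rather than from the resolver configuration on the firewall.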