Want to evade censorship and protect your privacy? A rough and dirty guide to the DOH system

Internet Freedom Foundation
Digital Rights Dispatches
4 min read · Feb 20, 2019

We don’t really like our ISPs, and with good reason: bad network speeds, incorrect billing and, much more recently, a growing number of blocked websites. We wrote this guide to show how you can stop your telecom operator from snooping on your browsing habits. While this may get a bit technical, bear with us. It is worth a read.

Understanding how ISPs keep a watch over your browsing habits requires some knowledge of how Domain Name System (DNS) servers work. DNS services are the phone books of the Internet: they provide the actual Internet Protocol (IP) network address associated with the host and domain names of websites and other Internet services.

Going beyond VPNs

The most obvious way to dodge monitoring is by using a virtual private network (VPN). But while a VPN may conceal the contents of your internet traffic, connecting to it is preceded by a DNS request for the VPN server’s name. Recently there have been reports that Indian ISPs like Jio block DNS-level access to VPN services altogether, preventing users from connecting to them.

That’s where encrypted DNS protocols such as DNS Queries over HTTPS (DoH) come in. DoH lets your browser send its DNS queries inside an encrypted HTTPS connection to the resolver. So, for instance, if you wanted to visit www.streamable.com, your ISP would no longer be able to read the requests your browser made to your DNS service provider.
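To make the difference concrete, here is an added example (not part of the original post) that builds a DNS query for www.streamable.com in the RFC 1035 wire format a plaintext UDP resolver would receive, wraps that same message the way an RFC 8484 DoH client does for an HTTPS GET, and parses a constructed sample response. The query bytes, the response bytes and the resolver path `/dns-query` are sample values assumed here; nothing is sent over the network. The point it shows is that DoH does not change the DNS message at all, only the transport: a passive observer of port 53 can read the queried name straight out of the packet, whereas the DoH version travels inside TLS.

```python
"""Added example (not from the original post): the same DNS message in
plaintext wire format and in the RFC 8484 DoH GET encoding. Runs offline;
all bytes below are constructed samples."""
import base64
import struct


def build_dns_query(name: str, txid: int = 0) -> bytes:
    """Encode a standard A-record query in RFC 1035 wire format.
    RFC 8484 recommends transaction ID 0 for DoH so HTTP caches can reuse answers."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: base64url without '=' padding, in the 'dns' parameter.
    This string is only ever seen inside the TLS session to the resolver."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={enc}"


def parse_qname(msg: bytes, offset: int = 12):
    """Read the question name from a DNS message. This is exactly what an
    on-path observer of plaintext UDP/53 traffic recovers."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_first_a_record(msg: bytes) -> str:
    """Return the first A record of a response; handles the common 0xC00C
    compression pointer back to the question name, nothing more elaborate."""
    _, off = parse_qname(msg)
    off += 4  # skip QTYPE + QCLASS
    ancount = struct.unpack(">H", msg[6:8])[0]
    for _ in range(ancount):
        if msg[off] & 0xC0 == 0xC0:
            off += 2  # compression pointer
        else:
            _, off = parse_qname(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in rdata)
    raise ValueError("no A record in response")


# Constructed sample response: QR=1, RD=1, RA=1, one A record 192.0.2.10 (TEST-NET-1).
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_dns_query("www.streamable.com")[12:]        # echo of the question
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)  # name ptr, A, IN, TTL, RDLEN
    + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_dns_query("www.streamable.com")
    print("plaintext DNS exposes:", parse_qname(q)[0])
    print("DoH GET request line :", doh_get_path(q))
    print("answer               :", parse_first_a_record(SAMPLE_RESPONSE))
```

Run it and compare the two outputs: the name is trivially readable from the raw query, while the DoH form is just an HTTPS request to the resolver that the ISP sees only as encrypted traffic to that server.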

The Server Name Indication (SNI) extension lets a server host multiple encrypted websites on a single IP address by having the browser name the site it wants in the first, unencrypted message of the TLS handshake. SNI therefore leaks every site you visit to your ISP or anyone listening in between, even when the DNS lookup was encrypted. This is where Encrypted SNI (ESNI) comes in.

Setting up the DOH system

Cloudflare, one of the largest networks in the world, teamed up with teams from bigwigs like Apple and Mozilla to launch support for ESNI in 2018, and Mozilla shipped support for the ESNI extension in Firefox shortly after. Mozilla Firefox comes with two privacy-oriented features: DoH, and TRR (Trusted Recursive Resolver), an optional resolver mechanism that sends queries to a dedicated DoH server.

To set up Mozilla Firefox to utilise DoH, TRR and ESNI, follow these instructions:

  1. Download the latest version of Mozilla Firefox: https://www.mozilla.org/en-US/firefox/
  2. Navigate to about:config using the address bar in Firefox. You will see a warning page; click “I accept the risk!”.
  3. Start typing network.security.esni.enabled in the search box. Once it shows up, double-click it to change its value to true.
  4. Start typing network.trr.mode in the search box and change its value to 2. This makes DoH the browser’s first choice but falls back to unencrypted DNS where an encrypted lookup isn’t possible.
  5. Test your connection to check that it’s fully encrypted.

ESNI is still in its nascent stage and it will be a while before it becomes mainstream. It is a step in the right direction though, and hopefully, with the right changes in policy, we won’t have to jump through so many hoops to protect our privacy.

We wrote up this short and dirty guide after it sprang from a chat over at the IFF Community Slack. We hope this helps everyday internet users in India. This guide describes just one way to evade censorship and protect privacy online, and others exist, so this is not a product endorsement; it is just a guide to help out others. Make your own judgements and please do look around before using this system. Also, for things to substantially improve we really do need our net neutrality laws to start being effectively enforced in India.

Authored by Varun Chopra and Jaskaran Veer Singh


We are the Internet Freedom Foundation (IFF). From the people behind #SaveTheInternet. Defending net neutrality, freedom, privacy and innovation in India.