I’ve just conducted a first experiment with DNS over HTTPS and it seems to be working fairly well. Normally this sends you off to somewhere like Cloudflare and is a waste of time. BUT, it seems that Firefox (at least on the Armbian release) has realized folks don’t like that kind of loss of control.
So it has a way to set where you want those “only inside the browser” DNS inquiries to be sent. AND there’s a DNS provider who claims to keep them private while blocking ads.
So I tested it. Seems to work.
This site has the DNS server info, and a tab on configuring FireFox:
When using your Mac or PC (Windows or Linux), all the ads, trackers, malware, Google services, etc. you encounter will be from your browser. The fastest and most efficient way in this case is to configure your browser to use secure DNS. Firefox is privacy-friendly and it has native support for DNS over HTTPS (DoH). This works on any Mac or PC with Firefox:
1. Open Firefox Preferences to access Firefox settings.
2. In the settings search bar, type DNS and search.
3. Click Settings that comes up in the search results.
4. Scroll down in the settings menu to the DNS over HTTPS section. Check the box next to Enable DNS over HTTPS to enable it.
5. Select Custom for the Use Provider option.
6. In the Custom input field, put the DeCloudUs DoH server info provided. Click OK to apply settings.
The “info provided” is obtusely put in a box up near the top of the page where you get to go back and figure that out (when they could have just said “Put THIS here”…) What you paste in is: https://dns.decloudus.com/dns-query
Then there’s another setting to prevent “fallback” to regular DNS should the DoH give no result. I likely didn’t need to do this as my default DNS is already blocking things, but did it anyway.
Note: sometimes Firefox may still show major Google user sites such as “www.google.com” and “www.youtube.com”; however, other Google domains (ads, malware, etc.) will be effectively blocked.
In order to ensure Firefox will not fall back to the default network DNS because some sites are blocked, you have to change a Firefox configuration setting to no fallback:
1. Load about:config in the Firefox address bar.
2. Click to confirm that you will be careful if the warning page is displayed.
3. Search for network.trr.mode and double-click on the name.
4. Set the value to 3 to make DNS over HTTPS the browser’s default DNS resolver with no fallback.
Which is a lot easier than it looks.
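Since the Settings and about:config steps above are really just two Firefox prefs, here is an added example (my own script, not from the post or from DeCloudUs) that writes them into a profile’s user.js so they survive every restart. It assumes you pass in the profile directory yourself and that the provider is the DeCloudUs URL given above; the network.trr.mode meanings in the table are Firefox’s documented ones.

```python
"""Pin Firefox to DoH-only (no fallback) by writing the prefs into a profile's user.js.

Added example, not from the original post or from DeCloudUs. It does what the
about:config steps above do (network.trr.mode = 3) and also sets the provider URL,
as user.js lines that Firefox applies at every start-up. Assumptions: the caller
supplies the profile directory, and the provider is the DeCloudUs URL from the page.
"""
import re
from pathlib import Path

DOH_URL = "https://dns.decloudus.com/dns-query"

# Meaning of network.trr.mode (TRR, "trusted recursive resolver", is Firefox's name for DoH).
TRR_MODES = {
    0: "off: use the operating system resolver",
    2: "DoH first, fall back to the OS resolver if DoH fails",
    3: "DoH only, never fall back (what the post sets)",
    5: "off, explicitly chosen by the user",
}

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def _js_value(value):
    """Render a Python value as a user.js literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def doh_prefs(uri=DOH_URL, mode=3):
    """The prefs to set; rejects mode values Firefox does not document."""
    if mode not in TRR_MODES:
        raise ValueError(f"unsupported network.trr.mode {mode}")
    # custom_uri is what the Settings UI's "Custom" field stores; uri is the one actually used.
    return {"network.trr.mode": mode, "network.trr.uri": uri, "network.trr.custom_uri": uri}


def parse_user_prefs(text):
    """user.js text -> {pref name: raw JS literal}."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def merge_doh_prefs(text, uri=DOH_URL, mode=3):
    """Return user.js text with the DoH prefs set, dropping older lines for the same prefs."""
    new = doh_prefs(uri, mode)
    kept = [ln for ln in text.splitlines()
            if not (_PREF_RE.match(ln) and _PREF_RE.match(ln).group(1) in new)]
    kept.append("// DoH-only resolver, written by merge_doh_prefs(); no fallback to OS DNS")
    kept.extend(f'user_pref("{k}", {_js_value(v)});' for k, v in new.items())
    return "\n".join(kept) + "\n"


def write_doh_prefs(profile_dir, uri=DOH_URL, mode=3):
    """Apply merge_doh_prefs() to <profile_dir>/user.js (Firefox must be closed) and return the prefs."""
    path = Path(profile_dir) / "user.js"
    old = path.read_text() if path.exists() else ""
    path.write_text(merge_doh_prefs(old, uri, mode))
    return parse_user_prefs(path.read_text())


if __name__ == "__main__":
    import sys
    # Usage: python doh_prefs.py ~/.mozilla/firefox/<profile>   (the path is yours to supply)
    for name, value in write_doh_prefs(sys.argv[1]).items():
        if name.startswith("network.trr."):
            print(name, "=", value)
```

Run it with Firefox closed, then restart and open about:networking; the DNS tab has a TRR column that shows whether each cached name came back over DoH. The caveat with mode 3 is the one the post is choosing on purpose: if the DoH provider is down, the browser resolves nothing at all until the pref is changed back, because there is no fallback to the system resolver.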
SO, OK, did that. The test?
First I did a lookup of “hunting bow” on Google. Deliberately telling them “Hey, this guy wants to look at bows!” and clicked on a “pick a good bow” link:
Then I went to Field and Stream and launched an article about bows.
Where you would expect to see Amazon pushing a bow at me, I had:
as a space marker…
So next I relaunched a Field and Stream top level URL. Again got “ADVERTISEMENT” text, but no ads.
Launching several other, usually ad-ridden sites, there was a noticeable lack of ads.
Note that the direct Google Search page will still put up their ad links in the top of the search results (as they control that). Clicking on them gave me a “can’t get there from here” about the google ad sites (though I can’t say for sure if it was the browser or my regular DNS blocking preventing that from working – all I can really say is my Squid Server said “Can’t get there from here”. That needs more testing.)
So, overall, I’m pretty impressed. I do need to do more testing away from my infrastructure of protection. But at a first glance, it seems to be working. It is certainly very easy to set up.
I’m a little more partial to Chromium for videos, but the occasional ad sneaks through (Embedded in the video I think, maybe. Some popup boxes at the bottom are just wireframe as the DNS ad block has caught them, others get text so PiHole doesn’t know to block them yet.) But so far Chromium does not let you set the DoH server value. This may start being an issue once that “upgrade” hits my computer OS level…
For now, the newer Firefox does have DoH, and it is nice to know that I have a choice of either pointing it at “OFF” and using my PiHole DNS protection, or this other option of public blocking DNS. Nice that.
Unfortunately, my Tablet is now old enough that updates / upgrades are scarce, so unlikely I can get a new enough Firefox for it to test away from home. (Probably about time to dust off those old “how to install Linux” on it directions…)
If anyone without a home DNS can do a few tests of this, it would be nice to have some confirmation that it really really is doing what it seems to be doing, blocking ads and not letting info about DNS queries leak.
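One way to do that test without depending on a home PiHole or Squid being in the path: ask the DoH server directly, from any machine, and look at the raw answer. The script below is an added example (mine, not from the post or from DeCloudUs). It speaks RFC 8484 to the DeCloudUs URL given above (a POST of a DNS wire-format message with content type application/dns-message), then reports whether each name resolved normally, was “sinkholed” to a dummy address, or came back NXDOMAIN, which is how you tell blocking from a broken resolver. The sinkhole address list and the two sample hostnames are my assumptions; the parser itself works offline on bytes, so it can be checked without network access.

```python
"""Check what a DNS-over-HTTPS resolver answers for a name, outside the browser.

Added example, not from the original post or from DeCloudUs. Speaks RFC 8484 (POST,
application/dns-message) to the DeCloudUs URL from the page. Assumptions: the sinkhole
addresses are the usual ones blocking resolvers hand back (DeCloudUs may use another,
or NXDOMAIN), and the sample names in __main__ are my own choices.
"""
import base64
import socket
import struct
import sys
import urllib.request

DOH_URL = "https://dns.decloudus.com/dns-query"
QTYPE_A, QTYPE_AAAA = 1, 28
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # assumption, see docstring


def build_query(name, qtype=QTYPE_A):
    """DNS wire-format query; RFC 8484 suggests transaction ID 0 for cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name, url=DOH_URL, qtype=QTYPE_A):
    """The GET form: ?dns=<base64url query, no padding>, handy for curl."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{url}?dns={b64}"


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            hops += 1
            if hops > 16:  # refuse pointer loops from a hostile reply
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data):
    """Return {'rcode': int, 'answers': [address strings]} for A/AAAA records."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0xF, "answers": answers}


def classify(parsed):
    """Map a parsed answer to what an ad-blocking resolver is doing with the name."""
    if parsed["rcode"] == 3:
        return "nxdomain"     # blocked by saying the name does not exist
    if parsed["rcode"] != 0:
        return "error rcode=%d" % parsed["rcode"]
    if not parsed["answers"]:
        return "nodata"       # e.g. CNAME-only, or blocked with an empty answer
    if all(a in SINKHOLE_ADDRS for a in parsed["answers"]):
        return "sinkholed"    # blocked by pointing at a dummy address
    return "resolves"


def check_name(name, url=DOH_URL, qtype=QTYPE_A):
    """POST the query to the DoH endpoint and classify the reply (needs network)."""
    req = urllib.request.Request(url, data=build_query(name, qtype), headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify(parse_response(resp.read()))


if __name__ == "__main__":
    # Sample names are my own choice: one the page says may still resolve, one ad host.
    names = sys.argv[1:] or ["www.google.com", "pagead2.googlesyndication.com"]
    for n in names:
        print(f"{n:40s} {check_name(n)}")
```

Run it from a laptop on someone else’s network and compare against a normal resolver (swap DOH_URL for another DoH provider) to see which names DeCloudUs is dropping. Whether the queries “leak” is a separate question this script cannot answer from the client side: the TLS connection goes only to the DoH host, so the people who can see the query are DeCloudUs and anyone who can see the HTTPS destination address.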
Until then, I’m kind of enjoying the idea that I’ve bifurcated my DNS traffic with this part of it hidden from my Telco ;-) While I ought to have an encrypted DNS for the upstream from my PiHole build, I don’t know that I’ve done that. It was a long while ago… So next on my list of “Things To Do in DNS Land” is check on what it takes to set or confirm it has encrypted upstream too …
But doing this in the browser was way easier than setting up your own ad blocking DNS servers…