Pihole + doh cloudflared + esni?

is it possible to use esni cloudflare with pihole?

From my reading of the ESNI protocol, this is a function provided by a browser, and is completely separate from Pi-Hole.

Request from client > Pi-Hole > Cloudflared > Pi-Hole > client, then IP address from client (browser) to the internet and this is where the SNI is implemented.

https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/


I have set esni enable and network.trr.mode 5 in about:config in Firefox Beta, and the test at https://www.cloudflare.com/ssl/encrypted-sni/ for ESNI is negative.
I’ve read that the TRR mode setting of 2 can cause a Pi-hole bypass.
Ideas?

Depending on which TRR mode you select, Firefox may bypass Pi-Hole. Pi-Hole is not acting as a DoH server to the browser, so if you select a DoH mode in Firefox then Pi-Hole won’t see the DNS traffic. Setting this to 5 turns off that feature and sends the DNS traffic to Pi-Hole.

https://wiki.mozilla.org/Trusted_Recursive_Resolver

Ok. So what should I do to pass the test on encryptedsni.com?

I don’t know. We are a Pi-Hole forum and this isn’t a Pi-Hole issue. I would look in the Firefox forums.

Ok. thx ;-)

Well that’s not quite correct. FF could be configured to use a custom DoH server and if Pi-Hole would provide a DoH compliant (http based) API for DoH client requests we could have ESNI and Pi-Hole.

So far I have not found an open issue requesting that feature in the main repo.


I have opened an issue in the repo and I was told to use Discourse :)
I cannot find a thread about implementing DoH. Could we not use this one?

DoH is for browsers’ HTTPS.
DoT for all DNS, including browsers.

DoT is supported by Unbound.

https://en.m.wikipedia.org/wiki/DNS_over_TLS

So you suggest that I use DOT for the communication between my devices and pi-hole?
I see that the community is split on this, but they are inclined more into DoH (for example Mozilla and cloudflare). I also see that, if I use DoT, “the name of the websites that you visit will still be visible in the SNI of your HTTPS traffic, allowing your ISP (and any other intermediary) to view it.”

This is not a thread about DoH or DoT, though. Let’s please stick to what @m451 mentioned: "if Pi-Hole would provide a DoH compliant (http based) API for DoH client requests we could have ESNI and Pi-Hole"

If you would like to request a new feature, then open a new thread in Feature Requests as that is where things are tracked. Discussion in this thread is fine but won’t be seen as a request and instead just general discussion.

As for communication between clients and Pi-hole, there really is no need to encrypt things as all communication should take place on local network segments or over VPNs. If you are talking about an open Pi-hole instance that is available to the general public and not secured, well, we don’t support those and there will be no involvement of developers in that kind of discussion.

@DanSchaper Ok, so from local machines there is no need for encryption, I get it. I am also using OpenVPN when I am away from my house, so you are right, we should be covered. Can Pi-hole provide eSNI (the public key of a server I want to connect to), or does Pi-hole not deal with public keys at all on a DNS level?

Well, the DNS record is just a TXT record, or might be a new resource type, the whole thing is in draft stage and not in general practice.

I guess there’s a couple of things here:

  1. eSNI is not dependent upon DoH, it works with DoT as well.
  2. eSNI is really only being used by CloudFlare right now, and that’s likely to remain the case until the draft is finalized and ratified.
  3. If you trust CF with knowing your site visitation habits, then just use CloudFlared and DoH.

It’s a good thing in concept, since SNI leaks, but eSNI isn’t done yet and probably won’t be for a long time. Once it’s more stable it becomes easier to devote our limited time to, but while it’s still a moving target and there are other options for users, it’s a really low priority.

In the end, to quote CloudFlare:

If I pass all four tests, am I secure no matter which site I browse?

Not necessarily. Even if you pass all four tests, the domain you are visiting also needs to support these technologies. If the domain you visit doesn’t support DNSSEC, TLS 1.3, and Encrypted SNI, you are still potentially vulnerable, even if your browser supports these technologies.
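As an added example (not code from this thread or from the Pi-hole project), a small Python check covering two points raised above: whether a client’s lookups actually reach Pi-hole (a Firefox in a DoH-only TRR mode never shows up in the dnsmasq log, because its queries go over HTTPS to the DoH resolver) and which lookups for the draft ESNI TXT record Pi-hole has seen. The log lines are constructed in dnsmasq/pihole.log format, and the `_esni.` label is assumed from the draft, not stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq/Pi-hole log format (pihole.log style); not taken
# from the thread. 192.168.1.50 is a client whose lookups go through Pi-hole.
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[712]: query[A] www.cloudflare.com from 192.168.1.50
Jan 10 12:00:01 dnsmasq[712]: forwarded www.cloudflare.com to 127.0.0.1#5053
Jan 10 12:00:01 dnsmasq[712]: reply www.cloudflare.com is 203.0.113.10
Jan 10 12:00:02 dnsmasq[712]: query[TXT] _esni.www.cloudflare.com from 192.168.1.50
Jan 10 12:00:05 dnsmasq[712]: query[AAAA] example.org from 192.168.1.50
Jan 10 12:01:10 dnsmasq[712]: query[A] pi.hole from 192.168.1.20
"""

# One dnsmasq query line looks like: "query[A] <name> from <client>".
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

def queries_per_client(log_text):
    """Map each client IP to the list of (qtype, name) it asked Pi-hole for."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            seen[m["client"]].append((m["qtype"], m["name"]))
    return dict(seen)

def clients_bypassing(log_text, expected_clients):
    """Clients expected to resolve via Pi-hole that never appear in its log.

    A browser running in a DoH-only TRR mode lands here: its lookups travel
    over HTTPS straight to the DoH resolver, so dnsmasq never logs them.
    """
    seen = queries_per_client(log_text)
    return sorted(c for c in expected_clients if c not in seen)

def esni_lookups(log_text):
    """Names for which a client fetched the draft ESNI key record.

    The draft publishes ESNIKeys in a TXT record under the "_esni." label
    (assumption about the draft format, not something the thread states).
    """
    return sorted(
        name[len("_esni."):]
        for queries in queries_per_client(log_text).values()
        for qtype, name in queries
        if qtype == "TXT" and name.startswith("_esni.")
    )
```

Run it against a real /var/log/pihole.log with the browser’s IP in `expected_clients`; a client listed by `clients_bypassing` is resolving somewhere Pi-hole cannot see.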


This is pretty good analysis, thank you for that. Ok, I will be using cloudflared. Hopefully it will become a standard soon. Enjoy your day!