Does Technitium support Encrypted Client Hello (ECH) for resolving DNS lookups?

[victor-marino]

Hi!

I'm using my Raspberry as an HTTP proxy for the devices in my LAN by running Privoxy on it.

The proxy works fine. However, because DNS resolutions are now performed by the system-wide Pi resolver (rather than Firefox/Chrome), they no longer stay encrypted with ECH towards Cloudflare servers. As a result, my ISP can now see my DNS requests again, block certain pages, etc.

Can I use Technitium to solve this issue?

I have installed it on my Raspberry and enabled the settings that looked relevant (DNS over HTTPS, etc.). But DNS requests sill seem to get leaked to my ISP, as blacklisted websites are still getting blocked when using the Pi as an HTTP proxy.

If Technitium doesn't yet support ECH, is there any other way I could solve this issue?

Thanks!

[ShreyasZare]

Thanks for the post. ECH is a feature that works between the web browser and the web server, so your local DNS is not really in the picture.

ECH feature works only when the web browser is configured to use DNS-over-HTTPS (DoH) since its required by ECS that the client uses encrypted DNS protocol to ensure that the DNS requests are secure. When you remove DoH config from web browser, it cannot know that your DNS requests are secure anymore and thus it wont attempt to connect with ECH at all.

The only solution for this is to enable DoH with your web browser. You can configure Technitium DNS Server to enable DoH service and use that with your web browser but, you will need a domain name and have to configure SSL cert for the DoH service.

[victor-marino]

Thanks, an excuse my ignorance about this.

When you remove DoH config from web browser, it cannot know that your DNS requests are secure anymore and thus it wont attempt to connect with ECH at all.

So when I set Firefox to use an HTTP proxy (instead of a direct connection), I'm implicitly disabling DoH as well?

The only solution for this is to enable DoH with your web browser.

As far as I know it is enabled, and it works well when NOT using an HTTP proxy. But from your response, I understand in order to not break this chain when using a proxy, I would now need to establish "trust" between my web browser and the proxy, right? That's why I would need my raspberry to have a real domain name and an SSL certificate attached to it, which my browser would check to confirm authenticity.

Am I getting it right?

[ShreyasZare]

Thanks, an excuse my ignorance about this.

ECS is very new tech so I guess not everyone has much experience with it including me.

So when I set Firefox to use an HTTP proxy (instead of a direct connection), I'm implicitly disabling DoH as well?

I am not really sure about proxy and DoH interaction with Firefox. Although, it would be better if you use SOCKS5 proxy and then keep the "Proxy DNS when using SOCKS v5" unchecked and see if it uses DoH.

As far as I know it is enabled, and it works well when NOT using an HTTP proxy. But from your response, I understand in order to not break this chain when using a proxy, I would now need to establish "trust" between my web browser and the proxy, right?

Ya, this is since when using a proxy, the domain name is not resolved by the web browser but is sent as-is to the proxy. So, the browser is not really resolving the domain name and is delegating that task to the proxy server itself. In that case, it wont use ECH at all.

I am not sure if using SOCKS5 with the above mentioned option unchecked will make the browser use DoH though. Only testing it once will make it clear. You can try that option with public DoH server and see if your requests are being sent over DoH using something like Wireshark.

That's why I would need my raspberry to have a real domain name and an SSL certificate attached to it, which my browser would check to confirm authenticity.

With a domain name and SSL config setup, you can run DoH and use it with web browser to enable ECH. But again, it may not work when using proxy and only some testing will ensure if it works with SOCKS5.

[ShreyasZare]

I just tested SOCKS5 with "Proxy DNS when using SOCKS v5" option unchecked and DoH enabled. Firefox is using DoH and then using SOCKS5 proxy to connect. So ECH should technically work with this config. Do test with your setup.

[victor-marino]

Thanks so much!

I'm currently using Privoxy as proxy, which I believe only supports HTTP/HTTPS and not SOCKS. I'll do some research and see if I can find any tools that can create a SOCKS proxy instead so I can give this a try.

You don't happen to know of any such tools, do you? (I haven't done a thorough search just yet)

[ShreyasZare]

You don't happen to know of any such tools, do you? (I haven't done a thorough search just yet)

Not aware of any such tool. Try asking the author of Privoxy to add SOCKS5 support. Or find any SOCKS5 proxy that chains to another HTTP proxy.