Not affiliated with Waterfox at all, but I am a user, and this seems like great news for me.

  • @[email protected]
    2 years ago

    Sidetrack: I really wish OS vendors would support DNS over TLS (and maybe DoH, I just prefer the former).

    I understand that on a LAN the router is typically acting as the DNS server but I don’t see why the OS couldn’t be smart enough to automatically detect DNS over TLS on the standard port when overriding the DNS settings manually.

      • @[email protected]
        2 years ago

        I can’t speak to Android but all of those require running some DNS recursive resolver locally then pointing the OS resolver to it. While I do that already, it doesn’t really address the issue I’m getting at: the OS doesn’t natively support it.

        On macOS/iOS I use a .mobileconfig file to point to my Dockerized DNS over TLS resolver in the cloud and it works great, but why do I need to do that rather than use the “normal” DNS preferences? Command line tools still revert to the DHCP DNS server so on macOS I run unbound to take care of that.

        For Linux, I’m mainly running a Raspberry Pi on Alpine Linux with unbound as well; it works great for DHCP clients that get pointed to it but (especially if this were some company LAN) all the DNS queries are still going over the LAN unencrypted.

        • Skull giver
          2 years ago

          Microsoft put DNS over TLS in Windows 11 a bit over a year ago. This is how you enable it:

          netsh dns add global dot=yes
          netsh dns add encryption server= dothost=: autoupgrade=yes
          ipconfig /flushdns

          The GUI for the DNS settings only offers a field for DoH, though. Personally, I think that’s actually the superior option if it’s used with ODoH, but DoT is still built in just in case.

          On Linux, systemd supports it if you enable it in /etc/systemd/resolved.conf like this:

          [Resolve]
          DNS=1.1.1.1 1.0.0.1
          FallbackDNS=8.8.8.8 8.8.4.4
          Domains=~.
          #LLMNR=no
          #MulticastDNS=no
          DNSSEC=yes
          DNSOverTLS=yes
          #Cache=yes
          #DNSStubListener=yes
          #ReadEtcHosts=yes

          Android will try to use a secure DNS server if it can find one by default, but will use the DNS server you provide in the setting (Settings > Network and Internet > Private DNS).

          Between Windows, Android, and Linux supporting DoT, I think it’s not all that bad. I don’t own anything remotely recent from Apple so I can’t tell you how macOS and iOS deal with DoT, but it seems to me like the rest of the operating systems all come with native DoT implementations.

          As for your RPi: you can configure your DNS server to both provide DoT+DoH with a Let’s Encrypt certificate (use DNS authentication if you don’t want to forward any port) and encrypted upstream requests if you configure the right upstream sources. My PiHole only communicates with encrypted DNS servers through both DoT and DoH and I don’t care enough to encrypt local traffic (but I could just enable it if I wanted to).
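          Whichever OS-level switch from the comments above is used, the thing worth verifying afterwards is that queries really leave over TLS on port 853 and that the resolver's certificate is validated rather than silently falling back to plaintext. The following minimal strict-mode DoT client is an added example, not code from this thread or from any of the projects mentioned; `1.1.1.1` is the address quoted above, while the SNI name `cloudflare-dns.com` is my assumption about the hostname on that resolver's certificate.

```python
import socket, ssl, struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """DNS A query for name, framed with the 2-byte length prefix DoT inherits from DNS over TCP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name, handling compression pointers (top two bits set)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg: bytes) -> tuple[int, list[str]]:
    """(rcode, IPv4 answers) from an unframed DNS response; non-A answers are skipped."""
    _qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def query_dot(name: str, server: str, sni: str, port: int = 853) -> tuple[int, list[str]]:
    """Strict DoT: fails closed unless the server's chain validates for sni; never falls back to port 53."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on by default
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_query(name))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_a_records(_recv_exact(tls, length))

if __name__ == "__main__":  # SNI hostname below is an assumption, not taken from the thread
    print(query_dot("example.com", "1.1.1.1", "cloudflare-dns.com"))
```

          A wrong SNI name or an untrusted certificate makes `wrap_socket` raise instead of returning answers, which is exactly the downgrade behaviour an opportunistic DoT mode would hide.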

  • Lunch
    2 years ago

    This sounds good! Although not a Waterfox user, are there any other good reasons to try it out over hardened Firefox?

    • Reversed Cookie
      2 years ago

      Hardened Firefox has better privacy protections, while Waterfox is more like a browser focused on customization, design, performance and privacy without a lot of breakage. So it’s a good browser for “normal” people, but if you want something more secure, try something like LibreWolf.

      • UnfortunateShort
        2 years ago

        There is also Mercury, which claims to combine quite a lot of the nice stuff from different FF forks. I personally stick to the original, but it might be worth checking out.

        • Reversed Cookie
          2 years ago

          Thank you for sharing! I checked it out. It’s basically a random mix of a bunch of different Firefox forks. I wouldn’t recommend it for normal users or people who want the best privacy they can get with Firefox; it is better than vanilla Firefox, I guess, but I don’t see any real sense in using it.