ECH (encrypted client hello) is going or get enabled by default (already existed in a hidden setting) with version 118.
This page about the version explains a bit better ECH https://support.mozilla.org/fr/kb/understand-encrypted-client-hello
Tho it is still a bit confusing.
From what I understand there is the DNS query > the dns servers sends back an IP. This DNS query can be encrypted with DoH (or DoT?, it seems only DoH from the post).
Then there is a handshake with the website where the website informations can be leaked, and that can be encrypted by ECH (if the website supports it).
Then after that there is a tls connexion established between the website and the user.
The part where I’m confused is : can ECH be used without DoH? If yes that would mean that I can use a DoH capable software and not have to configure it into Firefox? (ex: Nextdns + yogadns)
Seems like it’s only DoH. Which is kinda lame in a situation like mine where I’m running a DoH proxy (cloudflared), using a PiHole behind that, and pointing my LAN clients at the PiHole using unencrypted DNS. So everything leaving my network is DoH but it’s not done directly in the browser, so I can’t take advantage of ECH.
Probably because DNS is unencrypted and would allow tampering of the key needed for ECH to work
PiHole doesn’t support DoH? I mean as a server? Is there a feature request open for that?
You mean, you’re running a DoT proxy?
No, DoH (DNS-over-HTTPS). I’d also previously set up a DoT proxy for use on my phone (since Android only supports DoT) but I decided to do something else for that.
TIL about cloudflared being a DoH proxy. Nice, will be looking into this later…
It works well, and it’s easy to set up. Previously I had used dnscrypt-proxy since it supports DoH as well.