DNS-over-HTTPS and encrypted SNI

2019-06-24 - News - Tony Finch

Recent versions of Firefox make it easier to set up encrypted DNS-over-HTTPS. If you use Firefox on a fixed desktop, go to Preferences -> General -> scroll to Network Settings at the bottom -> Enable DNS over HTTPS, Custom: https://rec.dns.cam.ac.uk/. (Our DNS servers are only reachable from the CUDN, so this setting isn't suitable for mobile devices.)
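To make concrete what the browser sends once DNS-over-HTTPS is enabled, here is an added example (not from this page or the CUDN service) that builds a wire-format query, turns it into the RFC 8484 GET form against the resolver URL above, and decodes a constructed response. The `?dns=` GET form and the sample answer are assumptions for illustration, not statements about rec.dns.cam.ac.uk; on the wire an observer sees only a TLS connection to the resolver, never the query itself.

```python
import base64
import struct

# Resolver URL from the page; the RFC 8484 "?dns=" GET form is this example's assumption.
DOH_URL = "https://rec.dns.cam.ac.uk/"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035): header + one question, RD set, ID 0 per RFC 8484."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(query: bytes) -> str:
    """GET form: the query is base64url-encoded without '=' padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return DOH_URL + "?dns=" + encoded

def skip_name(buf: bytes, pos: int) -> int:
    """Advance past a domain name; a 2-byte compression pointer ends the name."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_a_answers(resp: bytes) -> list:
    """IPv4 addresses from the answer section of a wire-format response."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed response (not real data): www.cam.ac.uk A -> 192.0.2.10 (TEST-NET-1 address)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x03cam\x02ac\x02uk\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
```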

Very recent versions of Firefox also support encrypted Server Name Indication (ESNI). When connecting to a web server the browser needs to tell the web server which site it is looking for. HTTPS does this using Server Name Indication (SNI), which, unlike the rest of the connection, is normally sent in cleartext. ESNI fixes this privacy leak.

To enable ESNI, go to about:config and verify that network.security.esni.enabled is true.