Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

Support ECH or ESNI in 128.2.0esr

  • 1 trả lời
  • 0 gặp vấn đề này
  • Trả lời mới nhất được viết bởi Valentin

more options

Hello,

I installed Firefox 128.2.0esr. I set the next parameters in GPO for settings DNSOverHTTPS: "DNSOverHTTPS": {

                      "Enabled":  true,

"ProviderURL": "https://safe.dot.dns.yandex.net/dns-query", "Locked": true, "Fallback": true }. But when checking via https://www.cloudflare.com/ru-ru/ssl/encrypted-sni/#results I get (screenshot in attachment). As you can see from the screenshot, DNS and SNI did not receive the coveted check marks. Secure DNS We weren’t able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS. DNSSEC Attackers cannot trick you into visiting a fake website by manipulating DNS responses for domains that are outside their control. TLS 1.3 Nobody snooping on the wire can see the certificate of the website you made a TLS connection to. Secure SNI Anybody listening on the wire can see the exact website you made a TLS connection to.

In my browser / about:config: network.trr.mode = 2 network.trr.uri = https://safe.dot.dns.yandex.net/dns-query

In 128.2.0esr there is no protection against ESNI interceptions and ECH is enabled by default? Or is the problem that the DNS provider does not support the technology from Mozilla? Or what other settings we need use (via GPO)?

Thank you.

Hello, I installed Firefox 128.2.0esr. I set the next parameters in GPO for settings DNSOverHTTPS: "DNSOverHTTPS": { "Enabled": true, "ProviderURL": "https://safe.dot.dns.yandex.net/dns-query", "Locked": true, "Fallback": true }. But when checking via https://www.cloudflare.com/ru-ru/ssl/encrypted-sni/#results I get (screenshot in attachment). As you can see from the screenshot, DNS and SNI did not receive the coveted check marks. '''Secure DNS''' We weren’t able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS. '''DNSSEC''' Attackers cannot trick you into visiting a fake website by manipulating DNS responses for domains that are outside their control. '''TLS 1.3''' Nobody snooping on the wire can see the certificate of the website you made a TLS connection to. '''Secure SNI''' Anybody listening on the wire can see the exact website you made a TLS connection to. In my browser / about:config: network.trr.mode = 2 network.trr.uri = https://safe.dot.dns.yandex.net/dns-query In 128.2.0esr there is no protection against ESNI interceptions and ECH is enabled by default? Or is the problem that the DNS provider does not support the technology from Mozilla? Or what other settings we need use (via GPO)? Thank you.
Đính kèm ảnh chụp màn hình

Được chỉnh sửa bởi NoahSUMO vào

Tất cả các câu trả lời (1)

more options

> Secure DNS We weren’t able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS.

That just means you aren't using cloudflare's own DNS resolver over an encrypted connection. I get the same when using https://dns.google/dns-query as the DoH provider. The problem is that cloudflare can't know whether the connection between you and the recursive resolver is encrypted or not. I think this is expected behaviour.

> Anybody listening on the wire can see the exact website you made a TLS connection to.

It seems https://safe.dot.dns.yandex.net/dns-query doesn't return the correct ECH configs. Try using a different provider maybe?

Hữu ích?

Đặt một câu hỏi

Bạn phải đăng nhập vào tài khoản của bạn để trả lời bài viết. Vui lòng bắt đầu một câu hỏi mới, nếu bạn chưa có tài khoản.