Before applying these instructions, I encourage you to read the thread in full because there are some observations and comments that are valuable, and as a result these instructions have changed several times. In particular, you do not need to install stubby if you only want the browser protected. I've also added a new section at the end for those of us who use VPNs.

Moderator Warning wrote:
Kadaitcha Man's tutorial can only be applied successfully on Firefox ESR up to and including version 78.x.
ESNI support has been dropped from Firefox 85.0 and above.
As a consequence, there is no use in trying to follow this tutorial on Firefox ESR 91.x and above.
The standard Firefox has broken security: Encrypted SNI (ESNI) is completely broken, and the developers won't fix it based on Mozilla's vapourware implementation of Encrypted Client Hello (ECH). ESNI, Secure DNS, TLS 1.3 and DNSSEC are essential online privacy tools. Now, the only browser to support all four security and privacy techniques is Firefox ESR.
In this tutorial, I will show you how to install Firefox ESR, a stub resolver to provide DNSSEC, and the simple steps needed to configure them and your network connection.
First, install Firefox ESR if you don't already use it, and the DNSSEC stub:
sudo add-apt-repository -y ppa:mozillateam/ppa
sudo add-apt-repository -y ppa:ubuntu-mozilla-security/ppa
sudo apt update
sudo apt install firefox-esr stubby
Next, configure stubby:

xed admin:///etc/stubby/stubby.yml

Find the commented-out Cloudflare upstream block, which looks like this:

## Cloudflare 1.1.1.1 and 1.0.0.1
#  - address_data: 1.1.1.1
#    tls_auth_name: "cloudflare-dns.com"
#  - address_data: 1.0.0.1
#    tls_auth_name: "cloudflare-dns.com"

and uncomment the four server lines (keep the indentation, it is what makes the YAML valid) so the block reads:

# Cloudflare 1.1.1.1 and 1.0.0.1
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
Save the file and restart stubby:

sudo systemctl restart stubby

Check everything is ok with:

sudo systemctl status stubby

The output should look like this:
● stubby.service - DNS Privacy Stub Resolver
Loaded: loaded (/lib/systemd/system/stubby.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-03-05 14:21:34 AEDT; 28min ago
Docs: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
Main PID: 1662 (stubby)
Tasks: 1 (limit: 38347)
Memory: 21.6M
CGroup: /system.slice/stubby.service
└─1662 /usr/bin/stubby
Mar 05 14:21:34 akhenaten systemd[1]: Started DNS Privacy Stub Resolver.
Mar 05 14:21:34 akhenaten stubby[1662]: [03:21:34.489871] STUBBY: Read config from file /etc/stubby/stubby.yml
Mar 05 14:21:34 akhenaten stubby[1662]: [03:21:34.490195] STUBBY: DNSSEC Validation is OFF
Mar 05 14:21:34 akhenaten stubby[1662]: [03:21:34.490200] STUBBY: Transport list is:
Mar 05 14:21:34 akhenaten stubby[1662]: [03:21:34.490201] STUBBY: - TLS
Mar 05 14:21:34 akhenaten stubby[1662]: [03:21:34.490203] STUBBY: Privacy Usage Profile is Strict (Authentication required)
Mar 05 14:21:34 akhenaten stubby[1662]: [03:21:34.490204] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
Mar 05 14:21:34 akhenaten stubby[1662]: [03:21:34.490205] STUBBY: Starting DAEMON....
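The status output above is worth checking mechanically rather than by eye. The script below is an added example, not part of the original tutorial: a set of shell functions that verify what the log lines imply (every active upstream has a tls_auth_name and authentication is required, TLS is the only transport so the Strict profile actually applies, and the system resolver points only at loopback so queries cannot bypass stubby), plus a flag for the "DNSSEC Validation is OFF" line and a parser for dig output that reports whether an answer carried the ad (authenticated data) flag. The stubby.yml key names (tls_authentication, dns_transport_list, dnssec_return_status) are assumed to match the shipped configuration file; the live query helper assumes dig from dnsutils is installed and needs network, so the offline checks do not call it. The upstream check counts every uncommented address_data entry, so any other servers left active in the file are checked as well.

```shell
#!/bin/sh
# Added verification helpers for the stubby setup above (not part of the
# original tutorial). Each function returns 0 when the check passes and
# non-zero otherwise, so they can be chained; see check_all at the bottom.

# Uncommented lines of a YAML file (sufficient for the flat stubby.yml layout).
active_lines() { grep -vE '^[[:space:]]*#' "$1"; }

# 1. Every upstream (address_data) must carry a tls_auth_name, and the file
#    must require authentication: that is what makes the "Strict" profile in
#    the log meaningful. Key names are assumed to match the shipped stubby.yml.
stubby_upstreams_authenticated() {   # $1 = stubby.yml
    cfg=$(active_lines "$1")
    addrs=$(printf '%s\n' "$cfg" | grep -c 'address_data:')
    names=$(printf '%s\n' "$cfg" | grep -c 'tls_auth_name:')
    [ "$addrs" -gt 0 ] && [ "$addrs" -eq "$names" ] &&
        printf '%s\n' "$cfg" | grep -q 'tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED'
}

# 2. The log warns that Strict only applies when TLS is the ONLY transport,
#    so reject a transport list that also names UDP or TCP.
stubby_tls_only() {                  # $1 = stubby.yml
    cfg=$(active_lines "$1")
    printf '%s\n' "$cfg" | grep -q 'GETDNS_TRANSPORT_TLS' &&
        ! printf '%s\n' "$cfg" | grep -qE 'GETDNS_TRANSPORT_(UDP|TCP)'
}

# 3. The log says "DNSSEC Validation is OFF": stubby validates only when
#    dnssec_return_status (or, in newer builds, dnssec) is GETDNS_EXTENSION_TRUE.
#    Assumed key names; the shipped file has this setting commented out.
stubby_dnssec_enabled() {            # $1 = stubby.yml
    active_lines "$1" | grep -qE '^[[:space:]]*(dnssec_return_status|dnssec):[[:space:]]*GETDNS_EXTENSION_TRUE'
}

# 4. Leak check: every nameserver in resolv.conf must be loopback, otherwise
#    queries bypass stubby. 127.0.0.53 means systemd-resolved sits in front of
#    stubby; confirm what it forwards to with: resolvectl status
resolv_only_loopback() {             # $1 = resolv.conf
    bad=$(awk '$1=="nameserver" && $2 !~ /^127\./ && $2!="::1" && $2!="0::1" {print $2}' "$1")
    [ -z "$bad" ]
}

# 5. A validated answer from dig carries "ad" on the header flags line.
dig_has_ad_flag() {                  # dig output on stdin
    grep -E '^;; flags:' | grep -qE '(^|[[:space:]])ad([[:space:]]|;)'
}

# Live query through stubby (needs network and the dig tool from dnsutils);
# not exercised by the offline checks.
live_dnssec_check() {                # $1 = name to resolve, default cloudflare.com
    dig @127.0.0.1 +dnssec "${1:-cloudflare.com}" A | dig_has_ad_flag
}

check_all() {                        # $1 = stubby.yml, $2 = resolv.conf
    rc=0
    stubby_upstreams_authenticated "$1" || { echo "upstream without tls_auth_name, or authentication not required"; rc=1; }
    stubby_tls_only "$1"              || { echo "non-TLS transport listed; Strict profile will not apply"; rc=1; }
    stubby_dnssec_enabled "$1"        || { echo "DNSSEC validation is off in stubby.yml"; rc=1; }
    resolv_only_loopback "$2"         || { echo "resolv.conf has a non-loopback nameserver (DNS leak)"; rc=1; }
    return $rc
}
```

After restarting stubby, run check_all /etc/stubby/stubby.yml /etc/resolv.conf; once the network connection has been pointed at 127.0.0.1 (below), live_dnssec_check tells you whether answers coming back through stubby carry the ad flag.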
Now open Firefox ESR, go to Preferences, scroll down to Network Settings and click Settings. Enable DNS over HTTPS and Cloudflare, which is the default that should be selected.

Next, go to about:config in Firefox ESR and type esni in the search box. Set network.security.esni.enabled to true by double-clicking false, then close your browser.

Next, right-click the connection icon in your system tray and choose Network Settings. Select your network connection and click the tiny gear icon in the bottom right of the Network window.
First, select the IPv4 tab and disable automatic DNS, then enter 127.0.0.1 in the Server text box.

That change will cause your machine to use stubby as the DNS resolver for all external traffic when using that particular connection. If you have a wifi and a wired connection and you use both interchangeably, or if you have additional wired connections going to the outside world, you must perform the same procedure on each connection that you want to protect.

Next, set the IPv6 DNS in the same way as you just did above for IPv4, but use 0::1 (the IPv6 loopback address, ::1) as the DNS address. Finally, click Apply. Disconnect your network, wait a few seconds and reconnect it.
This is it, the big test. Open Firefox ESR (make sure you're not opening the standard firefox), go to the Cloudflare ESNI checker page and click the Check My Browser button. If you get this:

Success!

If you don't get four check marks (Secure DNS, DNSSEC, TLS 1.3 and Encrypted SNI), go back over the steps and verify what you've done to find what you missed.
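When the checker comes back short of four marks, the quickest way to see which browser step was missed is to read the profile's prefs.js rather than clicking back through the GUI. The functions below are an added example, not from the tutorial: they look for the preferences the DNS over HTTPS and about:config steps above set. Firefox writes only non-default preferences to prefs.js, so network.trr.mode (0 by default; 2 means DoH with fallback to the system resolver, 3 means DoH only) and network.security.esni.enabled will be present, while an absent network.trr.uri means the built-in default resolver, Cloudflare, is in use. The profile path is yours to fill in; close Firefox ESR first so prefs.js is current.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): inspect a Firefox
# profile's prefs.js for the DNS over HTTPS and ESNI settings made above.

# Print the raw value of one user_pref line (number, true/false, or a quoted
# string, quotes included); prints nothing when the pref is not in the file.
pref_value() {              # $1 = prefs.js, $2 = preference name
    sed -nE "s/^user_pref\(\"$2\", *(.*)\);\$/\1/p" "$1"
}

# network.trr.mode: 2 = DoH first, native (stubby here) as fallback; 3 = DoH only.
firefox_doh_mode_ok() {     # $1 = prefs.js
    m=$(pref_value "$1" network.trr.mode)
    [ "$m" = 2 ] || [ "$m" = 3 ]
}

# The about:config step: network.security.esni.enabled must be true.
firefox_esni_ok() {         # $1 = prefs.js
    [ "$(pref_value "$1" network.security.esni.enabled)" = true ]
}

# network.trr.uri is only written when changed from the default; if present,
# it must still point at a Cloudflare DoH endpoint for the checker to pass.
firefox_trr_uri_ok() {      # $1 = prefs.js
    u=$(pref_value "$1" network.trr.uri)
    [ -z "$u" ] || printf '%s\n' "$u" | grep -qE '^"https://(mozilla\.)?cloudflare-dns\.com/dns-query"$'
}

firefox_check() {           # $1 = prefs.js; reports every missing setting
    rc=0
    firefox_doh_mode_ok "$1" || { echo "network.trr.mode is not 2 or 3: DNS over HTTPS is off"; rc=1; }
    firefox_esni_ok "$1"     || { echo "network.security.esni.enabled is not true"; rc=1; }
    firefox_trr_uri_ok "$1"  || { echo "network.trr.uri points at a non-Cloudflare resolver"; rc=1; }
    return $rc
}
```

Usage: firefox_check ~/.mozilla/firefox/<your ESR profile>/prefs.js, with the profile directory name substituted.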
Now you can remove the standard Firefox:

sudo apt remove --purge firefox

If you want to learn more, click the Learn More... link below each security feature on the Cloudflare ESNI page.
What you ought to consider next is changing the DNS servers right across your internal network, i.e. on your router and on all your machines, which will ensure that all of your internet activity goes through Cloudflare DNS. It won't all be encrypted and secure, though, unless you are using the method above (stubby with Firefox ESR) or a VPN to protect browser and non-browser traffic. For example, unless you are using a VPN, sudo apt update will use DNSSEC but it won't use either ESNI or Secure DNS, because these are features built into Firefox ESR, not into apt. At worst, and with a VPN, external sites should only pick up that you are using Cloudflare DNS. For any other machines, follow the procedure above. For your router, set the following IP addresses as the DNS servers:
For IPv4: 1.1.1.1, and 1.0.0.1 as the fallback.
For IPv6: 2606:4700:4700::1111, and 2606:4700:4700::1001 as the fallback.
You will probably have to reboot your router.
Modifying your router's DNS servers is absolutely essential to preventing DNS leaks because they are usually set to your ISP's DNS resolvers, and you don't want that.
ADDENDUM: For VPN users
In the Windows world, openvpn supports a parameter that blocks outside DNS, block-outside-dns, but this doesn't work in Linux. You need to add a few extra lines to your .ovpn files:

dhcp-option DNS 127.0.0.1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

The first line assumes that you have installed stubby and have it running. If you're not using stubby then change the DNS to your preferred DNS server IPv4 address. The second line causes openvpn to allow executables and user-defined scripts to be run. The third and fourth lines call an Ubuntu script that should already be installed for any Ubuntu-based distribution. For users of non-Ubuntu distributions who find this tutorial from a web search, I'm afraid you're on your own. Perhaps seeking out the script code and modifying it to suit your OS might be required.
After saving your changes, preferably to a different file name so you know that you've edited it, import the modified .ovpn file and set it as the default VPN to use in Network Manager. You can then head off to https://www.dnsleaktest.com/ and test your configuration.