Olivier Poitrey Thank you! How about DOQ? I don’t think it will be supported by iOS natively anytime soon. Is DOQ via the NextDNS App?

thanks alot! xx

Olivier Poitrey any update yet? The best we can get is SOME DoH3 on iOS and Mac but it’s only on browsers and for iOS it’s a temporary thing until it falls back to DoH because of the stupid lock screen.

Olivier Poitrey No, it can still be recognized. At present, mainland China has blocked many overseas suppliers that provide DOH and DOT, such as opendns, nextdns, Cloudflare DNS, AdGuard DNS, Quad9 DNS and so on.
At present, the resolved domain names of these encrypted dns can be blocked through SNI. For example, if the third-level domain name contains keywords such as DNS and DOH, it will be blocked as follows:
"Dns.example.com", "doh.example.com".
I tested it on my own server and it has been verified.
Whether it is DOH or DOT, it is currently impossible to achieve full-process encryption. If you add a new protocol, such as DoQ, it will be easier to identify, and the feature is too obvious, so the port number will be blocked directly.
I also think DoH should be the main development direction. It would be better if SNI encryption can be completed without being recognized. SNI encryption China can also block, it is too powerful.

https://gfw.report/blog/gfw_esni_blocking/en/

Olivier Poitrey According to the IETF doc "Servers MAY serve HTTP/3 on any UDP port". Hoping you guys run this on UDP 443 to be able to really blend in with QUIC. Thanks!

Olivier PoitreyOh, I see. How to use dns over quic in NextDNS Cli on Windows? Are there no settings to set it?

Olivier Poitrey Okay. If I can  Okay. If I may know, dns over quic now only occurs on what platform and how do I activate it?

Olivier Poitrey Will HTTP/3 be added to the Linux cli's as well? Looking forward to benchmarking a couple of my pi's running the cli clients. 

Olivier Poitrey So DoQ is live now in the CLI v1.32.0? How do we know if it's using it or not?! Should "Protocol:" when running test.nextdns.io say "DOQ" or something similar?! For me it's still "DOH".

Olivier Poitrey Got it...  So DoH3 will not work for me, since I want  to identify my devices. Maybe will disable report-client-info a while,  just to test it out 

Olivier Poitrey Yeah, it is kinda confusing with all protocols/layers  I still only see "DOH" when using the CLI v1.32.0, but should it say "DoH3" under Protocols when using test.nextdns.io?

Olivier Poitrey that would be cool to test out. I too was looking forward to seeing DoH3 when I updated my Ubuntu cli’s yesterday (even if it doesn’t make a big difference) but still saw they were using TCP. 

Olivier Poitrey Solely out of curiosity -what issues are the browsers having with DOH3? Edge seems to be working OK just in my limited testing, wondering if the other Chromium browsers are having issues. Is this something the community can help you guys test?

Sergey Twersky it can be used same as DoT but with a client supporting DoQ (almost none exist as of today).

DynamicNotSlow  New free DNS free intrent

Umur Soydan it is currently available on doh3.dns.nextdns.io

NextDNS no client currently supports DoH3 though right?

Jason Hawkins chrome and firefox do

NextDNS so we should use as https://doh3.dns.nextdns.io/customerid ? and we can use with another app on android such as nebulo, adguard etc. ?

Umur Soydan yes you just add doh3. in front of the DoH URL. As far as we know, none of the apps you mentioned are supporting HTTP/3 for now.

NextDNS Does adguardhome currently support HTTP/3?

Carrot eggs it does only support DoQ which is different. DoH3 is using HTTP/3 (HTTP over QUIC). We support DoQ too, you can use the same hostname as for DoT, but specifying the quic protocol.

NextDNS gotcha. I use the cli client and iOS so I’ll have the wait for support on those.  

Umur Soydan Nebulo supported DoH3

Gradito Tunggulcahyo how is the performance compared to normal DoH for you?

In Edge browser it's mostly delayed with some seconds for new domains for me.

DynamicNotSlow  I don't see any performance issue, but not really sure about the improvement that I feel so far.

maybe I should use this for a week or a month to feel the impact of doh3

chigarow i think it doesnt support, just go to test.nextdns.io with your browser and protokol need to be "DOH3"

i face same with Nebulo app, when you type the DoH3 setting text in app it works again as DOH ( not DOH3) 

but on computer, with opera,Chrome browser when you type DOH3 setting, protokol says you  are using DOH3

i think currently just these browsers support DOH3

Umur Soydan ah I see 

Soo thanks a lot for the information yaap, just checked and I get DOH not DOH3 

thankyouuu and sorry for the misleading

chigarow  no problem, i hope soon apps start to support DOH3 and we can use it 

Umur Soydan Edge also don't support DoH3 yet. That may the reason for my performance problems.

Chris Leidich Interesting!

I still see DNS-over-HTTPS (not DNS-over-HTTPS/3), but I'm using the NextDNS App instead of the Apple profile.

Rob My iPhone (also running 14.5.1 with native DNS) still shows regular DNS-over-HTTPS. Not sure what is special about the iPad, or else this is being gradually deployed somehow by NextDNS.

Chris Leidich What do you mean with "native DNS"?

• NextDNS iOS App?
• NextDNS Apple configuration profile?

Chris Leidich i can't confirm that with my iPad 2020.

Your screen looks also like the NextDNS app as the NextDNS website doesn't provide a "show Tracker Insights" menu.

Rob Using the config profile, not the app

DynamicNotSlow The screenshot was from my phone, it shows that link on the smaller screen version of my.NextDNS.io.

test.NextDNS.io shows DOH3 too. Haven’t been able to reason out why my iPad is special compared to other iOS devices I have though. Just an interesting observation for now.

Carrot eggs are you surprised? They block everything they can lol

andrew hill malicious software doesn't need any DNS.

If you want stop malware at that level, it's already too late.

DynamicNotSlow I am talking about a layered approach and this is taking one layer away as well as creating another set of problems like local LAN resolution.

andrew hill you should first read about how DNS works.

NextDNS works as expected / as DNS works.

DynamicNotSlow OK lets say we trust NextDNS or Cloudflare but don't trust some other random DNS provider, since DoH is using 443 how do you stop any application from using whichever DNS it feels like, now you have to maintain a list of non approved DNS resolvers to block at the firewall level, an impossible task.

DynamicNotSlow https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/

andrew hill you can't. Also, as i said already application doesn't need DNS.

Applications can also use internal system processes to circumstances your blockage. Badness enumeration just don't work.

andrew hill typical media nonsense.

Also, none of that you post is related to NextDNS nor this topic.

DynamicNotSlow 

Utai ?

DynamicNotSlow yup agreed it's typical media nonsense.

Encrypted dns definitly increase more security, despite it's weakness since nothing perfect in the world. It's like adding lock to a house it will increase security despite thief can still pick the lock. Only fake expert will says bullshit like a lock causes more problems than it solves. 

andrew hill it's entirely different case. Nextdns only provide secure dns service, and yet you ask about maintaining firewall to prevent application/user mischief.

It's quite not logical to ask a $2 service to protect you from all kind of threat.

Luke Skywalker still not working in beta 3. We're working with Apple to make it work eventually.

Zigan