SysAdmin Weekly

047 - Is DNS Over HTTPS Actually Private? What ECH Fixes That DoH Doesn't



Turning on DNS over HTTPS does not make your browsing private. The hostname you are trying to reach still leaks in the TLS handshake through the Server Name Indication field, and that is the part most coverage of DoH quietly skips.

Andy and Eric pick up where the DNS deep dive in episode 045 left off, this time focused on the privacy half of the problem. The episode walks through why DoH on its own only solves part of the equation, what Encrypted Client Hello (ECH) is doing to close the SNI gap, and which browsers actually support it today. Andy also unpacks Cloudflare's quiet deprecation of cloudflared's proxy-dns feature, what that means for every Pi-hole plus cloudflared setup still in the wild, and the Quad9 plus UDM Pro stack he landed on instead.
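To make the SNI point concrete, here is an added example (not code from the podcast or from any project it mentions). It builds a minimal TLS 1.3 ClientHello record with constructed hostnames, then parses it the way a passive observer on the path would: the `server_name` extension is readable with no key material at all, which is exactly why resolving the name over DoH does not hide where you are connecting. The second build stands in an `encrypted_client_hello` extension whose body is a placeholder for the HPKE-encrypted inner ClientHello (the real ECH construction is not implemented here), so the parser only recovers the ECHConfig public name, not the site you actually asked for. The ECH extension codepoint `0xfe0d` is taken from the current draft and is an assumption of this example.

```python
import os
import struct

SNI_EXT = 0x0000                 # server_name
SUPPORTED_VERSIONS_EXT = 0x002b  # supported_versions
ECH_EXT = 0xfe0d                 # encrypted_client_hello (assumed draft codepoint)


def _ext(ext_type, body):
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    """Encode a server_name extension with a single host_name entry (name_type 0)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)


def build_client_hello(server_name, extra_extensions=b""):
    """Return a minimal TLS ClientHello record (constructed test data, not a full client)."""
    body = b"\x03\x03"                              # legacy_version = TLS 1.2
    body += os.urandom(32)                          # random
    body += b"\x00"                                 # empty legacy_session_id
    suites = b"\x13\x01\x13\x02"                    # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # legacy_compression_methods: null only
    exts = sni_extension(server_name)
    exts += _ext(SUPPORTED_VERSIONS_EXT, b"\x02\x03\x04")  # offer TLS 1.3
    exts += extra_extensions
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _extensions(record):
    """Yield (type, data) for every extension in a ClientHello record; empty if not one."""
    if len(record) < 5 or record[0] != 0x16:        # not a handshake record
        return
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
        return
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                    # skip legacy_version and random
    off += 1 + body[off]                            # skip legacy_session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # skip cipher_suites
    off += 1 + body[off]                            # skip compression methods
    if off + 2 > len(body):
        return
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        yield etype, body[off:off + elen]
        off += elen


def extract_sni(record):
    """Return the cleartext host_name an on-path observer sees, or None if absent."""
    for etype, data in _extensions(record):
        if etype != SNI_EXT:
            continue
        pos = 2                                     # skip ServerNameList length
        while pos + 3 <= len(data):
            ntype = data[pos]
            nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            pos += 3
            if ntype == 0:                          # host_name
                return data[pos:pos + nlen].decode("ascii", "replace")
            pos += nlen
    return None


def has_ech(record):
    """True if the ClientHello carries an encrypted_client_hello extension."""
    return any(etype == ECH_EXT for etype, _ in _extensions(record))


if __name__ == "__main__":
    # Plain TLS 1.3 with DoH: the resolver query is encrypted, the handshake still names the site.
    plain = build_client_hello("intranet-docs.example.net")
    print("no ECH  -> observer sees:", extract_sni(plain), "| ECH present:", has_ech(plain))

    # ECH: outer SNI carries only the ECHConfig public name; the real name rides in the
    # encrypted inner ClientHello, represented here by a placeholder blob of random bytes.
    outer = build_client_hello("public-name.example", _ext(ECH_EXT, os.urandom(64)))
    print("with ECH -> observer sees:", extract_sni(outer), "| ECH present:", has_ech(outer))
```

Run it and the first line shows the real hostname recovered from the bytes on the wire; the second shows only the shared public name. Pointing `extract_sni` at a ClientHello captured from a real client (the first bytes of a TCP 443 stream) gives the same answer as Wireshark's "Server Name" column, which is a cheap way to verify whether your browser's ECH setting is actually taking effect.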

Also in this one: California's age verification law and the operating-system-level approach the state landed on, Microsoft Edge keeping decrypted passwords in memory at all times (and Microsoft initially calling it "working as intended"), the Humble Bundle SysAdmin and Linux book bundle that is live right now, and Andy retiring his last Windows machine in favor of Debian.

## Resources

- SysAdmin Weekly Episode 045 - Why Is It Always DNS? (the prior DNS deep dive referenced throughout this episode): https://open.spotify.com/episode/2oAh0KzE7J2o7NQFJK8Mza?si=D0OO9XwkRb2GQ-hxM9duUA

- Cloudflare announcement on the deprecation of cloudflared's proxy-dns feature (November 2025): https://developers.cloudflare.com/changelog/post/2025-11-11-cloudflared-proxy-dns/

- Pi-hole, network-wide ad blocking and DNS sinkhole: https://pi-hole.net

- cloudflared, the Cloudflare Tunnel client referenced in the proxy-dns discussion: https://github.com/cloudflare/cloudflared

- Quad9, the Swiss-based privacy-focused DNS resolver Andy migrated to: https://www.quad9.net

- Ubiquiti UDM Pro, which Andy moved his DNS forwarding onto: https://techspecs.ui.com/unifi/cloud-gateways/udm-pro

- Microsoft Edge password manager vulnerability, security researcher disclosure from May 4 showing credentials decrypted and held in memory: https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/

- Humble Bundle's SysAdmin and Linux book bundle from Packt (live for ~20 days from the recording date): https://www.humblebundle.com/books/ultimate-linux-sysadmin-bundle-books

- Andy's prior AndyOnTech post on the state of web browsers, referenced for the Safari and Brave standardization context: https://www.andyontech.com/posts/there_are_no_good_web_browsers_left_and_thats_a_problem/

- Encrypted Client Hello, Cloudflare's reference write-up on how ECH works alongside DoH: https://blog.cloudflare.com/announcing-encrypted-client-hello

- Apple iCloud Private Relay, referenced as Apple's likely answer to the SNI privacy problem in lieu of shipping ECH in Safari: https://support.apple.com/en-us/102602

- California's age verification law and the operating-system-level approach: https://www.theregister.com/software/2026/03/06/us-state-laws-push-age-checks-into-the-operating-system/4750249

- SysAdmin Weekly main site, all episode links and platforms: https://www.sysadminweekly.com

- SysAdmin Weekly newsletter, the companion weekly newsletter: https://newsletter.sysadminweekly.com

- Contact the show: [email protected]

## Chapters

02:29 - Exploring Secure DNS Lookups

04:17 - Tech News Reactions

08:25 - Microsoft Edge Security Concerns

14:58 - Humble Bundle Book Recommendations

20:05 - Nerd Hour: Home Lab Updates

26:23 - Understanding DNS Over HTTPS and Its Importance

30:11 - The Role of Encrypted Client Hello (ECH)

36:13 - Rebuilding the DNS Stack: A Personal Journey

42:06 - Cloudflare's Changes and Privacy Concerns

47:11 - The Future of Privacy and Quantum Cryptography


SysAdmin Weekly, by Andy Syrewicze and Eric Siron