A few months back Cloudflare announced ESNI, Encrypted Server Name Indication, across its whole network. Let's first explain what SNI is, what it does, and how this affects you.
SNI, which was standardized in 2003, is an extension to Transport Layer Security (TLS) that allows multiple secure websites to be served on the same IP address.
So that the server can present the right certificate, SNI transmits the domain name of the website you want to visit in plaintext, inside the TLS ClientHello, before any encryption is set up.
This means that an on-path observer – such as the user’s internet service provider (ISP) or a public WiFi host – can read the server name and track which sites the user is visiting, even though the page content itself is encrypted.
Encrypted SNI helps prevent this by encrypting the server name with a public key the site publishes in DNS, so even though the ISP can still see the connection (and the destination IP address), it cannot see which domain the user is trying to access.
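To make the leak concrete, here is an added example (not code from the original post or from Cloudflare/Mozilla) that does what an on-path observer can do: parse a TLS ClientHello and pull out the server_name extension. The two ClientHello messages are constructed inline for the demo; the ESNI one carries stand-in bytes in the draft encrypted_server_name extension (type 0xffce) rather than a real ciphertext, since the point is only what the observer can and cannot read.

```python
# Added example: read the plaintext SNI from a TLS ClientHello the way an ISP
# or WiFi host can. The ClientHellos below are constructed, not captured.
import os
import struct

EXT_SERVER_NAME = 0x0000            # RFC 6066 server_name
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # draft-ietf-tls-esni encrypted_server_name


def _ext(ext_type, data):
    """Encode one TLS extension: type(2) + length(2) + data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_extension(hostname):
    """Build a server_name extension with a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """Wrap a list of encoded extensions in a TLS record carrying a ClientHello."""
    body = (
        b"\x03\x03"                           # legacy_version TLS 1.2
        + b"\x00" * 32                        # random (zeroed for a deterministic demo)
        + b"\x00"                             # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null only
    )
    ext_block = b"".join(extensions)
    body += struct.pack("!H", len(ext_block)) + ext_block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return {'sni': hostname or None, 'esni': bool} from a ClientHello record.

    The record is not encrypted, so anything in the server_name extension is
    readable as-is by whoever sits on the path.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                       # skip handshake header, version, random
    pos += 1 + hs[pos]                     # legacy_session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                      # cipher_suites
    pos += 1 + hs[pos]                     # compression_methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "esni": False}
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SERVER_NAME:
            # server_name_list: list length(2), then name_type(1) + name length(2) + name
            list_len = struct.unpack("!H", data[:2])[0]
            entries = data[2:2 + list_len]
            if entries and entries[0] == 0:
                name_len = struct.unpack("!H", entries[1:3])[0]
                result["sni"] = entries[3:3 + name_len].decode("ascii")
        elif ext_type == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True
    return result


# Constructed ClientHello 1: classic plaintext SNI, as any TLS client sends today.
PLAINTEXT_HELLO = build_client_hello([sni_extension("allthingsnerd.tk")])

# Constructed ClientHello 2: draft ESNI. A real extension carries the client's key
# share and the server name encrypted under the key published in DNS; here the
# payload is stand-in random bytes, since only what the observer can read matters.
ESNI_HELLO = build_client_hello([_ext(EXT_ENCRYPTED_SERVER_NAME, os.urandom(64))])

if __name__ == "__main__":
    print(extract_sni(PLAINTEXT_HELLO))  # {'sni': 'allthingsnerd.tk', 'esni': False}
    print(extract_sni(ESNI_HELLO))       # {'sni': None, 'esni': True}
```

Run it and the first result shows the hostname sitting in the clear; the second shows that with ESNI the observer only learns that an ESNI extension is present. Note what the parser cannot hide: the destination IP address is still in the packet headers, and if the browser resolves the name over plaintext DNS the hostname leaks there instead, which is why the Firefox steps below also turn on DNS over HTTPS.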
Shortly after Cloudflare announced this, Firefox shipped it in their Nightly builds, and it has recently reached their stable release, although it is not turned on by default. There are a few quick things you need to do in Firefox, but it is fairly easy.
Open Firefox and follow these steps:
1. In the address bar enter about:config and press Enter. Accept the warning and continue.
2. In the search bar search for esni.enabled (the full preference name is network.security.esni.enabled). Double-click the setting to turn it from false to true.
3. Search for trr.mode (network.trr.mode) and double-click the setting to change the value to 2. This turns on DNS over HTTPS (DoH): mode 2 uses DoH first and falls back to the system resolver if it fails, while mode 3 is DoH only with no fallback. ESNI depends on this step, because the ESNI public key for a site like allthingsnerd.tk is fetched from DNS, and a plaintext DNS lookup would reveal the name anyway. Also check that network.trr.uri points at a DoH resolver you are happy with (Firefox's default is Cloudflare's). With both settings in place, your ISP can no longer see which hostname you asked for in either the DNS query or the TLS handshake, only the IP address you connected to; the DoH resolver operator still sees your queries.
4. Now let's visit https://encryptedsni.com and check the status. I have had DNSSEC fail at this point; this does not affect the above, but for completeness I have written a tutorial to resolve that issue as well.