Confused about ODOH protocol request process

[Kylvan-8]

Hello everyone,
I'm using dnscrypt from a lot of time as proxy on my pi-hole.
The service is actually setup to use only odoh nodes (in order to reduce the fingerprint compare to DoH). All of my peripherals are setup to use my pi-hole as a DNS resolver which is using dnscrypt proxy.

First, i want to be sure of my knowledge here :

• Actually when one of my client is trying to reach an internet service by an url, it forward a dns request to my pi-hole to get an ip address on port 53.
• When the pi-hole received the dns request it forwards it through the local proxy which is my dnscrypt-service.
• The dnscrypt-service will send the request through odoh protocol, on port 53 (so not encrypted) to a relay that will send the request to the target (8.8.8.8 or 9.9.9.9) (encrypted ?) and send it back to the proxy, and then to the pi-hole (encrypted but still on 53 ? I don't understand well that part).
• The pi-hole will send it back to my client and then, my client will resolve the url with the ip address and cache the answer of the dns request.
• When i will try to reach the same url from my client, it will use the local cached ip address.

That way my ISP couldn't spy on my dns requests but i'm potentially vulnerable to MITM attacks (right ?)

So actually, i'm quite confused about the encrypted part. Can someone enlight me on this ? Am i right on the rest of the process ?

One other thing, i've set a bunch of firewall rules on my routeur (which use my pihole as primary dns) with this order :

• Allow MyPihole from all port to reach 8.8.8.8 and 9.9.9.9 on port 53
• Allow MyLANRangeIP from port 53 to reach MyPihole on port 53
  ---> (This one isn't usefull right ? As my LAN clients will use the cached ip address they've got from the previous dns request )
• Allow MyPihole from port 53 to reach MyLANRangeIP on port 53
• Deny all ip from all ports to reach all ip on port 53

I still get activities on the last rule and i don't understand why. My router isn't good enough to catch and show me the entries matching this rule.. Have you any idea ? (i know it has a good chance to being not related to dnscrypt but i have nowhere else to get an answer..) And are my rule correct ? If i want to enforce the dns requests to go through my pihole.

Last thing, when i restart my dnscrypt-service on my pihole i see entries matching those rules :

• Allow MyPihole from all port to reach 8.8.8.8 and 9.9.9.9 on port 53

But at certain point like 6 or 9 entries i don't get any other entries. Is that normal ?

Thank you for your time, and for the answers if you can give me an hand there :)

[lifenjoiner]

• The dnscrypt-service will send the request through odoh protocol, on port 53 (so not encrypted) to a relay that will send the request to the target (8.8.8.8 or 9.9.9.9) (encrypted ?) and send it back to the proxy, and then to the pi-hole (encrypted but still on 53 ? I don't understand well that part).

i've set a bunch of firewall rules on my routeur

ODoH is using HTTPS first. Oblivious(HTTPS(DNS)), if in arithmetic expression.

2 fundamental conceptions for a proxy: inbound and outbound. They use different Sockets with different (local) ports.
Client requesting port is normally random and manged by the system.

Make it clear, which happens at which point and when.

but i'm potentially vulnerable to MITM attacks (right ?)

That depends on what you are going to do with the returned IP.
If still over TLS, not likely, TLS is in charge of authentication. Example: visit HTTPS websites.
If just in plain, that is possible, and much possibilities. Even the upstream DNS is reliable. There is BGP. ISP is always in charge of how the traffic flows.

[Kylvan-8]

• The dnscrypt-service will send the request through odoh protocol, on port 53 (so not encrypted) to a relay that will send the request to the target (8.8.8.8 or 9.9.9.9) (encrypted ?) and send it back to the proxy, and then to the pi-hole (encrypted but still on 53 ? I don't understand well that part).

i've set a bunch of firewall rules on my routeur

ODoH is using HTTPS first. Oblivious(HTTPS(DNS)), if in arithmetic expression.

2 fundamental conceptions for a proxy: inbound and outbound. They use different Sockets with different (local) ports. Client requesting port is normally random and manged by the system.

Make it clear, which happens at which point and when.

but i'm potentially vulnerable to MITM attacks (right ?)

That depends on what you are going to do with the returned IP. If still over TLS, not likely, TLS is in charge of authentication. Example: visit HTTPS websites. If just in plain, that is possible, and much possibilities. Even the upstream DNS is reliable. There is BGP. ISP is always in charge of how the traffic flows.

I didn't understand what you said. The technique I've described above was to see if I had understood it all correctly.

Because if I don't add the following rules to my firewall:

• Allow MyPihole to access 8.8.8.8 and 9.9.9.9 on port 53 from all ports

The relays are inaccessible to the dnscrypt-service. Therefore, for me, the connection to the proxy use port 53 only (for this particular section).

I'm not talking about what the client will eventually do with the IP. I'm referring to the process step when I'm attempting to receive an answer from the relays because it appears that if the process is interrupted at any point, the request's information could be made public.

Anyhow, my client exclusively browses through https. In a second time i will setup my own vpn but those are next steps.

[lifenjoiner]

MITM about (O)DoH:

• As DoH has already been encrypted, the content is improbable to be revealed from dnscrypt-proxy to the sdns server.
• SNI will reveal your destination.
• Interrupting is possible based on SNI or IP.