No ESNI support for DoH at cloudflare-gateway.com

The DNS-over-HTTPS URL for Cloudflare Gateway doesn’t support Encrypted SNI, so the uniquely generated subdomain is always sent in plaintext. This isn’t ideal, as anyone sniffing network traffic can extract and use this unique URL to make DNS queries that are logged in the associated account.

The regular Cloudflare DNS DoH URL is using ESNI, as shown below.

Tested by appending /cdn-cgi/trace to each endpoint:

https://xxxxxxxxxx.cloudflare-gateway.com : sni=plaintext
https://family.cloudflare-dns.com : sni=encrypted
https://mozilla.cloudflare-dns.com : sni=encrypted

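The trace check above can be read programmatically. The following is an added example, not code from the post or from Cloudflare: it parses the key=value lines that /cdn-cgi/trace returns and reports which DoH hostnames had their server name sent in plaintext. The trace bodies are constructed samples in that format, and the gateway subdomain is the post's placeholder; the check is only meaningful when the trace was fetched by a client that actually offers ESNI, since a client without it will always see sni=plaintext.

```python
"""Classify DoH endpoints by the 'sni=' field of their /cdn-cgi/trace output.

Added example (not from the original post). Trace bodies below are
constructed samples in the /cdn-cgi/trace key=value line format; the
gateway hostname is the placeholder used in the post, not a real account.
"""

GATEWAY_PLACEHOLDER = "xxxxxxxxxx.cloudflare-gateway.com"  # placeholder from the post

# Constructed sample trace bodies (only the fields relevant to this check).
SAMPLE_TRACES = {
    GATEWAY_PLACEHOLDER: "fl=1a2b3c\nh=xxxxxxxxxx.cloudflare-gateway.com\ntls=TLSv1.3\nsni=plaintext\n",
    "family.cloudflare-dns.com": "fl=4d5e6f\nh=family.cloudflare-dns.com\ntls=TLSv1.3\nsni=encrypted\n",
    "mozilla.cloudflare-dns.com": "fl=7a8b9c\nh=mozilla.cloudflare-dns.com\ntls=TLSv1.3\nsni=encrypted\n",
}


def parse_trace(body: str) -> dict:
    """Parse /cdn-cgi/trace output (one key=value per line) into a dict.
    Lines without '=' are ignored; a repeated key keeps the last value."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def sni_exposed(body: str) -> bool:
    """True when the trace does not confirm an encrypted SNI.
    A missing or unexpected 'sni' value is treated as exposed (fail closed)."""
    return parse_trace(body).get("sni") != "encrypted"


def exposed_hosts(traces: dict) -> list:
    """Given {hostname: trace body}, return the hostnames whose server name
    was sent in the clear. For a Gateway endpoint that hostname *is* the
    per-account identifier, so an entry here means the account is observable
    by anyone watching the TLS handshake."""
    return sorted(host for host, body in traces.items() if sni_exposed(body))


if __name__ == "__main__":
    for host, body in SAMPLE_TRACES.items():
        print(f"{host}: sni={'plaintext' if sni_exposed(body) else 'encrypted'}")
    print("exposed:", exposed_hosts(SAMPLE_TRACES))
```

To check live endpoints, save the body of https://HOST/cdn-cgi/trace as fetched by an ESNI-capable browser and feed it to parse_trace; the sample dict above stands in for those captures.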

It also occurs to me that this could be used to track users to some extent.

I can rotate my MAC address or other identifiers, but if every first connection kicks off a plaintext “this device is associated with Cloudflare account…” a network or hotspot operator could easily identify me.
