Merge pull request #2784 from darkexplosiveqwx/blockesni_description

DL6ER · web-flow · commit 731d40f35aea · 2026-04-15T19:57:24.000+02:00
Clarify `dns.blockESNI` wording
diff --git a/src/config/config.c b/src/config/config.c
@@ -419,7 +419,7 @@ void initConfig(struct config *conf)
 	conf->dns.CNAMEdeepInspect.c = validate_stub; // Only type-based checking
 
 	conf->dns.blockESNI.k = "dns.blockESNI";
-	conf->dns.blockESNI.h = "Should _esni. subdomains be blocked by default? Encrypted Server Name Indication (ESNI) is certainly a good step into the right direction to enhance privacy on the web. It prevents on-path observers, including ISPs, coffee shop owners and firewalls, from intercepting the TLS Server Name Indication (SNI) extension by encrypting it. This prevents the SNI from being used to determine which websites users are visiting.\n\n ESNI will obviously cause issues for pixelserv-tls which will be unable to generate matching certificates on-the-fly when it cannot read the SNI. Cloudflare and Firefox are already enabling ESNI. According to the IETF draft (link above), we can easily restore pixelserv-tls's operation by replying NXDOMAIN to _esni. subdomains of blocked domains as this mimics a \"not configured for this domain\" behavior.";
+	conf->dns.blockESNI.h = "Should _esni. subdomains of blocked domains also be blocked by default? Encrypted Server Name Indication (ESNI) is certainly a good step into the right direction to enhance privacy on the web. It prevents on-path observers, including ISPs, coffee shop owners and firewalls, from intercepting the TLS Server Name Indication (SNI) extension by encrypting it. This prevents the SNI from being used to determine which websites users are visiting.\n\n ESNI will obviously cause issues for pixelserv-tls which will be unable to generate matching certificates on-the-fly when it cannot read the SNI. According to the IETF draft (link above), we can easily restore pixelserv-tls's operation by replying NXDOMAIN to _esni. subdomains of blocked domains as this mimics a \"not configured for this domain\" behavior.\n\n ESNI is mostly obsolete. It was previously rolled out by Cloudflare and Firefox, but they, as well as almost every client and server, are now using Encrypted Client Hello (ECH) instead of ESNI. ECH is served via the HTTPS record on the same RRname, so it will automatically be blocked.";
 	conf->dns.blockESNI.t = CONF_BOOL;
 	conf->dns.blockESNI.d.b = true;
 	conf->dns.blockESNI.c = validate_stub; // Only type-based checking
diff --git a/test/pihole.toml b/test/pihole.toml
@@ -22,18 +22,23 @@
   #     true or false
   CNAMEdeepInspect = true
 
-  # Should _esni. subdomains be blocked by default? Encrypted Server Name Indication
-  # (ESNI) is certainly a good step into the right direction to enhance privacy on the
-  # web. It prevents on-path observers, including ISPs, coffee shop owners and
-  # firewalls, from intercepting the TLS Server Name Indication (SNI) extension by
-  # encrypting it. This prevents the SNI from being used to determine which websites
-  # users are visiting.
+  # Should _esni. subdomains of blocked domains also be blocked by default? Encrypted
+  # Server Name Indication (ESNI) is certainly a good step into the right direction to
+  # enhance privacy on the web. It prevents on-path observers, including ISPs, coffee
+  # shop owners and firewalls, from intercepting the TLS Server Name Indication (SNI)
+  # extension by encrypting it. This prevents the SNI from being used to determine which
+  # websites users are visiting.
   #
   # ESNI will obviously cause issues for pixelserv-tls which will be unable to generate
-  # matching certificates on-the-fly when it cannot read the SNI. Cloudflare and Firefox
-  # are already enabling ESNI. According to the IETF draft (link above), we can easily
-  # restore pixelserv-tls's operation by replying NXDOMAIN to _esni. subdomains of
-  # blocked domains as this mimics a "not configured for this domain" behavior.
+  # matching certificates on-the-fly when it cannot read the SNI. According to the IETF
+  # draft (link above), we can easily restore pixelserv-tls's operation by replying
+  # NXDOMAIN to _esni. subdomains of blocked domains as this mimics a "not configured
+  # for this domain" behavior.
+  #
+  # ESNI is mostly obsolete. It was previously rolled out by Cloudflare and Firefox, but
+  # they, as well as almost every client and server, are now using Encrypted Client
+  # Hello (ECH) instead of ESNI. ECH is served via the HTTPS record on the same RRname,
+  # so it will automatically be blocked.
   #
   # Allowed values are:
   #     true or false
