Opened 17 months ago

Last modified 7 months ago

#2201 reopened enhancement

Use DNS over HTTPS for Reseed and NTP lookups

Reported by: zzz
Owned by: zzz
Priority: minor
Milestone: eventually
Component: router/general
Version: 0.9.33
Keywords:
Cc:
Parent Tickets:
Sensitive: no

Description

Proposal 141 http://i2p-projekt.i2p/spec/proposals/141-deprecate-hostnames-in-addresses eliminated DNS lookups for routers, but we still have DNS lookups for NTP and reseeding.

https://en.wikipedia.org/wiki/DNS_over_HTTPS
https://developers.google.com/speed/public-dns/docs/dns-over-https
https://developers.cloudflare.com/1.1.1.1/dns-over-https/

Will need to decide whether to use Cloudflare, Google, or both, and fall back to regular Java-backed lookup.

Change History (8)

comment:1 Changed 17 months ago by zzz

Owner: set to zzz
Status: new → accepted

Implemented and tested as a CLI tool. Not integrated into NTP/Reseed yet. Whether to enable and rely on those two sites, and a beta API, is to be decided.

comment:2 Changed 17 months ago by zzz

Integrated into NTP and to SSLEepGet for Reseed, tested and working. Not checked in anywhere, I will stick it in a branch if anyone would like to test.

DNS over TLS is an alternative, but much harder as it's native DNS format.

Policy-wise, for now, it randomly chooses Google or Cloudflare. Cloudflare seems to have a better privacy policy, but Google supports the EDNS parameter.

comment:3 Changed 17 months ago by zzz

Also - while the claims are that Cloudflare is super-fast, that's for regular DNS. DoH via Java is about 250-500 ms for a response, probably 10x slower than DNS. Probably doesn't matter for reseeding or NTP.

comment:4 Changed 17 months ago by backup

Great idea, DoH looks good, even if it's still experimental and we have only a few providers.

Please check if we can use quad9.net too - I read about it here the first time and it sounds solid:
https://www.heise.de/newsticker/meldung/Quad9-Datenschutzfreundliche-Alternative-zum-Google-DNS-3890741.html

Is it possible to have an extra info line in the log for the reseed request about the used DNS?

Trying DNSoverHTTPS provider xyz…
Fallback to plain DNS …

Thanks very much!

comment:5 Changed 16 months ago by zzz

Milestone: 0.9.37 → 0.9.35
Resolution: fixed
Status: accepted → closed

In 2a566f739bc02365a0c5af3b53c19202bb2c454e 0.9.34-4
enabled for testing for now, will decide before release.

comment:6 Changed 16 months ago by Reportage

If this is implemented, a configurable list of providers would be useful, as would the option to turn this off. As an alternative, DNS over Tor is another method to secure DNS lookups, either through the Orchid plugin (if supported), or natively over Tor via the DNSPort directive (which might be more compelling if native Tor is supported by default).

comment:7 Changed 15 months ago by zzz

Milestone: 0.9.35 → 0.9.36
Resolution: fixed
Status: closed → reopened

  • At least one commenter in IRC does trust their ISP more than Cloudflare/Google?, if only due to 'incompetence'
  • Tor says they want 200 providers minimum before using it. I don't know what our minimum is but it's probably more than 2.

Changed to disabled by default in 16d4dfaa9d6ec6559a91f2d80b566f2514e31b0a to be 0.9.34-12
Reenable with eepget.useDNSOverHTTPS=true and time.useDNSOverHTTPS=true
Reopening ticket to change the default back to enabled again after more providers appear, and to address the requests in comments 4 and 6 above.
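
The lookup policy discussed in comments 2, 4, 6 and 7 (random choice between providers, fallback to the regular resolver, an on/off switch like the useDNSOverHTTPS keys, a configurable provider list, and a log line naming the provider tried), as an added Python example rather than the router's Java code. The endpoints are the JSON APIs from the Google and Cloudflare docs linked in the description; the sample response body and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
import json
import random
import socket
import urllib.request

# DoH JSON-API endpoints, assumed from the Google and Cloudflare docs linked in the description.
PROVIDERS = {
    "google": ("https://dns.google/resolve", {}),
    "cloudflare": ("https://cloudflare-dns.com/dns-query", {"Accept": "application/dns-json"}),
}
# Constructed sample body in the JSON shape both providers return (192.0.2.x is TEST-NET-1).
SAMPLE_OK = ('{"Status":0,"Answer":[{"name":"www.example.com.","type":5,"TTL":300,"data":"example.com."},'
             '{"name":"example.com.","type":1,"TTL":300,"data":"192.0.2.10"}]}')

def parse_doh_json(body, want_type=1):
    """Addresses of the wanted RR type (1 = A); [] on NXDOMAIN/SERVFAIL. CNAMEs also sit in Answer."""
    doc = json.loads(body)
    if doc.get("Status", 2) != 0:  # 0 = NOERROR
        return []
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == want_type]

def doh_lookup(host, provider, timeout=5.0):
    """One A-record query to a named provider: HTTPS GET, JSON answer."""
    url, headers = PROVIDERS[provider]
    req = urllib.request.Request(f"{url}?name={host}&type=A", headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_doh_json(resp.read().decode("utf-8"))

def plain_lookup(host):
    """The regular system resolver the router falls back to."""
    return socket.gethostbyname_ex(host)[2]

def resolve(host, providers=("google", "cloudflare"), enabled=True,
            lookup=doh_lookup, plain=plain_lookup, log=print):
    """Try providers in random order, then plain DNS. Returns (addresses, source)."""
    if enabled:  # the *.useDNSOverHTTPS switch: off means plain DNS only
        order = list(providers)
        random.shuffle(order)
        for name in order:
            log(f"Trying DNSoverHTTPS provider {name}...")
            try:
                addrs = lookup(host, name)
            except (OSError, ValueError, KeyError) as err:  # network error, bad JSON, unknown name
                log(f"DoH provider {name} failed: {err}")
                continue
            if addrs:
                return addrs, name
    log("Fallback to plain DNS...")
    return plain(host), "plain-dns"
```

Calling `resolve("example.com")` with the defaults performs real HTTPS queries; the `lookup`, `plain` and `log` parameters exist so the policy can be exercised offline.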

comment:8 Changed 7 months ago by zzz

Milestone: 0.9.36 → eventually