Opened 3 years ago
Closed 3 weeks ago
#2201 closed enhancement (fixed)
Use DNS over HTTPS for Reseed and NTP lookups
| Reported by: | zzz | Owned by: | zzz |
|---|---|---|---|
| Priority: | minor | Milestone: | 0.9.50 |
| Component: | router/general | Version: | 0.9.33 |
| Keywords: | Cc: | ||
| Parent Tickets: | Sensitive: | no |
Description
Proposal 141 http://i2p-projekt.i2p/spec/proposals/141-deprecate-hostnames-in-addresses eliminated DNS lookups for routers, but we still have DNS lookups for NTP and reseeding.
https://en.wikipedia.org/wiki/DNS_over_HTTPS
https://developers.google.com/speed/public-dns/docs/dns-over-https
https://developers.cloudflare.com/1.1.1.1/dns-over-https/
Will need to decide whether to use Cloudflare, Google, or both, and fallback to regular Java-backed lookup.
Subtickets
Change History (14)
comment:1 Changed 3 years ago by
| Owner: | set to zzz |
|---|---|
| Status: | new → accepted |
comment:2 Changed 3 years ago by
Integrated into NTP and to SSLEepGet for Reseed, tested and working. Not checked in anywhere, I will stick it in a branch if anyone would like to test.
DNS over TLS is an alternative, but much harder as it's native DNS format.
Policy-wise, for now, it randomly chooses Google or Cloudflare. Cloudflare seems to have a better privacy policy, but Google supports the EDNS parameter.
comment:3 Changed 3 years ago by
Also - while the claims are that Cloudflare is super-fast, that's for regular DNS. DoH via Java is about 250-500 ms for a response, probably 10x slower than DNS. Probably doesn't matter for reseeding or NTP.
comment:4 Changed 3 years ago by
Great idea, DoH looks good, even is it's still experimental and we have only a few providers.
Please check if we can use quad9.net too - I read about it here the first time and it sounds solid:
https://www.heise.de/newsticker/meldung/Quad9-Datenschutzfreundliche-Alternative-zum-Google-DNS-3890741.html
It is possible to have an extra info line in the log for the reseed request about the used DNS?
Trying DNSoverHTTPS provider xyz…
Fallback to plain DNS …
Thanks very much!
comment:5 Changed 3 years ago by
| Milestone: | 0.9.37 → 0.9.35 |
|---|---|
| Resolution: | → fixed |
| Status: | accepted → closed |
In 2a566f739bc02365a0c5af3b53c19202bb2c454e 0.9.34-4
enabled for testing for now, will decide before release.
comment:6 Changed 3 years ago by
If this is implemented, a configurable list of providers would be useful, as would the option to turn this off. As an alternative, DNS over Tor is another method to secure DNS lookups, either through the Orchid plugin (if supported), or natively over Tor via the DNSPort directive (which might be more compelling if native Tor is supported by default).
comment:7 Changed 3 years ago by
| Milestone: | 0.9.35 → 0.9.36 |
|---|---|
| Resolution: | fixed |
| Status: | closed → reopened |
- At least one commenter in IRC does trust their ISP more than Cloudflare/Google?, if only due to 'incompetence'
- Tor says they want 200 providers minimum before using it. I don't know what our minimum is but it's probably more than 2.
Changed to disabled by default in 16d4dfaa9d6ec6559a91f2d80b566f2514e31b0a to be 0.9.34-12
Reenable with eepget.useDNSOverHTTPS=true and time.useDNSOverHTTPS=true
Reopening ticket to change the default back to enabled again after more providers appear, and to address the requests in comments 4 and 6 above.
comment:8 Changed 2 years ago by
| Milestone: | 0.9.36 → eventually |
|---|
comment:9 Changed 20 months ago by
| Sensitive: | unset |
|---|
In 4e1fd263e8c21cebaff9259df3f2bc0f14b92717 to be 0.9.42-3:
- Fix SAN verification for IPv6 hostnames
- Add Quad9 DoH servers
- Change Google DoH server hostname
comment:10 Changed 20 months ago by
list of other servers: https://en.wikipedia.org/wiki/Public_recursive_name_server
Note that we only support the older JSON flavor, not the new RFC 8484 flavor. We could switch to the RFC (raw DNS format) flavor, but that would take some effort; it would be almost a total rewrite.
comment:11 Changed 6 months ago by
At this point it's pretty clear that the RFC 8484 variant has won. If we want a large number of candidate servers, we'll have to switch.
It would be prudent to use an existing library to parse the replies, as they can vary widely. The 'core' portion of this library looks like a good candidate: https://github.com/MiniDNS/minidns
Public lists of servers:
https://dnscrypt.info/public-servers/
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers#DNSPrivacyPublicResolvers-DNS-over-HTTPS(DoH)
comment:12 Changed 6 months ago by
Have it working with the minidns lib. We need about 200KB of classes from it (uncompressed), about 80KB compressed.
The EDNS0 aka ECS aka RFC 7871 issue will take some research.
comment:13 Changed 4 months ago by
RFC 8484 support checked in shortly after the 0.9.48 release. SSLEepGet timeout issues still todo.
comment:14 Changed 3 weeks ago by
| Milestone: | eventually → 0.9.50 |
|---|---|
| Resolution: | → fixed |
| Status: | reopened → closed |
Timeout fix and other fixes checked in, enabled by default for SSLEepGet, to be 0.9.49-8.
Not going to enable it for NTP for now.
Implemented and tested as a CLI tool. Not integrated into NTP/Reseed yet. Whether to enable and rely on those two sites, and a beta API, is to be decided.