Opened 3 years ago

Closed 4 months ago

#2201 closed enhancement (fixed)

Use DNS over HTTPS for Reseed and NTP lookups

Reported by: zzz Owned by: zzz
Priority: minor Milestone: 0.9.50
Component: router/general Version: 0.9.33
Keywords: Cc:
Parent Tickets: Sensitive: no


Proposal 141 http://i2p-projekt.i2p/spec/proposals/141-deprecate-hostnames-in-addresses eliminated DNS lookups for routers, but we still have DNS lookups for NTP and reseeding.

Will need to decide whether to use Cloudflare, Google, or both, and fallback to regular Java-backed lookup.


Change History (14)

comment:1 Changed 3 years ago by zzz

Owner: set to zzz
Status: new → accepted

Implemented and tested as a CLI tool. Not integrated into NTP/Reseed yet. Whether to enable and rely on those two sites, and a beta API, is to be decided.

comment:2 Changed 3 years ago by zzz

Integrated into NTP and to SSLEepGet for Reseed, tested and working. Not checked in anywhere, I will stick it in a branch if anyone would like to test.

DNS over TLS is an alternative, but much harder as it's native DNS format.

Policy-wise, for now, it randomly chooses Google or Cloudflare. Cloudflare seems to have a better privacy policy, but Google supports the EDNS parameter.

comment:3 Changed 3 years ago by zzz

Also - while the claims are that Cloudflare is super-fast, that's for regular DNS. DoH via Java is about 250-500 ms for a response, probably 10x slower than DNS. Probably doesn't matter for reseeding or NTP.

comment:4 Changed 3 years ago by backup

Great idea, DoH looks good, even if it's still experimental and we have only a few providers.

Please check if we can use too - I read about it here the first time and it sounds solid:

Is it possible to have an extra info line in the log for the reseed request about the used DNS?

Trying DNSoverHTTPS provider xyz…
Fallback to plain DNS …

Thanks very much!

comment:5 Changed 3 years ago by zzz

Milestone: 0.9.37 → 0.9.35
Resolution: fixed
Status: accepted → closed

In 2a566f739bc02365a0c5af3b53c19202bb2c454e 0.9.34-4
enabled for testing for now, will decide before release.

comment:6 Changed 3 years ago by Reportage

If this is implemented, a configurable list of providers would be useful, as would the option to turn this off. As an alternative, DNS over Tor is another method to secure DNS lookups, either through the Orchid plugin (if supported), or natively over Tor via the DNSPort directive (which might be more compelling if native Tor is supported by default).

comment:7 Changed 3 years ago by zzz

Milestone: 0.9.35 → 0.9.36
Resolution: fixed
Status: closed → reopened

  • At least one commenter in IRC does trust their ISP more than Cloudflare/Google, if only due to 'incompetence'
  • Tor says they want 200 providers minimum before using it. I don't know what our minimum is but it's probably more than 2.

Changed to disabled by default in 16d4dfaa9d6ec6559a91f2d80b566f2514e31b0a to be 0.9.34-12
Reenable with eepget.useDNSOverHTTPS=true and time.useDNSOverHTTPS=true
Reopening ticket to change the default back to enabled again after more providers appear, and to address the requests in comments 4 and 6 above.

comment:8 Changed 3 years ago by zzz

Milestone: 0.9.36 → eventually

comment:9 Changed 2 years ago by zzz

Sensitive: unset

In 4e1fd263e8c21cebaff9259df3f2bc0f14b92717 to be 0.9.42-3:

  • Fix SAN verification for IPv6 hostnames
  • Add Quad9 DoH servers
  • Change Google DoH server hostname

comment:10 Changed 2 years ago by zzz

list of other servers:

Note that we only support the older JSON flavor, not the new RFC 8484 flavor. We could switch to the RFC (raw DNS format) flavor, but that would take some effort; it would be almost a total rewrite.

comment:11 Changed 10 months ago by zzz

At this point it's pretty clear that the RFC 8484 variant has won. If we want a large number of candidate servers, we'll have to switch.

It would be prudent to use an existing library to parse the replies, as they can vary widely. The 'core' portion of this library looks like a good candidate:

Public lists of servers:
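To make the difference between the JSON flavor and the RFC 8484 "raw DNS format" flavor concrete (comments 10 and 11), here is an added example that is not I2P's code and not minidns: it builds a wire-format query, forms the RFC 8484 GET URL, and parses a constructed response, including the name-compression pointers and header checks that make hand-written parsers fragile. The resolver URL https://dns.example/dns-query, the name example.net and the sample response bytes are constructed for illustration.

```python
import base64
import struct

def build_query(hostname: str, qtype: int = 1, txid: int = 0) -> bytes:
    # RFC 1035 header, flags RD=1; RFC 8484 suggests ID 0 so GET responses cache well
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(base: str, query: bytes) -> str:
    # RFC 8484 GET form: the wire message goes base64url-encoded, unpadded, in ?dns=
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_name(msg: bytes, off: int) -> tuple:
    # Decode a possibly compressed name; return (name, offset just past the name)
    labels, end, hops = [], None, 0
    while msg[off] != 0:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: bits 11 + 14-bit offset
            end = end or off + 2
            off, hops = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, hops + 1
            if hops > 16:  # hostile pointer loops must not hang the parser
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
    return ".".join(labels), end or off + 1

def parse_a_records(msg: bytes, expected_txid: int) -> list:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x020F:
        raise ValueError("id mismatch, not a response, truncated, or RCODE != 0")
    off = 12
    for _ in range(qd):  # skip questions: name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    addrs = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

SAMPLE_RESPONSE = bytes.fromhex(  # constructed, not from a real resolver
    "1234 8180 0001 0002 0000 0000"             # id, QR|RD|RA, 1 question, 2 answers
    "07 6578616d706c65 03 6e6574 00 0001 0001"  # example.net, A, IN
    "c00c 0001 0001 0000012c 0004 c000020a"     # ptr->12, A, IN, TTL 300, 192.0.2.10
    "c00c 0001 0001 0000012c 0004 c000020b")    # ptr->12, A, IN, TTL 300, 192.0.2.11
```

A real client would POST the query with Content-Type application/dns-message or GET the URL above, then hand the body to parse_a_records with the same transaction id it sent.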

comment:12 Changed 9 months ago by zzz

Have it working with the minidns lib. We need about 200KB of classes from it (uncompressed), about 80KB compressed.

The EDNS0 aka ECS aka RFC 7871 issue will take some research.

comment:13 Changed 8 months ago by zzz

RFC 8484 support checked in shortly after the 0.9.48 release. SSLEepGet timeout issues still todo.

comment:14 Changed 4 months ago by zzz

Milestone: eventually → 0.9.50
Resolution: fixed
Status: reopened → closed

Timeout fix and other fixes checked in, enabled by default for SSLEepGet, to be 0.9.49-8.

Not going to enable it for NTP for now.
