Opened 14 months ago
Last modified 4 months ago
#2201 reopened enhancement
Use DNS over HTTPS for Reseed and NTP lookups
| Reported by: | zzz | Owned by: | zzz |
|---|---|---|---|
| Priority: | minor | Milestone: | eventually |
| Component: | router/general | Version: | 0.9.33 |
| Keywords: | Cc: | ||
| Parent Tickets: |
Description
Proposal 141 http://i2p-projekt.i2p/spec/proposals/141-deprecate-hostnames-in-addresses eliminated DNS lookups for routers, but we still have DNS lookups for NTP and reseeding.
https://en.wikipedia.org/wiki/DNS_over_HTTPS
https://developers.google.com/speed/public-dns/docs/dns-over-https
https://developers.cloudflare.com/1.1.1.1/dns-over-https/
Will need to decide whether to use Cloudflare, Google, or both, and fallback to regular Java-backed lookup.
Subtickets (add)
Change History (8)
comment:1 Changed 14 months ago by zzz
- Owner set to zzz
- Status changed from new to accepted
comment:2 Changed 14 months ago by zzz
Integrated into NTP and to SSLEepGet for Reseed, tested and working. Not checked in anywhere, I will stick it in a branch if anyone would like to test.
DNS over TLS is an alternative, but much harder as it's native DNS format.
Policy-wise, for now, it randomly chooses Google or Cloudflare. Cloudflare seems to have a better privacy policy, but Google supports the EDNS parameter.
comment:3 Changed 14 months ago by zzz
Also - while the claims are that Cloudflare is super-fast, that's for regular DNS. DoH via Java is about 250-500 ms for a response, probably 10x slower than DNS. Probably doesn't matter for reseeding or NTP.
comment:4 Changed 13 months ago by backup
Great idea, DoH looks good, even is it's still experimental and we have only a few providers.
Please check if we can use quad9.net too - I read about it here the first time and it sounds solid:
https://www.heise.de/newsticker/meldung/Quad9-Datenschutzfreundliche-Alternative-zum-Google-DNS-3890741.html
It is possible to have an extra info line in the log for the reseed request about the used DNS?
Trying DNSoverHTTPS provider xyz...
Fallback to plain DNS ...
Thanks very much!
comment:5 Changed 13 months ago by zzz
- Milestone changed from 0.9.37 to 0.9.35
- Resolution set to fixed
- Status changed from accepted to closed
In 2a566f739bc02365a0c5af3b53c19202bb2c454e 0.9.34-4
enabled for testing for now, will decide before release.
comment:6 Changed 13 months ago by Reportage
If this is implemented, a configurable list of providers would be useful, as would the option to turn this off. As an alternative, DNS over Tor is another method to secure DNS lookups, either through the Orchid plugin (if supported), or natively over Tor via the DNSPort directive (which might be more compelling if native Tor is supported by default).
comment:7 Changed 12 months ago by zzz
- Milestone changed from 0.9.35 to 0.9.36
- Resolution fixed deleted
- Status changed from closed to reopened
- At least one commenter in IRC does trust their ISP more than Cloudflare/Google?, if only due to 'incompetence'
- Tor says they want 200 providers minimum before using it. I don't know what our minimum is but it's probably more than 2.
Changed to disabled by default in 16d4dfaa9d6ec6559a91f2d80b566f2514e31b0a to be 0.9.34-12
Reenable with eepget.useDNSOverHTTPS=true and time.useDNSOverHTTPS=true
Reopening ticket to change the default back to enabled again after more providers appear, and to address the requests in comments 4 and 6 above.
comment:8 Changed 4 months ago by zzz
- Milestone changed from 0.9.36 to eventually
Implemented and tested as a CLI tool. Not integrated into NTP/Reseed yet. Whether to enable and rely on those two sites, and a beta API, is to be decided.