Know-How: DNS over HTTPS - Any plans to add this?

Discussion in 'Questions & Answers (Q&A)' started by sptrov, Jun 1, 2018.


    sptrov New Member


    ItsFe Active Member

    As far as I know, DNS requests go through the VPN tunnel, which means they are already encrypted, so DoH is not needed.

    PP Werner Staff Member

    Hi. We've been revisiting encrypted DNS options lately.

    DNS-over-TLS seems simple enough. stunnel proxies on port 853 are rolling out to all VPN servers and should become available within the next days. The certificates are currently signed by our own private CA.

    DoT is already supported by general resolver software like unbound and knot-resolver, so you can encrypt all your system's DNS requests, not just those sent by the browser.

    Support for opportunistic privacy (i.e. trying TLS on port 853 first with plain DNS on port 53 as fallback) to nameservers provided by DHCP or OpenVPN isn't great yet but I'd expect it to improve eventually.
    Android Pie is apparently already implementing it.

    Trackstop has been amended to also intercept DoT requests and redirect them locally, if any filters are enabled.

    Here's an example configuration snippet for unbound with static addresses and no certificate validation (yet):

    server:
        ssl-upstream: yes   # use with unbound versions < 1.7, affects all upstream queries

    forward-zone:
        name: "."
        forward-first: no
        #forward-ssl-upstream: yes   # use with unbound versions >= 1.7
        # zurich2
        forward-addr: 2a01:4a0:3b::13@853
        # basel1
        forward-addr: 2a01:4a0:18::13@853

    DNS-over-HTTPS is another beast as it allows multiple different message formats and involves more parsers and experimental code. I don't know yet whether or when we might offer DoH.

    Now, is it at all useful to encrypt DNS requests from your computer to a resolver? Maybe.

    In most use-cases, the only plain DNS requests not sent through the VPN tunnel are those for the VPN server name. They don't leak much information because you're going to open a connection to the resolved address, anyway.
    Further requests are then sent through the tunnel and from there to a DNS resolver. Even if those requests were encrypted, the resolver still sends plaintext queries to the authoritative servers.

    Also, DNS is usually only a precursor to a connection. Wherever you connect to, the DNS request is probably easy to guess.
    Worse still, HTTPS might leak the hostname through SNI (although there is some talk in the IETF to obfuscate SNI in future TLS versions).
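Added example, not code from the post or from the provider: a minimal DNS-over-TLS client in Python using the RFC 7858 framing (2-byte length prefix, TLS on port 853) that validates the resolver certificate against a CA file, which is the check the unbound snippet above leaves out for now. `query_dot`, its `server`/`cafile` arguments and the sample response are assumptions; only `query_dot` needs network access, everything else runs offline against the constructed response.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Recursive DNS query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    return struct.pack("!H", len(msg)) + msg  # DoT reuses DNS-over-TCP framing: length prefix

def _skip_name(buf, pos):
    """Offset just past a domain name, handling compression pointers (0xC0xx)."""
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:
        pos += buf[pos] + 1
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp, txid):
    """IPv4 addresses from the answer section; [] on id mismatch or RCODE != 0."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F:
        return []
    addrs, pos = [], 12
    for _ in range(qd):                          # skip the echoed question(s)
        pos = _skip_name(resp, pos) + 4
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_dot(server, name, cafile, port=853):
    """One A query over TLS on port 853; cafile is the CA that signed the resolver cert."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and server name
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls, tls.makefile("rb") as rd:
        tls.sendall(frame(build_query(name)))
        (length,) = struct.unpack("!H", rd.read(2))
        return parse_a_records(rd.read(length), 0x1234)

# Constructed sample response (offline): id 0x1234, flags 0x8180 (QR/RD/RA), echoed question,
# one A answer whose name is a compression pointer to offset 12, TTL 300, address 192.0.2.1.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("example.invalid")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```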