net: support DNS-over-HTTPS #27552
Comments
I'd imagine that it would be best to first implement this outside the standard library, much like how HTTP2 was first implemented in I also wonder if #12503 would be a requirement for this, to be able to swap between different resolvers. I am also personally a bit confused by DNS over TLS versus DNS over HTTPS. Do we want to support both? If not, which one should we prefer and why?
I think much of #16218 is in https://godoc.org/golang.org/x/net/dns/dnsmessage DNS over TLS is a different protocol. The trick with DNS over TLS is that it requires a new port to be opened up in people's firewalls. Chrome experimented with deploying HTTP/2 and SPDY on ports other than HTTPS's 443 and found out that for a large percentage of their user base, they couldn't make connections out over those other ports. For the same reason, tunneling over 443 and reaping the benefits of solid HTTP (especially HTTP/2) clients with DNS over HTTPS has been taking the mindshare.
I've been playing with a toy cli-client that uses
@mvdan DNS over TLS is already supported with a trivial amount of code: https://github.com/artyom/dot/blob/master/dot.go
As a side note, another DoH client and server implementation in Go is also available at https://godoc.org/github.com/shuLhan/share/lib/dns.
These are a hack based on ideas expressed in #24796, but I'll share them anyway:
The DoH resolver takes advantage of Go's HTTP machinery to resolve issues like #23866. OTOH (and IMO) any serious DoH/DoT implementation needs to consider caching. Neither will benefit from any local resolver cache. Also needing consideration is how the resolver is configured. DoH requires specifying a URI template, DoT a server name for certificate verification. Go's
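The mechanism the comments above describe, as an added example that is not code from this issue or from Go's net package: a minimal RFC 8484 client written against the standard library only. It encodes an A query in DNS wire format, POSTs it as application/dns-message to a DoH endpoint (so the DNS traffic rides on port 443, the point of the earlier comment about firewalls), validates and parses the answer, and returns the smallest answer TTL so that the caller can do the caching the previous comment says any serious implementation needs. The endpoint URL is a placeholder the caller supplies; the parser handles only A records and follows compression pointers only to skip names.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

const dnsMessageType = "application/dns-message" // RFC 8484 media type for wire-format DNS

// BuildAQuery encodes a one-question A/IN query with RD set. The transaction id is 0,
// as RFC 8484 recommends, so that HTTP caches can match identical queries.
func BuildAQuery(name string) ([]byte, error) {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, []uint16{0, 0x0100, 1, 0, 0, 0}) // id, flags, qd, an, ns, ar
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label %q in %q", label, name)
		}
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.WriteByte(0)                                     // root label ends the name
	binary.Write(&b, binary.BigEndian, []uint16{1, 1}) // QTYPE A, QCLASS IN
	return b.Bytes(), nil
}

// skipName returns the offset just past the name at off; a compression pointer is 2 bytes.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		switch l := int(msg[off]); {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0:
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// ParseAResponse validates the header and returns the answer section's A records with
// the smallest TTL among them, which is how long a resolver-side cache may keep them.
func ParseAResponse(msg []byte) (ips []net.IP, ttl uint32, err error) {
	if len(msg) < 12 || msg[2]&0x80 == 0 || msg[3]&0x0F != 0 { // full header, QR=1, RCODE=0
		return nil, 0, errors.New("short message, QR bit clear, or non-zero RCODE")
	}
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	off, ttl := 12, ^uint32(0)
	for i := 0; i < qd+an; i++ {
		if off, err = skipName(msg, off); err != nil {
			return nil, 0, err
		}
		if i < qd { // echoed question: only QTYPE and QCLASS follow the name
			off += 4
			continue
		}
		if off+10 > len(msg) || off+10+int(binary.BigEndian.Uint16(msg[off+8:])) > len(msg) {
			return nil, 0, errors.New("truncated resource record")
		}
		typ, rdlen := binary.BigEndian.Uint16(msg[off:]), int(binary.BigEndian.Uint16(msg[off+8:]))
		if typ == 1 && rdlen == 4 { // A record: one IPv4 address
			ips = append(ips, net.IPv4(msg[off+10], msg[off+11], msg[off+12], msg[off+13]))
			if t := binary.BigEndian.Uint32(msg[off+4:]); t < ttl {
				ttl = t
			}
		}
		off += 10 + rdlen
	}
	if ips == nil {
		return nil, 0, errors.New("no A records in answer section")
	}
	return ips, ttl, nil
}

// LookupA POSTs the wire-format query to endpoint, the DoH server's resolved URI template
// (a placeholder such as "https://doh.example/dns-query"), and returns the addresses plus the TTL.
func LookupA(client *http.Client, endpoint, name string) ([]net.IP, uint32, error) {
	q, err := BuildAQuery(name)
	if err != nil {
		return nil, 0, err
	}
	resp, err := client.Post(endpoint, dnsMessageType, bytes.NewReader(q))
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 65535)) // a DNS message is at most 64 KiB
	if err != nil || resp.StatusCode != http.StatusOK {
		return nil, 0, fmt.Errorf("DoH POST failed: status %d, read error %v", resp.StatusCode, err)
	}
	return ParseAResponse(body)
}
```

With the transaction id pinned to 0, request/response matching comes from the HTTPS connection rather than from the DNS id, and server authentication comes from the standard TLS client's certificate verification of the endpoint's host, which is the DoH counterpart of the server name a DoT configuration needs. A production client would additionally send an Accept: application/dns-message header and carry a context by building the request with http.NewRequestWithContext, and would cache answers for no longer than the returned TTL.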
DNS-over-HTTPS is an evolution of DNS that allows us to secure the stream of DNS requests from a system or user in the same way we secure HTTP traffic with TLS. As of Sept 2018, it's currently deployed in two of the major browsers (Mozilla[1], Chrome) and 2 major service owners (Cloudflare[2], Google[3]) and has the backing of a lot of folks in the field as what we need to fix DNS.
There are a few Go implementations[4] already on GitHub, but those require buy-in and awareness to be used. Having it baked into the Go standard library would be an incredible boon in securing our systems and users.
[1] https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
[2] https://developers.cloudflare.com/1.1.1.1/dns-over-https/
[3] https://developers.google.com/speed/public-dns/docs/dns-over-https
[4] e.g. coredns/coredns#1619