SIDN Labs' experimental DoH server
New system helps us keep abreast of how the DoH standard is developing. Give it a try!
DNS privacy – and DNS-over-HTTPS (DoH) in particular – are topics that the SIDN Labs team has written about before. DoH is a relatively new standard for encrypted DNS communication, which has been the focus of considerable community attention in recent years. Although the technology is contentious, development has been rapid, with more and more public DoH services coming on line around the world. Some of the first public services were provided by tech giants such as Google and CloudFlare, prompting further discussion about 'centralisation of the internet’. Existing DNS service providers, including NextDNS, have been adding DoH services to their portfolios as well. And the list of services continues to grow. A few ISPs, XS4ALL included, now offer DoH in their closed customer environments. There's also been action here at SIDN Labs, where we have our own experimental DoH server running. We're doing a lot of testing with it ourselves, and the wider internet community is invited to make use of it as well. So we thought it would be useful to provide some additional information by way of this blog.
With DoH, DNS queries aren't sent over the network in the form of readable UDP messages, as in conventional DNS traffic. Instead, TLS-encrypted requests are sent using the HTTP protocol (i.e. as TCP messages). However, the technology has both pros and cons, so opinion about DoH is divided. On the one hand, encryption means that messages are private and that falsification by malicious hackers is less likely. On the other hand, it's argued that DoH could actually undermine privacy, because HTTP lends itself to tracking based on cookies and other forms of fingerprinting. The fact that it's harder for a firewall to block DoH traffic is an advantage in some people's eyes, but a worrying feature for others. Criticasters prefer alternatives such as DNS-over-TLS (DoT) and DNScrypt. However, there's debate about the performance of the alternatives too. Claim and counterclaim abound as to which is fastest, most reliable and most scalable. One thing is nevertheless certain: development is relentless, especially where DoH is concerned.
DoH in the wild
The DoH standard has developed quite quickly. It all started with Edward Snowden's disclosures, which triggered a wave of 'privacy awareness'. Against that backdrop, the privacy of the DNS came under scrutiny. Among those embracing the new vision of privacy were several major internet companies, including Mozilla and Google, who added DoH functionality to their Firefox and Chrome browsers. The unconventional move prompted debate, because the DNS had traditionally been the province of the operating system. The assumption of DNS responsibility by individual applications has major implications for system management and fault detection. Nevertheless, the two browser providers decided to press ahead. Initially, Mozilla was the standout driver of change, but others have since come to the fore.
DoH is now available in Google’s Chrome, will soon be added to Microsoft Windows, and is experimentally supported by the Opera browser, to give just a few examples. Various producers of leading open-source software, including PowerDNS and Unbound, offer or are working on their own DoH implementations as well. On GitHub too, good-quality open-source DoH software is increasingly easy to find.
SIDN Labs' experimental DoH server
Although there are now many public DoH resolvers out there, we couldn't find any that also performed user authentication, which we felt was a valuable feature. Partly for that reason, we decided to set up our own. On our experimental DoH-server, we opted to use GitHub software, which is written in the Go programming language: https://github.com/m13253/dns-over-https The server was set up to run in combination with an Apache web server: https://doh.sidnlabs.nl/dns-query (NB: the server requires a user name and password.) We're using the test system to study how an authenticating DoH server interacts with browsers. We're also using the associated DoH client – which is easy to install – to investigate the implications of, for example, addressing the server from a train or hotel Wi-Fi network, where there is a 'captive portal' arrangement. So having our own experimental server is enabling us to keep abreast of the DoH standard's development.
Give it a try!
If you fancy having a go with our experimental DoH server, you'll find our terms and conditions, plus advice on setting up at https://doh.sidnlabs.nl/about/. We'd love to hear how you get on!