Hosting a DoH resolver

I know that we are not doing new services right now, but the Password Manager thread inspired me to start a thread on this, to find out if this is something folks are interested in doing.

DNS over HTTPS is a newish protocol that is now supported by Chrome and Firefox. Instead of using traditional unencrypted DNS queries, domain lookups are wrapped in the same encryption as encrypted web traffic itself.

In one sense it could be a privacy win because it stops casual snooping of DNS queries which are not encrypted.

But the way that it has been rolled out is a privacy issue, because everything is getting centralized into Cloudflare and Google, meaning the queries are safe against casual observers, but available to those companies.

What if we ran a DoH resolver, and didn’t log people’s queries? And then encouraged our members to use it?

It seems like a service that we can actually claw back from Google that would be a painless switch for our members, just instructions on how to set and forget.

It would also be another public server, like our name servers or our SKS key server, because I’m not sure you can limit it.

I will admit to not having looked into how to do this, but I would be happy to look into it, if folks are interested in us doing this. I just didn’t want to go that far down that rabbit hole before floating this idea.

I like the idea of denying big tech information. I’ve enabled DNS over HTTPS, but didn’t realize it circled back to Cloudflare and/or Google.

A list of DoH resolvers can be found here: https://www.privacytools.io/providers/dns/

I’ve used the LibreDNS option for over a year. Not aware of any issues. I prefer locations outside the US for these sorts of services.

@nat This certainly sounds like something some of our members would be happy to use including myself. I suspect it might be difficult to convince the majority of them to care and configure this so it doesn’t feel like a priority compared to other work but I don’t think that means it’s not worth exploring.
Some initial questions:

  • Is this something we can think through slowly?
  • Can it run isolated from the rest of our network?
  • What does it need to be stable and resilient?
  • Where does it need to be located to deal with issues of latency?

I agree that not many members know about DoH, or the privacy impact of (coming) browser defaults. However, I think that because it is such a simple change to make, it makes for one more thing we can give folks who are interested in decreasing their Google reliance.

I think we can take as long as we want to discuss this.

Running DoH resolvers is something I’ve wanted to figure out since I learned about DoH. I like the idea of encrypted DNS for web browsing, and the idea of trusting us over Google or Cloudflare even more. I think it could be a useful member (or public?) service.

I also want us to do it because I’d prefer to not learn this stuff alone.

I have only just started digging into the details of this, and I’m all for doing it the slow thoughtful way. The topic broadens as you start reading about it.

Yes. Broadly speaking it is just a web server in front of a DNS resolver.

The only implementation I’ve looked at is an open source (MIT License) project called doh-server, written in Rust. The developer builds and distributes a Debian package. There may be other options out there, but this was the first one I found, I haven’t tested it.

The doh-server repo has a really thorough README which documents a number of different ways you can set up and configure it. We would probably want to weigh pros and cons of each approach.

That’s a good question, and we’ll need some idea of the answer before we decide to host this long term.

I’m sure the answer is heavily dependent on how we decide to set it up. For instance, the documentation recommends running both DNSCrypt and DoH. The developer also has a project for doing that, which integrates with doh-server.

I’m curious about that too. Relatedly how hard it would be to replicate instances if we want to do it in several places.

There is no reason it has to. Certainly that isn’t inherent to the protocol.

The reason it ends up back at those big two is because of the defaults that are set in browsers. Cloudflare buys the default in Firefox, and Google sets it for itself in Chrome (no surprise there).

I’ve read Cloudflare’s privacy policy, and it seems like they only use “anonymized”[1] information to feed their own machine learning of DDoS protection and malware detection. That much insight into DNS queries is really valuable for that. They also hold the anonymized data only for 24 hours. In fairness they seem better than Google on this.

That said, I would rather trust us with this data.

I get that sentiment… but if we aren’t logging queries, I’m not convinced there is that much risk to running it in the US versus anywhere else. And moving it out of the US would put it farther away from most of the membership, which could make it feel slower.

Again, there could be something I’m not thinking of, but I’m pretty sure there’s nothing to be learned if we’re not logging.

[1] I use scare quotes because I’m skeptical of how well anonymized things are.
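The thread describes DoH as "just a web server in front of a DNS resolver". The following is an added example (not code from this thread or from the doh-server project) that makes that concrete at the wire level, following RFC 8484: a client builds an ordinary DNS query, carries it either base64url-encoded in a GET URL or as a POST body with the `application/dns-message` media type, and the resolver side decodes it back into the same DNS message. It runs entirely offline: the resolver hostname `doh.example.invalid` is a placeholder, and the answer it parses is a constructed response using the 192.0.2.0/24 documentation range, not a real lookup. The GET encoding and the answer parser (including DNS name compression pointers) are general, so they work for any name and any A-record response, not only the one built here.

```python
"""Minimal RFC 8484 (DNS over HTTPS) message handling.

Added example, not code from the thread or from the doh-server project.
Shows that DoH is ordinary DNS wire format carried over HTTPS: the client
builds a normal DNS query, then either base64url-encodes it into a GET
URL or POSTs it with Content-Type application/dns-message. The resolver
decodes the same bytes and hands them to a plain DNS resolver.
"""
import base64
import struct
from typing import List, Tuple

DOH_PATH = "/dns-query"                 # path used in the RFC 8484 examples
DOH_MEDIA_TYPE = "application/dns-message"
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Build a DNS query. RFC 8484 recommends ID 0 so that identical questions
    produce identical URLs and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url.rstrip('/')}{DOH_PATH}?dns={enc}"


def doh_post_request(query: bytes) -> Tuple[dict, bytes]:
    """POST form: the raw wire-format query is the body, with the DoH media type."""
    return {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE}, query


def decode_get_url(url: str) -> bytes:
    """Resolver side of the GET form: restore padding and decode the DNS message."""
    enc = url.split("dns=", 1)[1].split("&", 1)[0]
    enc += "=" * (-len(enc) % 4)
    return base64.urlsafe_b64decode(enc)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for every A record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                      # non-zero RCODE means a DNS error
        raise ValueError(f"DNS error RCODE={flags & 0xF}")
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                            # qtype + qclass
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            out.append((name, ttl, ".".join(str(b) for b in rdata)))
    return out


def constructed_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed sample answer to `query` (not a real lookup): QR/RD/RA set,
    one A record whose owner name is a pointer back to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    url = doh_get_url("https://doh.example.invalid", q)   # placeholder resolver host
    print(url)
    print(decode_get_url(url) == q)                         # resolver recovers the query
    print(parse_a_records(constructed_response(q, "192.0.2.1")))
```

The point for a resolver operator is that everything privacy-relevant is visible at the `decode_get_url` step: the HTTPS layer hides the query from the network, but the resolver holds the plaintext DNS message, so whether queries are logged is purely a choice made there.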