
DNS encryption #875

Merged
merged 1 commit into from
Apr 25, 2018

Conversation

jackivanov
Collaborator

@jackivanov jackivanov commented Apr 17, 2018

  • dnscrypt-proxy service for supported *BSDs and Ubuntu.
  • AppArmor policies and cgroups limits
  • CloudFlare DNS over HTTPS enabled by default for all installations
  • Fixes DNS over HTTPS #871

@jackivanov jackivanov changed the title Dingo Implementation. DNS-over-HTTPS WIP: Dingo Implementation. DNS-over-HTTPS Apr 17, 2018
@jackivanov jackivanov force-pushed the dns_over_https branch 4 times, most recently from 1318f23 to 05be6da on April 18, 2018 14:24
@jackivanov jackivanov changed the title WIP: Dingo Implementation. DNS-over-HTTPS Dingo Implementation. DNS-over-HTTPS Apr 18, 2018
@jackivanov jackivanov requested a review from dguido April 18, 2018 15:46
@@ -7,13 +7,13 @@
owner: root
group: root
mode: 0600
when: apparmor_enabled is defined and apparmor_enabled == true
when: apparmor_enabled|default(flase)|bool == true
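Review bot: `flase` in `default(flase)` on the new `when:` line is a typo for `false`; as written it is a reference to an undefined variable named `flase`, not the boolean literal, so Ansible will raise an undefined-variable error when it evaluates the condition instead of defaulting AppArmor handling to disabled. Suggest `when: apparmor_enabled|default(false)|bool`; the trailing `== true` is redundant once the value has passed through `|bool`.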

false, same comment below

@@ -12,7 +12,7 @@

- name: Ubuntu | Enforcing ipsec with apparmor
shell: aa-enforce "{{ item }}"
when: apparmor_enabled is defined and apparmor_enabled == true
when: apparmor_enabled|default(flase)|bool == true
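Review bot: same `flase` typo in the `default()` argument on this `when:` line; it needs to be `false` for the aa-enforce task to be skipped cleanly when `apparmor_enabled` is unset. Minor style point on the same task: `aa-enforce "{{ item }}"` uses no shell features, so `command:` would do instead of `shell:` and avoids a shell interpreting the item value.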

false

@dguido
Member

dguido commented Apr 23, 2018

Let's put this in the default configuration, rather than behind the ad blocking role.

I assume that many users may want to change between Google and Cloudflare for DNS-over-HTTPS. Is the setting for that exposed in config.cfg?

@dguido
Member

dguido commented Apr 23, 2018

You know what, let's switch the default to Cloudflare DNS. Cloudflare deletes a larger amount of data from their logs than Google does:

Compare:

@jackivanov
Collaborator Author

Let's put this in the default configuration, rather than behind the ad blocking role.

Do you mean without the Y/n prompt?

The ad blocking role does not affect the dns_over_https one. They can be enabled separately or both at the same time. If both are enabled, dnsmasq will be blocking ads and forwarding requests to Dingo.

@jackivanov jackivanov changed the title Dingo Implementation. DNS-over-HTTPS DNS-over-HTTPS Apr 24, 2018
@dguido
Member

dguido commented Apr 24, 2018

Yes, skip the y/n prompt. Let’s make this the default for everyone.

@jackivanov jackivanov changed the title DNS-over-HTTPS DNS encription Apr 24, 2018
@jackivanov jackivanov changed the title DNS encription DNS encryption Apr 24, 2018
@dguido
Member

dguido commented Apr 24, 2018

What does Unbound do? Do we need it or can we just use Dingo?

@jackivanov
Collaborator Author

jackivanov commented Apr 24, 2018

@dguido Unbound is for CloudFlare. Dingo doesn't support CloudFlare. We can't use Unbound for Google, because GoogleDNS doesn't provide TLS support, only an HTTPS API.
We can get rid of GoogleDNS altogether and therefore get rid of Dingo, or wait until Dingo has support for CloudFlare and get rid of Unbound.

@ghost

ghost commented Apr 24, 2018

If Cloudflare only would be an option, cloudflared (argo-tunnel) for DNS-over-HTTPS would be easy to integrate with dnsmasq.

https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/

@jackivanov
Collaborator Author

@beachfork Any benefits compared to Unbound? I don't see a binary for *BSDs

@ghost

ghost commented Apr 24, 2018

Oh you're right, there's no *BSDs support for now. As far as I know there is DNS-over-TLS and DNS-over-HTTPS (DoH), cloudflared is for DoH. The Unbound method will get you DNS-over-TLS.

@jackivanov
Collaborator Author

jackivanov commented Apr 24, 2018

Right. I'd prefer DNS-over-TLS. At least it's RFCed. And it should be faster in theory

@ghost

ghost commented Apr 24, 2018

From benchmarks over the internet DNS-over-TLS seems to be faster! So you're right, Unbound is the universal route.

@dguido
Member

dguido commented Apr 24, 2018

Performance should be similar between HTTPS and TLS for our setup. The AlgoVPN server is doing the lookup, and it will do it from a VPS datacenter over a fast, wired connection. I think it's fine to support only DNS-over-HTTPS.

There is a draft RFC. It requires HTTP2 with strict cipher suites, so it's pretty good. https://www.ietf.org/id/draft-ietf-doh-dns-over-https-07.txt

Let's ditch the Unbound client. I am concerned that it adds too much complexity and it's another random pile of C that we have to stay concerned about. I'm much happier with a simple Go binary with Dingo.

@dguido
Member

dguido commented Apr 24, 2018

Damn it. I just noticed that Dingo may have trouble with Cloudflare DNS. Let's use dnscrypt-proxy instead: https://github.com/jedisct1/dnscrypt-proxy

@jackivanov jackivanov force-pushed the dns_over_https branch 3 times, most recently from 773256d to afe35dd on April 24, 2018 16:08
@ndtob

This comment has been minimized.

@dguido
Member

dguido commented Apr 25, 2018

Stubby uses getdns, which is written in C. I’d like to avoid that, especially for a protocol like DNS with complex parsing required. Dnscrypt-proxy and DNS over HTTPS is what we’re doing! Final answer.

@jackivanov jackivanov force-pushed the dns_over_https branch 3 times, most recently from f3dd1ed to b55fb4f on April 25, 2018 16:18
@dguido
Member

dguido commented Apr 25, 2018

Niceeee. Let me know when this is ready for review! I'll deploy it and test it.

@jackivanov
Collaborator Author

@dguido It's ready. You can test it

@dguido dguido merged commit c82bd8c into master Apr 25, 2018
@trailofbits trailofbits deleted a comment from jackivanov Apr 26, 2018
@jackivanov jackivanov deleted the dns_over_https branch April 26, 2018 10:40
eyecat pushed a commit to eyecat/algo that referenced this pull request Oct 23, 2018
faf0 pushed a commit to faf0/algo that referenced this pull request Dec 13, 2018