
Add new DoH resolver #27

Merged: 2 commits merged into DNSCrypt:master, Jun 14, 2018

Conversation

Belphemur (Contributor) commented May 27, 2018

Btw, I couldn't add the hashes for the Let's Encrypt certificate.

I tried with the different Roots of Let's Encrypt without success.

Belphemur (Contributor, Author) commented Jun 11, 2018

Ping?

publicarray (Member) commented Jun 13, 2018

@jedisct1 would you mind looking at the PR? Looks good to me.

@Belphemur I've never set up a PiHole, so forgive my ignorance, but isn't the PiHole logging the number of blocked requests as well as top users by IP address, and doesn't it have a full query log? And can this be turned off?

Edit: Is the PiHole web server meant to be open to the internet? http://dns.aaflalo.me/

Belphemur (Contributor, Author) commented Jun 14, 2018

By default it does, but you can disable it in a single click in the interface.
Moreover, when using DoH all the requests are coming from localhost.

I also disable the log for the Nginx that is providing the HTTPS part of DoH.

@jedisct1 jedisct1 merged commit 542c296 into DNSCrypt:master Jun 14, 2018
jedisct1 (Collaborator) commented Jun 14, 2018

I'm awfully sorry for the delay :(

Your resolver has been added.

In order to show the certificate hashes, set the SHOW_CERTS environment variable:

[2018-06-14 18:58:43] [INFO] [aaflalo-me] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
[2018-06-14 18:58:43] [INFO] Advertised cert: [CN=dns.aaflalo.me] [0e32b8630dd470bc38e665603ea38a8071ed13d6beb893e0237b2ffe08285e14]
[2018-06-14 18:58:43] [INFO] Advertised cert: [CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US] [3e1a1a0f6c53f3e97a492d57084b5b9807059ee057ab1505876fd83fda3db838]

jedisct1 (Collaborator) commented Jun 14, 2018

Thanks again, @Belphemur!

Belphemur (Contributor, Author) commented Jun 14, 2018

@jedisct1 Thanks for taking the time to merge it :)

@publicarray Yep, it's normal: the basic idea of PiHole is to change the DNS record of the blocked domain to the IP of the server. The server will give back a specific page hosted by the server if accessed using HTTP (it will of course fail for HTTPS).

jedisct1 (Collaborator) commented Jun 14, 2018

> the basic idea of PiHole is to change the DNS record of the blocked domain to the IP of the server.

This is how OpenDNS made it in order to make money by displaying ads, at a time when HTTPS wasn't widely deployed. But I don't think this is a good idea in all other contexts. Especially not in 2018.

This is lying, returning a fake IP. It breaks DNSSEC. Downstream resolvers may cache it. Applications will still consider the lookup successful (RBL lists...).

And as HTTP (not S) websites are disappearing, users see security warnings that don't make any sense.

DNS defines a REFUSED return code. It's been there since the protocol was created.

If accessing something is refused, no matter what the reason is, that standard return code should be used instead of pretending nothing happened and returning a lie.

@Belphemur Belphemur deleted the patch-1 branch Jun 14, 2018
Belphemur (Contributor, Author) commented Jun 14, 2018

@jedisct1 I completely agree.

They only added the possibility to send a REFUSED answer in the latest dev version (FTLDNS, their own fork of dnsmasq).

I'm waiting for it to be a little bit more stable (last time I tried, the DNS server crashed) to use it because I agree, this is how it should be.

Edit: it seems to be more stable now; I've enabled it to return NXDOMAIN for blocked domains.
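The three ways a blocking resolver can answer for a blocked name, as jedisct1 contrasts them above (a forged IP versus the REFUSED return code) and as the NXDOMAIN switch in the comment just before, shown as an added Python example that is not code from dnscrypt-proxy, Pi-hole or this PR. It assembles minimal DNS wire-format messages by hand (the query name ads.example, the sinkhole address 192.0.2.10 and the transaction id are constructed sample values) and reports what a stub resolver would conclude from each response: the sinkhole answer is indistinguishable from a successful lookup, while NXDOMAIN and REFUSED carry an honest RCODE and no forged data.

```python
import struct
import ipaddress

# RCODE values defined in RFC 1035 (REFUSED has been part of the protocol from the start)
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name in DNS label format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_name(msg, offset):
    """Decode a label sequence at offset, following one compression pointer if present."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid, name, qtype=1):
    """A recursive query for name (QTYPE 1 = A, QCLASS 1 = IN) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, answer_ip=None):
    """Answer query with the given RCODE; optionally attach a forged A record (sinkhole)."""
    txid, qflags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]
    # QR=1, copy RD from the query, RA=1, low four bits carry the RCODE
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | (rcode & 0xF)
    answer = b""
    ancount = 0
    if answer_ip is not None:
        rdata = ipaddress.IPv4Address(answer_ip).packed
        # owner name is a pointer to offset 12 (the question name); type A, class IN, TTL 60
        answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0) + question + answer


def describe(resp):
    """What a stub resolver concludes from a response: RCODE, answer IPs, apparent success."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0xF
    qname, offset = parse_name(resp, 12)
    offset += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = parse_name(resp, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return {
        "qname": qname,
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "ips": ips,
        # applications (including RBL-style lookups) treat NOERROR plus data as a hit
        "lookup_succeeded": rcode == RCODE_NOERROR and bool(ips),
    }


def block_strategies(name, sinkhole_ip="192.0.2.10"):
    """The same blocked query answered three ways; the sinkhole IP is a constructed sample."""
    query = build_query(0x1234, name)
    return {
        "sinkhole": describe(build_response(query, RCODE_NOERROR, sinkhole_ip)),
        "nxdomain": describe(build_response(query, RCODE_NXDOMAIN)),
        "refused": describe(build_response(query, RCODE_REFUSED)),
    }


if __name__ == "__main__":
    for strategy, view in block_strategies("ads.example").items():
        print(f"{strategy:9} rcode={view['rcode']:8} ips={view['ips']} "
              f"looks like success: {view['lookup_succeeded']}")
```

Only the sinkhole row reports a successful lookup, which is exactly the problem raised above: the client cannot tell a forged 192.0.2.10 from a real answer, so it will cache it, try to connect to it, and (for an HTTPS site) hit a certificate warning that has nothing to do with the real cause. NXDOMAIN and REFUSED both leave the application with an honest failure it can act on.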

publicarray (Member) commented Jun 18, 2018

@Belphemur Thanks for your explanation and the server. Yes, I also agree with NXDOMAIN/REFUSED answers 👍

@DNSCrypt DNSCrypt locked and limited conversation to collaborators Jul 14, 2018