Implement DNS over TLS #558
Add DNS over TLS functionality. Outstanding issues:
- TLS certificate is not checked (DNS still works with incorrect hostname)
- TLS hostname is hard-coded to Cloudflare's, when it should be different for the various DNS options
Next is to add the DoT hostname to the application state
Add logic to use DoT server. Entrypoint and UI need to be updated to support specifying the DoT server.
Implement some of the UI changes to support DoT.
Too much of a performance impact, declining the PR.
Remove handshake step for each call, so previous session is used.
Instead of storing a separate socket address for DoT, just use the existing dnsServers socket addresses. Added a flag, dotEnabled, that determines whether a TCP (with TLS) or UDP connection should be used.
Still experiencing performance issues. Closing again.
Realized new logic was tied into the flow incorrectly. Restructured, including removing the async call. Works as expected now. Going to perform some cleanup later.
Turns out the "performance issues" were caused by not tying the TCP connection into the main loop properly. That's been resolved.
4b83cd3 to 12e25f0
Simplified the class inheritance of ForwardRule, and added hostname check to TLS connection.
Should there be some indication in the UI that a DNS server is using DoT? Perhaps by having a small lock icon next to the display name in the DNS server list? As it is, once the DNS server is selected, there's no indication that Blokada is using DoT. I've just been visiting 1.1.1.1/help to confirm that DoT is being used. Thoughts?
When custom DNS is toggled off in the main UI, it instead turns off ad blocking, leaving the custom DNS enabled. Looks like this was due to a typo in some copy-pasted code. Resolved the typo; the DNS toggle now works as expected.
Remove an unneeded null check on originEnvelope. Fixed code style warnings in DnsProxy. Updated method signature of forwardTls to match forwardUdp. Also fixed a small issue with the DNS creation flow, so that empty TLS servers are accepted.
Create a separate flow for DoT server setup, with a new button for DoT servers
You could change the server-like icon that's used for all DNS-related settings and change it to a lock. Maybe in a different/inverted color.
Done. I left the existing server icon for most cases, but when a DoT server is selected (or listed in the DNS selection menu), it reuses the key-inside-a-shield icon. I put in a TODO, in case a new icon should be created. I noticed that the DoT server will only be used if adblocking and custom DNS are enabled, and the VPN is disabled. This is because the changes were only made to DnsProxy. When the Blokada VPN or DNS without adblocking are used, DnsProxy doesn't intercept the connections, so conventional DNS is used (see TunnelManagerFactory). Resolving these would be architectural decisions outside the scope of this PR (the design of the Google Play Store app for non-adblocking, and the design of the Blokada VPN for connecting to the VPN).
Conflicts: app/src/ui-blokada/kotlin/core/bits/ActiveDnsVB.kt
Is there anything else I should do for this PR?
Conflicts: app/src/ui-blokada/kotlin/core/Dns.kt
Whoops, I had missed that. I've merged in that branch.
Any progress here? :)
https://github.com/IngoZenz/personaldnsfilter has it implemented.
could that be used for blokada?
This change includes the v5 API changes, in this PR: #575 . Once that's merged in, this will be ready to go.
Obsolete, DOH has been implemented in the latest version of Blokada.
Not really. For instance my college's wifi blocks DoH but not DoT. They're not the same protocol at all
Implement DNS over TLS functionality. Add a field "dotEnabled" to the DNS configuration model (Dns and DnsChoice), and a step in the custom DNS creation logic to support adding the DNS server hostname (e.g. 1dot1dot1dot1.cloudflare-dns.com).
This resolves issue #198
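The forwarding path this PR describes (a TCP connection with TLS whose session is reused across queries, and the server certificate checked against the configured DoT hostname), written out as an added Kotlin example; this is not Blokada's DnsProxy code, and the class name DotForwarder, the timeouts and the 1.1.1.1:853 endpoint are assumptions.

```kotlin
import java.io.DataInputStream
import java.io.DataOutputStream
import java.net.InetSocketAddress
import javax.net.ssl.SNIHostName
import javax.net.ssl.SSLSocket
import javax.net.ssl.SSLSocketFactory

// Added example, not Blokada's DnsProxy: forward wire-format DNS messages over
// DNS-over-TLS (RFC 7858) and verify the server certificate against the configured
// hostname. Assumed values: server 1.1.1.1 port 853, dotHostname "1dot1dot1dot1.cloudflare-dns.com".
class DotForwarder(private val dotHostname: String, private val server: InetSocketAddress) {
    // One TLS session is kept open and reused, so the handshake happens once,
    // not on every lookup.
    private var socket: SSLSocket? = null

    private fun connect(): SSLSocket {
        socket?.let { if (!it.isClosed) return it }
        val s = SSLSocketFactory.getDefault().createSocket() as SSLSocket
        s.connect(server, 5_000)
        s.soTimeout = 5_000
        val params = s.getSSLParameters()
        // Send SNI so the server presents the certificate for this name.
        params.serverNames = listOf(SNIHostName(dotHostname))
        // Endpoint identification makes the default trust manager reject a
        // certificate whose subject alternative names do not cover dotHostname;
        // without it any certificate chaining to a trusted CA is accepted,
        // which is the gap the first revision of this PR had.
        params.endpointIdentificationAlgorithm = "HTTPS"
        s.setSSLParameters(params)
        s.startHandshake()
        socket = s
        return s
    }

    // Send one DNS message and return the reply. DoT frames each message with a
    // two-byte big-endian length prefix, unlike UDP where the datagram is the frame.
    fun forward(query: ByteArray): ByteArray {
        val s = connect()
        val out = DataOutputStream(s.outputStream)
        out.writeShort(query.size)
        out.write(query)
        out.flush()
        val inp = DataInputStream(s.inputStream)
        val len = inp.readUnsignedShort()
        val reply = ByteArray(len)
        inp.readFully(reply)
        return reply
    }
}
```

Constructing DotForwarder("1dot1dot1dot1.cloudflare-dns.com", InetSocketAddress("1.1.1.1", 853)) and calling forward() with the bytes of a UDP query is the equivalent of the forwardTls path; a server whose certificate does not match the hostname fails at startHandshake() instead of silently answering.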