Add support for DNS-over-HTTPS to systemd-resolved #8639
systemd version the issue has been seen with
Cloudflare’s new 1.1.1.1 DNS service supports both DNS-over-TLS (RFC 7858) and DNS-over-HTTPS (draft) according to their announcement. We already have an issue for supporting DNS-over-TLS (#5671), but I couldn’t find one for DNS-over-HTTPS support.
Google DNS also supports DNS-over-HTTPS (reference), but as far as I can tell it only supports JSON responses, not the DNS wire format used in the current version of the DNS-over-HTTPS draft. Cloudflare DNS supports both, depending on the
@lucaswerkmeister What would be the use case for DNS over HTTPS? It seems to be targeted at applications in constrained environments which permit only HTTP queries and no other network communication. A use case would be a WebRTC client that has to resolve an SRV RR to find a SIP server. Perhaps it is also possible to circumvent DNS censorship.
However, I don't see how DNS over HTTPS is of use in systemd. There will be support for DNS over TLS (#5671) soon. I also guess that DNS over HTTPS can easily be fingerprinted by its traffic pattern, so it might only work until it is widely deployed. So it seems that DNS over HTTPS is only a more complicated encoding of DNS queries. HTTP does not seem to be of use here. But perhaps I overlooked some advantages.
And just to give an example why tunnelling another protocol over HTTPS does not really help against censorship, consider for example the relatively simple ip-https-discover Nmap rule that identifies the Microsoft DirectAccess protocol that tunnels IPv6 over HTTPS. A more sophisticated intrusion detection system could discover the hostname or IP address of the DNS over HTTPS resolver from the TLS handshake or IP header of network traffic or initial DNS queries, probe whether it is a DNS over HTTPS resolver and if so, insert a packet filter rule.
For Google Public DNS it would even suffice to not resolve dns.google.com and for 1.1.1.1 it would suffice to block 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001 and cloudflare-dns.com.