Support DNS over HTTPS - RFC8484

[yaleman]

Methods / Routes

• POST to /dns-query - the body is the raw query bytes
• GET
  • /dns-query?dns={base64 encoded binary request} (RFC)
  • /dns-query?name=example.com&type=A (Google/Cloudflare - https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-json/)

Requirements

• handle the Accept request header
  • standard response is application/dns-message
  • also respond to application/dns-json?
• all valid DNS responses get a HTTP/200, even with a DNS message whose DNS rcode indicates failure, such as SERVFAIL or NXDOMAIN.
• HTTP 406 should come back if the "Accept" type doesn't match a supported one.
• HTTP 401 is to be used for REFUSED responses.
• The TTL shall be returned in the cache-control header - eg cache-control = max-age=3709
  • and should be the lowest in an RRSET (but I'm pretty sure that's handled by the datastore responder)
  • and should respect the SOA minimum if it's an empty response
• maximum size of the DNS message is 65535 bytes.

References

• https://www.rfc-editor.org/rfc/rfc8484
• https://superuser.com/questions/1532975/how-to-query-for-dns-over-https-dns-over-tls-using-command-line

Examples

JSON response

curl -s -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' | jq .

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com",
      "type": 1,
      "TTL": 74831,
      "data": "93.184.216.34"
    }
  ]
}

"traditional one"

curl -sH 'accept: application/dns-message' 'https://dns.google/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'  | hexdump -c

0000000   �   � 201 200  \0 001  \0 001  \0  \0  \0  \0 003   w   w   w
0000010  \a   e   x   a   m   p   l   e 003   c   o   m  \0  \0 001  \0
0000020 001   �  \f  \0 001  \0 001  \0  \0   Q   �  \0 004   ]   �   �
0000030   "
0000031