Requires [`getdns`](https://getdnsapi.net/) to be installed and
available for compilation (no guard rails set up yet):
- Use `brew install getdns` on macOS
- Install `libgetdns-dev` on Debian/Ubuntu
- (Nothing to see here, Windows folks stuck in a backwards ecosystem)
## TODO/WAT
I finally grok the getdns API, so the package API is going to change
wildly and fast. It’s only going to support DNS over TLS, but it will
support all types of DNS queries.
## Why?
Well, for starters, to help research DNS over TLS servers. Plus, for
fun!
If you’re asking “Why DNS over TLS at all?” then the answer is “faux”
privacy. Why “faux”? Well, *something* is handling your query, and that
something knows your IP address and what you looked for. So, you’re
relying on the good faith, honest nature and technical capability of the
destination server to not mess with you. I don’t trust Cloudflare or
Google and am withholding judgement on Quad9 either way (they’ve been
doing good things and are less “look at how cool we are” than CF is).
Also “faux” in that you’re going to be using a standard port (853) and a
TLS session for the queries, so your internet provider will know you’re
doing *something*, and the current sorry state of SSL certificates,
certificate authorities, and authoritarian companies and regimes
combined means confidentiality and integrity are always kinda in
question unless done super-well.
## What’s Different About This vs Regular DNS?
Well, if we look up the addresses for `yahoo.com` the old-fashioned way
it’s cleartext UDP on the wire:

```
1 0.000000 10.1.10.57 → 10.1.10.200 DNS 80 Standard query 0x8af8 A yahoo.com OPT
2 0.003297 10.1.10.200 → 10.1.10.57 DNS 176 Standard query response 0x8af8 A yahoo.com A 72.30.35.10 A 98.138.219.231 A 72.30.35.9 A 98.137.246.7 A 98.138.219.232 A 98.137.246.8 OPT
```
I watched for port 53 UDP traffic with `tshark` as `yahoo.com` was being
looked up. Notice the fast and diminutive — and plaintext — response.
(I’m fibbing a bit, since I pre-loaded the local home DNS server with
this query by testing it a lot before knitting this readme. My home
server forwards all queries to a custom DNS over TLS server, since I
really don’t trust any of the providers when it comes down to it. So, in
reality for me, it’s even slower than the below — at least initially.)
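The DNS over TLS exchange this README contrasts with the cleartext capture above, as an added Python example (not code from this package or from getdns): it builds the same `A yahoo.com` query seen in the `tshark` output, frames it with the 2-byte length prefix RFC 7858 requires, sends it to port 853 inside a certificate-verified TLS session, and parses the A records out of the reply, refusing a reply whose transaction id does not match. The resolver is whatever hostname or IP you pass as `server` (an assumption, not a recommendation), and `SAMPLE_RESPONSE` is a constructed reply so the parser can be exercised offline.

```python
import socket, ssl, struct

def build_query(name: str, txid: int = 0x8AF8, qtype: int = 1) -> bytes:
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def _skip_name(msg: bytes, off: int) -> int:
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:  # walk uncompressed labels
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)  # pointer: 2 bytes, root: 1

def parse_a_records(msg: bytes, txid: int) -> list:
    """IPv4 answers from a reply; reject one whose id does not match our query."""
    rid, _flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def query_over_tls(server: str, name: str, txid: int = 0x8AF8) -> list:
    """Query port 853 with the 2-byte length prefix RFC 7858 requires."""
    q = build_query(name, txid)
    ctx = ssl.create_default_context()  # verifies the resolver's certificate
    with socket.create_connection((server, 853), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=server) as tls, tls.makefile("rb") as rd:
        tls.sendall(struct.pack(">H", len(q)) + q)
        rlen, = struct.unpack(">H", rd.read(2))
        resp = rd.read(rlen)
        if len(resp) != rlen:
            raise ConnectionError("resolver closed the TLS session early")
        return parse_a_records(resp, txid)

# Constructed reply (not a wire capture): two yahoo.com A records from the
# README's tshark output; 0xC00C is a compression pointer to the question name.
_RR = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)  # type A, IN, TTL 300, 4 bytes
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x8AF8, 0x8180, 1, 2, 0, 0)
                   + b"\x05yahoo\x03com\x00\x00\x01\x00\x01"
                   + _RR + bytes([72, 30, 35, 10]) + _RR + bytes([98, 138, 219, 231]))
```

Run `parse_a_records(SAMPLE_RESPONSE, 0x8AF8)` to see the parser on the constructed reply without touching the network; `query_over_tls(server, "yahoo.com")` does the real port-853 exchange against a resolver of your choosing.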