Methods are provided to query 'Domain Name System' ('DNS') stub and recursive resolvers for all 'DNS' resource record types using 'UDP', 'TCP', and/or 'TLS' transport layers. 'DNS' query support is provided by the 'getdns' (<getdnsapi.net>) C library.
Perform and process 'DNS over TLS' and 'DNS over HTTPS' queries.
## NOTE
## NOTE
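Review bot: the replacement Description line drops two facts the old one carried, that queries go through the 'getdns' (<getdnsapi.net>) C library and that both stub and recursive resolution are supported. The install note under `## NOTE` (the README.md hunk header still says "extract it and `config`/`make`/`make install` (plus `ldconfig` after)") only makes sense to a reader who knows a C library has to be present, and `gdns_set_resolution_type` in the function list still documents "recursive lookups or as a stub resolver". Suggest keeping the new one-liner as the first sentence and following it with the old dependency/transport sentence, e.g. `'DNS' query support over 'UDP', 'TCP' and 'TLS', with stub or recursive resolution, is provided by the 'getdns' (<getdnsapi.net>) C library.`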
@ -35,15 +35,15 @@ I've gotten this running on macOS and Ubuntu 16.04. For the latter I had to ensu
## TODO/WAT
## TODO/WAT
I finally grok the getdns api so the package api is going to change wildly and fast. The default mode will be to perform queries using DNS over TLS but support is also provided for UDP and TCP transports and either stub or recursive resolvers.
I finally grok the getdns api so the package api is going to change wildly and fast. The default mode will be to perform queries using DNS over TLS but also supports UDP and TCP transports along with support for DNS over HTTPS.
## Why?
## Why?
Well, for starters, to help research DNS over TLS servers. Plus, for fun!
Well, for starters, to help research DNS over TLS/DNS over HTTPS servers. Plus, for fun!
If you're asking "Why DNS over TLS at all?" then "faux" privacy. Why "faux"? Well, _something_ is handing your query and that something knows your IP address and what you looked for. So, you're relying on the good faith, honest nature and technical capability of the destination server to not mess with you. I don't trust Cloudflare or Google and am witholding judgement on Quad9 either way (they've been doing good things and are less "look at how cool we are" than CF is).
If you're asking "Why DNS over TLS/HTTPS at all?" then "faux" privacy. Why "faux"? Well, _something_ is handing your query and that something knows your IP address and what you looked for. So, you're relying on the good faith, honest nature and technical capability of the destination server to not mess with you. I don't trust Cloudflare or Google and am witholding judgement on Quad9 either way (they've been doing good things and are less "look at how cool we are" than CF is).
Also "faux" in that you're going to be using a standard port (853) and a TLS session for the queries so your internet provider will know you're doing _something_ and the current, sorry state of SSL certificates, certificate authorities, and authoritarian companies and regimes combined means confidentiality and integrity are always kinda in question unless done super-well.
Also "faux" in that you're going to be using (for DoT) a standard port (853) and a TLS session for the queries so your internet provider will know you're doing _something_ and the current, sorry state of SSL certificates, certificate authorities, and authoritarian companies and regimes combined means confidentiality and integrity are always kinda in question unless done super-well.
## What's Different About This vs Regular DNS?
## What's Different About This vs Regular DNS?
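Review bot: the rewritten TODO sentence now reads "support is ... but also supports UDP and TCP transports along with support for DNS over HTTPS", which doubles "support" and silently drops the stub/recursive resolver mention that the old line had; suggest "The default mode will be to perform queries using DNS over TLS, but UDP and TCP transports, stub or recursive resolution, and DNS over HTTPS are also supported." Since the "Why?" paragraphs were touched anyway, fix "witholding" (withholding) and "is handing your query" (handling), which survive on both sides of the hunk. The new "(for DoT)" parenthetical makes the port-853 sentence DoT-only and leaves the DoH half of the new heading unaddressed; a clause on what a DoH session looks like to the provider would complete the thought. The closing "unless done super-well" is exactly what `gdns_set_tls_ca_file`/`gdns_set_tls_ca_path` in the function list control, so a pointer to them here would turn the caveat into something the reader can act on.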
@ -85,28 +85,42 @@ It's stupid slow, consumes more CPU and bandwidth but forces adversaries to work
The following functions are implemented:
The following functions are implemented:
### Utility
- `to_inaddr_arpa`: Convert a vector of IPv4 addresses to in-addr.arpa format
### DNS over HTTPS
- `doh_post`: Make a DoH Request (POST/wireformat)
- `doh_servers`: Built-in list of DoH servers.
- `tidy.gdns_doh_response`: Tidy a DoH POST response
### DNS over TLS
- `gdns_query`: Arbitrary DNS queries
- `gdns_context`: Create a gdns DNS over TLS context and populate it with a resolver for use in resolution functions
- `gdns_context`: Create a gdns DNS over TLS context and populate it with a resolver for use in resolution functions
- `gdns_get_address`: Resolve a host to an addrss
- `gdns_get_address`: Resolve a host to an addrss
- `gdns_get_resolution_type`: Get the current resolution type setting
- `gdns_get_resolution_type`:Get the current resolution type setting
- `gdns_get_timeout`: Retreive the number of milliseconds to wait for request to return
- `gdns_get_timeout`: Retreive the number of milliseconds to wait for request to return
- `gdns_get_tls_ca_file`: Retreive the file location with CA certificates for verification purposes
- `gdns_get_tls_ca_file`:Retreive the file location with CA certificates for verification purposes
- `gdns_get_tls_ca_path`: Retreive the value with which the context's upstream recursive servers and suffixes were initialized
- `gdns_get_tls_ca_path`:Retreive the value with which the context's upstream recursive servers and suffixes were initialized
- `gdns_get_transports`: Retreive what transports are used for DNS lookups.
- `gdns_get_transports`:Retreive what transports are used for DNS lookups.
- `gdns_lib_version`: Return gdns library version
- `gdns_lib_version`: Return gdns library version
- `gdns_query`: Arbitrary DNS queries
- `gdns_set_hosts`: Initialized the context's local names namespace with values from the given hosts file.
- `gdns_set_hosts`: Initialized the context's local names namespace with values from the given hosts file.
- `gdns_set_resolution_type`: Specify whether DNS queries are performed with recursive lookups or as a stub resolver
- `gdns_set_resolution_type`:Specify whether DNS queries are performed with recursive lookups or as a stub resolver
- `gdns_set_round_robin_upstreams`: Set/unset context to round robin queries over the available upstreams when resolving with the stub resolution type.
- `gdns_set_round_robin_upstreams`: Set/unset context to round robin queries over the available upstreams when resolving with the stub resolution type.
- `gdns_set_timeout`: Specify the number of milliseconds to wait for request to return
- `gdns_set_timeout`: Specify the number of milliseconds to wait for request to return
- `gdns_set_tls_ca_file`:Specify the file with CA certificates for verification purposes
- `gdns_set_tls_ca_file`:Specify the file with CA certificates for verification purposes
- `gdns_set_tls_ca_path`:Specify where the location for CA certificates for verification purposes are located
- `gdns_set_tls_ca_path`:Specify where the location for CA certificates for verification purposes are located
- `gdns_set_transports`:Specifies what transport(s) is/ar used for DNS lookups
- `gdns_set_transports`:Specifies what transport(s) is/ar used for DNS lookups
- `gdns_update_resolvers`: Changes the list of resolvers in an already created context for use in resolution functions
- `gdns_update_resolvers`: Changes the list of resolvers in an already created context for use in resolution functions
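Review bot: `gdns_query` is listed twice in the DNS over TLS section (directly under the `### DNS over TLS` heading and again after `gdns_lib_version`); drop one. The `gdns_get_tls_ca_path` description ("Retreive the value with which the context's upstream recursive servers and suffixes were initialized") looks copy-pasted from an upstream-servers getter and does not match its setter `gdns_set_tls_ca_path` ("where the location for CA certificates for verification purposes are located"); it should read something like "Retrieve the directory containing CA certificates for verification purposes". Formatting: the new side loses the space after the colon on `gdns_get_resolution_type`, `gdns_get_tls_ca_file`, `gdns_get_tls_ca_path`, `gdns_get_transports`, `gdns_set_resolution_type`, `gdns_set_tls_ca_file`, `gdns_set_tls_ca_path` and `gdns_set_transports`, and the list still carries "addrss", "Retreive", "is/ar" and "Initialized the context's" (Initializes). One documentation gap worth closing while this list is being rewritten: the CA file/path entries say the certificates are "for verification purposes", but nothing states whether the upstream's certificate is verified at all when neither is set, which is the property the "faux privacy" section is worried about; a sentence on the default would help.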
Methods are provided to query ‘Domain Name System’ (‘DNS’) stub and
Perform and process ‘DNS over TLS’ and ‘DNS over HTTPS’ queries.
recursive resolvers for all ‘DNS’ resource record types using ‘UDP’,
‘TCP’, and/or ‘TLS’ transport layers. ‘DNS’ query support is provided
by the ‘getdns’ (\<getdnsapi.net\>) C library.
## NOTE
## NOTE
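Review bot: this is the rendered copy of the Description change (curly quotes, the `\<getdnsapi.net\>` escaping), so the same comment applies as for the .Rmd hunk: the new one-liner loses the getdns dependency and the stub/recursive wording. Fix it in README.Rmd and re-knit rather than editing this file directly, otherwise the next knit reverts whatever is changed here.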
@ -39,34 +36,33 @@ extract it and `config`/`make`/`make install` (plus `ldconfig` after).
I finally grok the getdns api so the package api is going to change
I finally grok the getdns api so the package api is going to change
wildly and fast. The default mode will be to perform queries using DNS
wildly and fast. The default mode will be to perform queries using DNS
over TLS but support is also provided for UDP and TCP transports and
over TLS but also supports UDP and TCP transports along with support for
either stub or recursive resolvers.
DNS over HTTPS.
## Why?
## Why?
Well, for starters, to help research DNS over TLS servers. Plus, for
Well, for starters, to help research DNS over TLS/DNS over HTTPS
fun\!
servers. Plus, for fun\!
If you’re asking “Why DNS over TLS at all?” then “faux” privacy. Why
If you’re asking “Why DNS over TLS/HTTPS at all?” then “faux” privacy.
“faux”? Well, *something* is handing your query and that something
Why “faux”? Well, *something* is handing your query and that something
knows your IP address and what you looked for. So, you’re relying on the
knows your IP address and what you looked for. So, you’re relying on the
good faith, honest nature and technical capability of the destination
good faith, honest nature and technical capability of the destination
server to not mess with you. I don’t trust Cloudflare or Google and am
server to not mess with you. I don’t trust Cloudflare or Google and am
witholding judgement on Quad9 either way (they’ve been doing good things
witholding judgement on Quad9 either way (they’ve been doing good things
and are less “look at how cool we are” than CF is).
and are less “look at how cool we are” than CF is).
Also “faux” in that you’re going to be using a standard port (853) and a
Also “faux” in that you’re going to be using (for DoT) a standard port
TLS session for the queries so your internet provider will know you’re
(853) and a TLS session for the queries so your internet provider will
doing *something* and the current, sorry state of SSL certificates,
know you’re doing *something* and the current, sorry state of SSL
certificate authorities, and authoritarian companies and regimes
certificates, certificate authorities, and authoritarian companies and
combined means confidentiality and integrity are always kinda in
regimes combined means confidentiality and integrity are always kinda in
question unless done super-well.
question unless done super-well.
## What’s Different About This vs Regular DNS?
## What’s Different About This vs Regular DNS?
Well, if we lookup the addresses for `yahoo.com` the old-fashioned way
Well, if we lookup the addresses for `yahoo.com` the old-fashioned way
it’s cleartext UDP on the
it’s cleartext UDP on the wire:
wire:
1 0.000000 10.1.10.57 → 10.1.10.200 DNS 80 Standard query 0x8af8 A yahoo.com OPT
1 0.000000 10.1.10.57 → 10.1.10.200 DNS 80 Standard query 0x8af8 A yahoo.com OPT
2 0.003297 10.1.10.200 → 10.1.10.57 DNS 176 Standard query response 0x8af8 A yahoo.com A 72.30.35.10 A 98.138.219.231 A 72.30.35.9 A 98.137.246.7 A 98.138.219.232 A 98.137.246.8 OPT
2 0.003297 10.1.10.200 → 10.1.10.57 DNS 176 Standard query response 0x8af8 A yahoo.com A 72.30.35.10 A 98.138.219.231 A 72.30.35.9 A 98.137.246.7 A 98.138.219.232 A 98.137.246.8 OPT
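Review bot: the rendered hunk carries the same "witholding" and "is handing your query" slips as the .Rmd side, and the `fun\!` escaping shows this file is generated output, so the fixes belong in README.Rmd. The capture lines are a good, concrete illustration of the cleartext case (query ID, resolver address and all six A records visible on the wire); consider stating in the surrounding text that the query ID and OPT record are visible too, since that is what makes the comparison with the encrypted transports meaningful.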
@ -79,8 +75,7 @@ server forwards all queries to a custom DNS over TLS server since I
really don’t trust any of the providers when it comes down to it. So, in
really don’t trust any of the providers when it comes down to it. So, in
reality for me, it’s even slower than the below — at least initially).
reality for me, it’s even slower than the below — at least initially).