
Difference between revisions of "Durum"

From Wikitech-static
imported>Sukhbir Singh
(add link to phab task)
 
imported>Sukhbir Singh
 
(One intermediate revision by the same user not shown)
Lines shown once below are unchanged between the two revisions; lines that changed are given as Old: (earlier revision) and New: (later revision).

Line 6: Line 6:
Compared to traditional unencrypted DNS, DoH and DoT are newer protocols that encrypt your DNS queries and in the absence of [[w:Service_discovery|discovery mechanisms]] for them, configuring your browser or operating system to use DoH/DoT is a manual process. durum's purpose is to help assure users that they have configured Wikidough correctly and that it is being used for their DNS lookups.

Old: durum is served as a web application from [https://check.wikimedia-dns.org check.wikimedia-dns.org] and works by checking the origin of a <code>*.check.wikimedia-dns.org</code> query. It does not log any user data and does not use any logged data to make this correlation but instead relies on [[DNS|gdnsd]] to determine if a user is using Wikidough or not.
New: durum is served as a web application from [https://check.wikimedia-dns.org check.wikimedia-dns.org] and works by checking the origin of a <code>*.check.wikimedia-dns.org</code> query. It does not log any user data but instead relies on the source of a DNS query to make the distinction between Wikidough and some other recursor.

Old: == How It Works ==
New: == How does this work? ==

* User navigates to [https://check.wikimedia-dns.org check.wikimedia-dns.org] from their browser.

Line 14: Line 14:
* durum's server serves an HTML page with some JavaScript.
** The JavaScript makes a request for ''$UUID.check.wikimedia-dns.org/check/'', where ''$UUID'' is a unique test ID generated by a client-side UUID generator.

Old: *** The DNS lookup for ''$UUID.check.wikimedia-dns.org'' happens from the client's local resolver. This is the step that tells us the resolver/recursor they are using.
Old: * ''gdnsd'' receives a query for ''$UUID.check.wikimedia-dns.org'' and checks if the query originated from a Wikidough host.
Old: ** If yes and the query for ''$UUID.check.wikimedia-dns.org'' was from a Wikidough host IP, it returns the ''A record'' for ''yes''.
Old: ** If no, then it returns the ''A record'' for ''no''.
Old: * The user's browser gets the resolved IP (''yes'' or ''no'') and proceeds to create a connection to it.
Old: * On durum's server, it listens on the two different ''yes'' and ''no'' IPs that return corresponding JSON responses: the ''yes'' IP returns <code>{"result": true}</code>, while the ''no'' IP returns <code>{"result": false}</code>.
Old: * The JavaScript code on <code>check.wikimedia-dns.org</code> checks the JSON response (true/false) and updates the HTML to display the check result.

New: *** If the user is using Wikidough: The query goes to Wikidough and it returns an IP for ''*.check.wikimedia-dns.org'', depending on if the query was received on the DoH port (443) or the DoT port (853).
New: **** The query ''is not'' forwarded to ''gdnsd'' as Wikidough returns the IPs itself.
New: **** The two different IPs allow us to differentiate if the user is using DoH or DoT.
New: *** If the user is not using Wikidough: The query goes through their recursor to ''gdnsd'' which returns the IP address for ''*.check.wikimedia-dns.org''. Essentially, ''no.check.wikimedia-dns.org'', since if the query went to ''gdnsd'', they are not using Wikidough.
New: * The user's browser gets the resolved IP (''yes'' for DoH, DoT; or ''no'') and proceeds to create a connection to it.
New: * On durum's server, it listens on the three different IPs: (two) ''yes'' and (one) ''no'' that return corresponding JSON responses: the ''yes'' IP returns <code>{"result": true, "service": "DoH"}</code> or <code>{"result": true, "service": "DoT"}</code>, while the ''no'' IP returns <code>{"result": false}</code>.
New: * The JavaScript code on <code>check.wikimedia-dns.org</code> checks the JSON response and updates the HTML to display the check result.

== API ==

Line 30: Line 29:
You can directly query the durum service, without the web application frontend. This is also useful for users who don't have JavaScript enabled in their browsers.

Old: If Wikidough is being used as your resolver, this should return a JSON response of <code>{"result": true}</code>:
New: If Wikidough is being used as your resolver, this should return a JSON response of <code>{"result": true, "service": "DoH/DoT"}</code>:

  curl https://check-${RANDOM}.check.wikimedia-dns.org/check

Latest revision as of 20:10, 7 December 2021

durum 🌾 (named after durum wheat) is a service that allows Wikidough users to check if they have correctly configured and are using Wikidough as their DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver.

Introduction

Compared to traditional unencrypted DNS, DoH and DoT are newer protocols that encrypt your DNS queries. In the absence of discovery mechanisms for them, configuring your browser or operating system to use DoH/DoT is a manual process. durum's purpose is to help assure users that they have configured Wikidough correctly and that it is being used for their DNS lookups.

durum is served as a web application from check.wikimedia-dns.org and works by checking the origin of a *.check.wikimedia-dns.org query. It does not log any user data but instead relies on the source of a DNS query to make the distinction between Wikidough and some other recursor.

How does this work?

  • User navigates to check.wikimedia-dns.org from their browser.
  • durum's server serves an HTML page with some JavaScript.
    • The JavaScript makes a request for $UUID.check.wikimedia-dns.org/check/, where $UUID is a unique test ID generated by a client-side UUID generator.
      • If the user is using Wikidough: the query goes to Wikidough, which returns an IP for *.check.wikimedia-dns.org depending on whether the query was received on the DoH port (443) or the DoT port (853).
        • The query is not forwarded to gdnsd, as Wikidough returns the IPs itself.
        • The two different IPs allow us to differentiate whether the user is using DoH or DoT.
      • If the user is not using Wikidough: the query goes through their recursor to gdnsd, which returns the IP address for *.check.wikimedia-dns.org. This is essentially the address of no.check.wikimedia-dns.org: if the query reached gdnsd at all, the user is not using Wikidough.
  • The user's browser gets the resolved IP (one of the two yes addresses, for DoH or DoT, or the no address) and proceeds to create a connection to it.
  • durum's server listens on these three IPs (two yes, one no) and returns the corresponding JSON response: the yes IPs return {"result": true, "service": "DoH"} or {"result": true, "service": "DoT"}, while the no IP returns {"result": false}.
  • The JavaScript code on check.wikimedia-dns.org checks the JSON response and updates the HTML to display the check result.
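The flow above, as an added Python simulation (not durum's or Wikidough's own code): the three addresses are constructed RFC 5737 placeholders, since the page does not give the real ones, and the query's ingress port stands in for the DoH or DoT listener the query arrived on.

```python
import json
import uuid

# Constructed placeholder addresses (RFC 5737); real ones are not on the page.
YES_DOH_IP = "192.0.2.1"
YES_DOT_IP = "192.0.2.2"
NO_IP = "192.0.2.3"
CHECK_ZONE = ".check.wikimedia-dns.org"
DOH_PORT, DOT_PORT = 443, 853   # Wikidough listeners, per the page


def wikidough_answer(qname: str, ingress_port: int) -> str:
    """Wikidough answers *.check names itself (never forwarding to gdnsd),
    picking the 'yes' address by the port the query arrived on."""
    if not qname.endswith(CHECK_ZONE):
        raise ValueError("only the check zone is modelled here")
    if ingress_port == DOH_PORT:
        return YES_DOH_IP
    if ingress_port == DOT_PORT:
        return YES_DOT_IP
    raise ValueError(f"unexpected ingress port {ingress_port}")


def gdnsd_answer(qname: str) -> str:
    """gdnsd only sees the query when some other recursor asked, so any
    *.check name resolves to the 'no' address."""
    if not qname.endswith(CHECK_ZONE):
        raise ValueError("only the check zone is modelled here")
    return NO_IP


def durum_response(listening_ip: str) -> dict:
    """durum's HTTP server decides purely by which of its IPs was hit."""
    return {
        YES_DOH_IP: {"result": True, "service": "DoH"},
        YES_DOT_IP: {"result": True, "service": "DoT"},
        NO_IP: {"result": False},
    }[listening_ip]


def run_check(resolver: str, ingress_port: int = 0) -> dict:
    """Client side: fresh UUID name, resolve it, connect, parse the JSON."""
    qname = f"{uuid.uuid4()}{CHECK_ZONE}"
    if resolver == "wikidough":
        ip = wikidough_answer(qname, ingress_port)
    else:                                  # any other recursor -> gdnsd
        ip = gdnsd_answer(qname)
    body = json.dumps(durum_response(ip))  # what the server sends back
    return json.loads(body)
```

Calling run_check("wikidough", 443), run_check("wikidough", 853) and run_check("other") gives the DoH, DoT and "not using Wikidough" results respectively.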

API

You can directly query the durum service, without the web application frontend. This is also useful for users who don't have JavaScript enabled in their browsers.

If Wikidough is being used as your resolver, this should return a JSON response of {"result": true, "service": "DoH/DoT"}:

curl https://check-${RANDOM}.check.wikimedia-dns.org/check

Why the UUID?

In theory, we could just ask users to query for test.check.wikimedia-dns.org (or some other fixed name) instead of generating a fresh UUID every time the check is run. But since the DNS answer for a non-unique name such as test.check.wikimedia-dns.org may be cached (by a local cache, your stub resolver or your recursor), it is important that every query for this test is unique, and the UUID ensures that. Without the UUID, you might get a stale cached answer instead of the actual check response for your current resolver; the UUID prevents such cases, helped by the TTL for *.check.wikimedia-dns.org, which is set to five seconds.
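The caching argument above, as an added Python model (not durum's code): a stub resolver with a positive cache and the page's five-second TTL is run once with a fixed test name and once with a fresh UUID, using constructed placeholder addresses.

```python
import time
import uuid

CHECK_ZONE = ".check.wikimedia-dns.org"
TTL_SECONDS = 5                 # TTL of *.check.wikimedia-dns.org (page)
# Constructed placeholder answers (RFC 5737); real ones are not on the page.
YES_IP, NO_IP = "192.0.2.1", "192.0.2.3"


class CachingStub:
    """Minimal stub resolver with a positive cache keyed by name.
    `upstream` returns the authoritative answer; `clock` is injectable
    so the TTL can be advanced without sleeping."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.cache = {}         # name -> (ip, expiry)

    def resolve(self, name: str) -> str:
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]       # served from cache, possibly stale
        ip = self.upstream(name)
        self.cache[name] = (ip, self.clock() + TTL_SECONDS)
        return ip


def simulate(use_uuid: bool, advance_seconds: float = 0.0):
    """Run the check via some other recursor (answer 'no'), reconfigure to
    Wikidough (answer 'yes'), and check again through the same cache.
    Returns the two answers the browser would see."""
    now = [0.0]
    upstream_ip = [NO_IP]
    stub = CachingStub(lambda _name: upstream_ip[0], clock=lambda: now[0])

    def test_name() -> str:
        label = str(uuid.uuid4()) if use_uuid else "test"
        return label + CHECK_ZONE

    first = stub.resolve(test_name())      # not yet using Wikidough
    upstream_ip[0] = YES_IP                # user switches to Wikidough
    now[0] += advance_seconds
    second = stub.resolve(test_name())
    return first, second
```

With the fixed name the second answer is still the stale no address until the TTL runs out, while the UUID name misses the cache and returns the correct yes address immediately.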

Notes

  • We do not log anything related to this service; not even the nginx access logs.
  • durum is not a generic "what is my DNS resolver" service, like dnsleaktest.com or 1.1.1.1/help. It is only meant to tell users if they are using Wikidough and not if they are using some other recursor.
  • durum is an anycasted service similar to Wikidough.