You are browsing a read-only backup copy of Wikitech. The live site can be found at


From Wikitech-static
Revision as of 00:54, 14 September 2021 by imported>Sukhbir Singh (add link to phab task)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

durum 🌾 (named after durum wheat) is a service that allows Wikidough users to check if they have correctly configured and are using Wikidough as their DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver.


Compared to traditional unencrypted DNS, DoH and DoT are newer protocols that encrypt your DNS queries and in the absence of discovery mechanisms for them, configuring your browser or operating system to use DoH/DoT is a manual process. durum's purpose is to help assure users that they have configured Wikidough correctly and that it is being used for their DNS lookups.

durum is served as a web application from and works by checking the origin of a * query. It does not log any user data and does not use any logged data to make this correlation but instead relies on gdnsd to determine if a user is using Wikidough or not.

How It Works

  • durum's server serves an HTML page with some JavaScript.
    • The JavaScript makes a request for $, where $UUID is a unique test ID generated by a client-side UUID generator.
      • The DNS lookup for $ happens from the client's local resolver. This is the step that tells us the resolver/recursor they are using.
  • gdnsd receives a query for $ and checks if the query originated from a Wikidough host.
    • If yes and the query for $ was from a Wikidough host IP, it returns the A record for yes.
    • If no, then it returns the A record for no.
  • The user's browser gets the resolved IP (yes or no) and proceeds to create a connection to it.
  • On durum's server, it listens on the two different yes and no IPs that return corresponding JSON responses: the yes IP returns {"result": true}, while the no IP returns {"result": false}.
  • The JavaScript code on checks the JSON response (true/false) and updates the HTML to display the check result.


You can directly query the durum service, without the web application frontend. This is also useful for users who don't have JavaScript enabled in their browsers.

If Wikidough is being used as your resolver, this should return a JSON response of {"result": true}:

curl https://check-${RANDOM}

Why the UUID?

In theory, we could just ask users to query for (or some other fixed address) instead of generating a fresh UUID every time the check is run. But since the DNS query for a non-unique name such as may be cached (by a local cache; your stub resolver; your recursor), it is important that every query for this test is unique and the UUID helps do that. Without this UUID, it is possible that you may get an incorrect cached response instead of the actual check response for your resolver; the UUID helps prevents such cases and is facilitated by the TTL for *, which is set to five seconds.


  • We do not log anything related to this service; not even the nginx access logs.
  • durum is not a generic "what is my DNS resolver" service, like or It is only meant to tell users if they are using Wikidough and not if they are using some other recursor.
  • durum is an anycasted service similar to Wikidough.