
Durum

Revision as of 19:10, 14 September 2021 by imported>Sukhbir Singh (improve section headings)

durum 🌾 (named after durum wheat) is a service that allows Wikidough users to check if they have correctly configured and are using Wikidough as their DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver.

Introduction

Compared to traditional unencrypted DNS, DoH and DoT are newer protocols that encrypt your DNS queries, and because there is no widely deployed discovery mechanism for them, configuring your browser or operating system to use DoH/DoT is a manual process. durum's purpose is to help assure users that they have configured Wikidough correctly and that it is actually being used for their DNS lookups.

durum is served as a web application from check.wikimedia-dns.org and works by checking which resolver a query for a *.check.wikimedia-dns.org name arrives from. It does not log any user data and does not use any logged data to make this correlation; instead it relies on gdnsd, the authoritative DNS server, to determine whether the query came from a Wikidough host.

How does this work?

  • durum's server serves an HTML page with some JavaScript.
    • The JavaScript makes a request for $UUID.check.wikimedia-dns.org/check/, where $UUID is a unique test ID generated by a client-side UUID generator.
      • The DNS lookup for $UUID.check.wikimedia-dns.org happens from the user's local resolver. This is the step that tells us the resolver/recursor they are using.
  • gdnsd receives a query for $UUID.check.wikimedia-dns.org and checks if the query originated from a Wikidough host.
    • If the query came from a Wikidough host IP, it returns the A record for yes.
    • Otherwise, it returns the A record for no.
  • The user's browser gets the resolved IP (yes or no) and opens a connection to it.
  • durum's server listens on those two different IPs, yes and no, and each returns a fixed JSON response: the yes IP returns {"result": true}, while the no IP returns {"result": false}.
  • The JavaScript code on check.wikimedia-dns.org checks the JSON response (true/false) and updates the HTML to display the check result.
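The flow above, simulated end to end as an added example (this is not durum's or gdnsd's own code). All addresses are constructed placeholders: YES_IP and NO_IP stand for the two listener addresses, and WIKIDOUGH_HOSTS for the source networks the authoritative server would treat as Wikidough egress; the real service derives these from its own configuration.

```python
"""Simulation of the durum check: client, authoritative answer, and the two listeners."""
import ipaddress
import json
import uuid

CHECK_ZONE = "check.wikimedia-dns.org"
YES_IP = "192.0.2.1"   # constructed: address the "yes" listener would use
NO_IP = "192.0.2.2"    # constructed: address the "no" listener would use
# constructed: source networks the authoritative server treats as Wikidough hosts
WIKIDOUGH_HOSTS = {ipaddress.ip_network("198.51.100.0/24")}


def make_check_hostname() -> str:
    """Client side: a fresh UUID per check, so no cache can already hold an answer."""
    return f"{uuid.uuid4()}.{CHECK_ZONE}"


def is_check_query(qname: str) -> bool:
    return qname.endswith("." + CHECK_ZONE)


def authoritative_answer(qname: str, source_ip: str) -> str:
    """Authoritative side (the role gdnsd plays): the answer depends on who asked,
    not on the label that was asked for."""
    if not is_check_query(qname):
        raise ValueError(f"not in the check zone: {qname}")
    src = ipaddress.ip_address(source_ip)
    if any(src in net for net in WIKIDOUGH_HOSTS):
        return YES_IP
    return NO_IP


def check_endpoint(server_ip: str) -> str:
    """durum server: the listener bound to each IP returns a fixed JSON body."""
    if server_ip == YES_IP:
        return json.dumps({"result": True})
    if server_ip == NO_IP:
        return json.dumps({"result": False})
    raise ValueError(f"no durum listener on {server_ip}")


def run_check(recursor_source_ip: str) -> bool:
    """The whole exchange as the browser sees it: lookup, connect, parse JSON.
    recursor_source_ip is the address the user's recursor queries gdnsd from."""
    hostname = make_check_hostname()
    answer = authoritative_answer(hostname, recursor_source_ip)
    body = check_endpoint(answer)
    return json.loads(body)["result"] is True


if __name__ == "__main__":
    print("via Wikidough:", run_check("198.51.100.7"))      # True
    print("via another recursor:", run_check("203.0.113.9"))  # False
```

The point the simulation makes explicit is that the query name carries no information the server uses; the only input that decides yes versus no is the source address of the recursor that reaches the authoritative server.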

API

You can directly query the durum service, without the web application frontend. This is also useful for users who don't have JavaScript enabled in their browsers.

If Wikidough is being used as your resolver, this should return a JSON response of {"result": true}:

curl https://check-${RANDOM}.check.wikimedia-dns.org/check

Why the UUID?

In theory, we could just ask users to query for test.check.wikimedia-dns.org (or some other fixed name) instead of generating a fresh UUID every time the check is run. But the DNS answer for a non-unique name such as test.check.wikimedia-dns.org may be cached along the way (by a local cache, your stub resolver, or your recursor), so it is important that every query for this test is unique, and the UUID ensures that. Without it, you could get a stale cached answer instead of the actual check result for your current resolver. The UUID prevents such cases, and the TTL for *.check.wikimedia-dns.org, which is set to five seconds, further limits how long any answer can stay cached.
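A simulated stub-resolver cache that shows the failure mode described above, added here as an example (not durum's code). The listener addresses, the Wikidough source address and the clock are constructed; the five-second TTL mirrors the value stated for *.check.wikimedia-dns.org.

```python
"""Why a fixed test name can return a stale answer, and why a fresh UUID does not."""
import time
import uuid

CHECK_ZONE = "check.wikimedia-dns.org"
CHECK_TTL = 5                               # seconds, as for *.check.wikimedia-dns.org
YES_IP, NO_IP = "192.0.2.1", "192.0.2.2"    # constructed listener addresses
WIKIDOUGH_SOURCE = "198.51.100.7"           # constructed Wikidough egress address


def authoritative_answer(recursor_source_ip: str) -> str:
    """Authoritative decision: only the source of the query matters."""
    return YES_IP if recursor_source_ip == WIKIDOUGH_SOURCE else NO_IP


class CachingStub:
    """A minimal stub resolver with a positive cache keyed by query name."""

    def __init__(self, clock=time.monotonic):
        self._cache = {}          # qname -> (answer, expiry time)
        self._clock = clock
        self.upstream_queries = 0

    def resolve(self, qname: str, recursor_source_ip: str) -> str:
        now = self._clock()
        hit = self._cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]         # served from cache; the recursor is never asked
        self.upstream_queries += 1
        answer = authoritative_answer(recursor_source_ip)
        self._cache[qname] = (answer, now + CHECK_TTL)
        return answer


def fixed_name_check(stub: CachingStub, recursor_source_ip: str) -> bool:
    return stub.resolve(f"test.{CHECK_ZONE}", recursor_source_ip) == YES_IP


def uuid_check(stub: CachingStub, recursor_source_ip: str) -> bool:
    return stub.resolve(f"{uuid.uuid4()}.{CHECK_ZONE}", recursor_source_ip) == YES_IP


def demo() -> dict:
    """A user checks via an ordinary recursor, switches to Wikidough two seconds later,
    and checks again before the cached answer has expired."""
    clock = [0.0]                                        # constructed, controllable clock
    stub = CachingStub(clock=lambda: clock[0])
    before = fixed_name_check(stub, "203.0.113.9")       # False, and cached for 5 s
    clock[0] += 2.0                                      # user now points at Wikidough
    stale = fixed_name_check(stub, WIKIDOUGH_SOURCE)     # still False: cache hit
    fresh = uuid_check(stub, WIKIDOUGH_SOURCE)           # True: unique name, fresh lookup
    clock[0] += 4.0                                      # fixed-name entry has expired
    after_ttl = fixed_name_check(stub, WIKIDOUGH_SOURCE) # True again only after the TTL
    return {"before": before, "stale": stale, "fresh": fresh,
            "after_ttl": after_ttl, "upstream_queries": stub.upstream_queries}


if __name__ == "__main__":
    print(demo())
```

The short TTL bounds the window in which the fixed name would lie, but within that window only a name nobody has asked for before is guaranteed to reach the authoritative server; the UUID is what closes the window entirely.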

Notes

  • We do not log anything related to this service; not even the nginx access logs.
  • durum is not a generic "what is my DNS resolver" service, like dnsleaktest.com or 1.1.1.1/help. It is only meant to tell users if they are using Wikidough and not if they are using some other recursor.
  • durum is an anycasted service similar to Wikidough.