
Wikidough: Difference between revisions

From Wikitech-static
imported>BryanDavis
(Show url to officewiki instructions)
imported>Sukhbir Singh
(explain why ECS needs to be enabled for queries to WMF auth servers)
Revision as of 17:57, 5 January 2021

Wikidough ("Wiki DoH") is a caching, recursive DNS-over-HTTPS and DNS-over-TLS resolver service.

It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated, but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.

For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough.

Features

DNS-over-HTTPS and DNS-over-TLS

Wikidough supports DNS-over-HTTPS (DoH) on TCP/443 and DNS-over-TLS (DoT) on TCP/853. Users can select either protocol to secure their DNS: within Wikidough, DoH and DoT give the same privacy and security guarantees. The protocols themselves still differ, and users should be mindful of that difference: DoT runs on a dedicated port (TCP/853) that a network operator can easily identify and block, whereas DoH is ordinary HTTPS on TCP/443 and cannot be told apart from other web traffic by port alone.

Wikidough does not support plaintext DNS on UDP/53; clients must use DoH or DoT.
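To make the two transports concrete, the following is an added example (not code from Wikidough or the knead-wikidough test suite) that builds a DNS query in wire format and wraps it the way a DoH client (RFC 8484, GET and POST forms) and a DoT client (RFC 7858, the DNS-over-TCP two-byte length prefix) would send it. The /dns-query path is the usual RFC 8484 template and is an assumption here, not Wikidough's documented endpoint; the query name used in the usage section is a constructed example.

```python
import base64
import struct

DOH_PORT, DOT_PORT = 443, 853
DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484
DOH_PATH = "/dns-query"  # common RFC 8484 template path; an assumption, not Wikidough's endpoint


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Minimal query: RD set, one question, class IN. RFC 8484 recommends
    ID 0 over DoH so that identical queries can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_target(query):
    """GET form: the message travels in the dns= parameter as unpadded base64url."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_PATH}?dns={param}"


def doh_decode_param(param):
    """Server side: restore the base64url padding that the client stripped."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post(query):
    """POST form: the raw message is the body, typed as application/dns-message."""
    headers = {"content-type": DOH_MEDIA_TYPE, "accept": DOH_MEDIA_TYPE,
               "content-length": str(len(query))}
    return DOH_PATH, headers, query


def dot_frame(message):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream):
    """Split a DoT byte stream into complete messages. A partial message at the
    tail is returned unconsumed so the caller can append the next socket read."""
    messages = []
    while len(stream) >= 2:
        (n,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + n:
            break
        messages.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return messages, stream


if __name__ == "__main__":
    q = build_query("en.wikipedia.org")  # constructed example query
    print("DoH GET :", doh_get_target(q))
    print("DoT frame:", dot_frame(q).hex())
```

Both transports carry the identical DNS message; the only differences are the port, the TLS session on top of it, and the framing shown above. The same framing also handles several pipelined DoT answers arriving in one read, which is why `dot_unframe` returns the unconsumed tail rather than raising.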

TLS Protocols

Wikidough supports only TLSv1.3 for DoH, and TLSv1.2 (AEAD cipher suites only) and TLSv1.3 for DoT. When a client lists ChaCha20-Poly1305 first in its cipher preference, as mobile clients without AES hardware acceleration typically do, Wikidough prioritizes ChaCha20-Poly1305 over AES-GCM.

Test for DoH: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_tls.py#132 | Test for DoT: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_tls.py#90
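The TLS policy above, expressed as server-side contexts, is shown in the following added example (not Wikidough's configuration, which is not on this page, and not its test code). It uses Python's ssl module with OpenSSL: the DoH context pins TLSv1.3, the DoT context allows TLSv1.2 with AEAD-only suites plus TLSv1.3 and lets ChaCha20-Poly1305 win when the client prefers it. The `OP_PRIORITIZE_CHACHA` bit value is an assumption about the linked OpenSSL, since the ssl module does not expose it; the `audit` function is a local check of the resulting policy, not a handshake.

```python
import ssl

# OpenSSL's SSL_OP_PRIORITIZE_CHACHA (option bit 21) is not exposed by the ssl
# module; the raw value is an assumption about the linked OpenSSL build and only
# has an effect together with OP_CIPHER_SERVER_PREFERENCE.
OP_PRIORITIZE_CHACHA = getattr(ssl, "OP_PRIORITIZE_CHACHA", 0x00200000)
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def is_aead(cipher):
    """Use OpenSSL's own 'aead' flag from get_ciphers(); fall back to the
    suite name on builds that do not report it."""
    return cipher.get("aead", any(m in cipher["name"] for m in AEAD_MARKERS))


def doh_server_context():
    """DoH frontend: TLSv1.3 only. Every TLSv1.3 suite is AEAD, so no cipher
    string is needed to obtain that property."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def dot_server_context():
    """DoT frontend: TLSv1.2 restricted to forward-secret AEAD suites, plus
    TLSv1.3. The server chooses the suite, but ChaCha20-Poly1305 wins when
    the client lists it first (mobile clients without AES-NI usually do)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # no CBC, no RSA key exchange
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | OP_PRIORITIZE_CHACHA
    return ctx


def tls12_cipher_names(ctx):
    """TLSv1.2 suites the context would offer (TLSv1.3 suites are listed separately)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit(ctx):
    """Summary of the policy properties, computed locally without a handshake:
    anything in tls12_non_aead would be a regression against the page's policy."""
    return {
        "min_version": ctx.minimum_version.name,
        "tls12_non_aead": [c["name"] for c in ctx.get_ciphers()
                           if c["protocol"] == "TLSv1.2" and not is_aead(c)],
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
    }


if __name__ == "__main__":
    print("DoH:", audit(doh_server_context()))
    print("DoT:", audit(dot_server_context()))
    print("permissive default:", audit(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
```

Running the script prints the audit for both hardened contexts and, for contrast, for a context left at OpenSSL's defaults, which on most builds still lists CBC-mode TLSv1.2 suites. Note that `get_ciphers()` reports the configured list, not what a given client would negotiate, so a TLSv1.3-only context still lists TLSv1.2 suites; the minimum version is what enforces the DoH policy.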

EDNS Client Subnet

To preserve the privacy of clients and their IP addresses, Wikidough does not send the EDNS Client Subnet (ECS) extension to upstream nameservers, with one exception: queries to Wikimedia's own authoritative nameservers. Wikidough therefore shares client IP address information only with DNS servers that are run and operated by the Wikimedia Foundation. The exception is required for gdnsd's GeoIP plugin (https://github.com/gdnsd/gdnsd/wiki/GdnsdPluginGeoip) to route users to their closest Wikimedia data centre: without the client subnet, gdnsd would see only Wikidough's own address and would pick the data centre closest to the resolver rather than to the user.

EDNS Client Subnet is not enabled for queries destined for any other nameservers.

Test to verify ECS is disabled: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#133 | Test to verify ECS is enabled for queries to Wikimedia's DNS servers: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#102

Query Name Minimisation

Wikidough supports query name minimisation (RFC 7816), which increases the privacy of user queries by not sending the full query name to every authoritative nameserver on the resolution path. When you look up en.m.wikipedia.org through Wikidough, the root servers are asked at most for org and the .org nameservers see only wikipedia.org; the en.m labels are revealed only to the wikipedia.org nameservers that actually serve the name.

Test to verify qname minimisation is enabled: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#207
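The ECS policy and the query name minimisation described in the two sections above both decide what each upstream nameserver gets to see. The following added example (not Wikidough's resolver code, which is PowerDNS-based software not shown on this page) models both decisions for one lookup: it derives the RFC 7816 sequence of minimised names, encodes the RFC 7871 ECS option in wire form, and attaches it only to queries that go to Wikimedia's own authoritative zones. The zone list, the set of already-known zone cuts and the /24 and /56 ECS prefix lengths are constructed assumptions; the page states that client address information is shared with Wikimedia's servers, not which prefix length is used.

```python
import ipaddress
import struct

# Constructed assumptions for this example (not taken from the page): which
# zones Wikimedia's own authoritative nameservers serve, and the delegation
# points the resolver has already learned. A real resolver discovers zone cuts
# while recursing, and the page does not state the ECS prefix length it sends.
WMF_AUTH_ZONES = ("wikipedia.org", "wikimedia.org")
KNOWN_ZONE_CUTS = (".", "org", "com", "wikipedia.org")
ECS_OPTION_CODE = 8  # RFC 7871
ECS_V4_PREFIX, ECS_V6_PREFIX = 24, 56  # assumed truncation, as in RFC 7871's examples


def labels(name):
    """Labels of a name in written order, e.g. [en, m, wikipedia, org]."""
    return [l.lower() for l in name.strip(".").split(".") if l]


def in_zone(name, zone):
    """True if name is at or below zone; the root zone (".") contains everything."""
    n, z = labels(name), labels(zone)
    return n[len(n) - len(z):] == z


def minimised_query_plan(qname, cuts=KNOWN_ZONE_CUTS):
    """(zone asked, name sent) pairs following RFC 7816: each zone's servers are
    asked one label below their apex at a time, so no server on the path sees
    the full name before the zone that actually holds it."""
    full = labels(qname)
    known_cuts = {".".join(labels(c)) for c in cuts} - {""}
    zone, plan = ".", []
    for k in range(1, len(full) + 1):
        sent = ".".join(full[len(full) - k:])
        plan.append((zone, sent))
        if sent in known_cuts:
            zone = sent  # delegation is known: continue at the child zone's servers
    return plan


def full_name_plan(qname, cuts=KNOWN_ZONE_CUTS):
    """The classic behaviour for contrast: every zone on the path sees the full name."""
    name = ".".join(labels(qname))
    return [(zone, name) for zone in cuts if in_zone(qname, zone)]


def names_seen_by(plan, zone):
    """Every name a given zone's servers receive under a plan."""
    return [sent for z, sent in plan if z == zone]


def ecs_allowed(zone):
    """ECS leaves Wikidough only towards Wikimedia's own authoritative servers."""
    return any(in_zone(zone, wmf) for wmf in WMF_AUTH_ZONES)


def ecs_option(client_ip):
    """RFC 7871 option in wire form: code, length, family, source prefix length,
    scope prefix length (0 in queries), then only the prefix bytes of the address."""
    ip = ipaddress.ip_address(client_ip)
    family, prefix = (1, ECS_V4_PREFIX) if ip.version == 4 else (2, ECS_V6_PREFIX)
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    addr = net.network_address.packed[: (prefix + 7) // 8]  # host bits are zero
    body = struct.pack("!HBB", family, prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data):
    """Inverse of ecs_option: (family, source prefix, scope prefix, network)."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or length != len(data) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", data[4:8])
    size = 4 if family == 1 else 16
    addr = ipaddress.ip_address(data[8:].ljust(size, b"\x00"))
    return family, source, scope, ipaddress.ip_network(f"{addr}/{source}")


def upstream_plan(qname, client_ip):
    """What each upstream server receives: the minimised name, and ECS only
    where the zone is served by Wikimedia's own authoritative nameservers."""
    return [{"zone": zone, "qname": sent,
             "ecs": ecs_option(client_ip) if ecs_allowed(zone) else None}
            for zone, sent in minimised_query_plan(qname)]


if __name__ == "__main__":
    for step in upstream_plan("en.m.wikipedia.org", "203.0.113.77"):  # constructed input
        print(step["zone"], "<-", step["qname"], "ECS:", step["ecs"].hex() if step["ecs"] else "none")
```

For en.m.wikipedia.org the root and .org servers receive neither the en.m labels nor any ECS data, while the wikipedia.org servers receive both, which is exactly the split the two sections above describe. Replacing `minimised_query_plan` with `full_name_plan` in `upstream_plan` shows what the root and .org servers would have learned without minimisation.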

DNSSEC

Wikidough is a DNSSEC-validating resolver. It always validates the responses it receives, regardless of whether the client itself requests DNSSEC records or validates them, and responds with SERVFAIL when validation fails (a bogus response) rather than passing the bogus data on to the client.

Test to verify DNSSEC is enabled and validated: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#160
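From the client's side, the behaviour above shows up in two header fields of the response: the RCODE (SERVFAIL for bogus data) and the AD flag (set when the resolver validated the answer). The following added example (not Wikidough's code or its tests) classifies responses from those fields and adds the standard diagnostic for telling a validation failure apart from an ordinary upstream outage: repeat the query with CD (Checking Disabled) set, which RFC 4035 defines as asking the resolver to hand back data it would otherwise refuse. Whether Wikidough honours CD is not stated on this page, so that part is the generic technique; the responses used are constructed headers, not captured traffic.

```python
import struct

# DNS header flag bits and the response codes that matter for validation.
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010  # Authentic Data, Checking Disabled
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def parse_header(msg):
    """Decode the fixed 12-byte DNS header; refuse anything shorter."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F, "ancount": an}


def validation_status(msg):
    """Classify a validating resolver's answer from the header alone:
    SERVFAIL (bogus or failed), AD set (validated), otherwise unsigned zone."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    return "secure" if h["ad"] else "insecure"


def diagnose_servfail(plain_reply, cd_reply):
    """The dig +cd technique: the same query sent once normally and once with
    CD=1. A SERVFAIL that turns into an answer under CD=1 is a validation
    failure; a SERVFAIL under both is an upstream problem, not DNSSEC."""
    plain, with_cd = validation_status(plain_reply), validation_status(cd_reply)
    if plain != "servfail":
        return "no-failure"
    if with_cd == "servfail":
        return "upstream-failure"
    return "bogus"


def constructed_response(rcode, ad=False, cd=False, txid=0x1234):
    """Constructed 12-byte header with one question and no records: enough
    for the flag logic above, not a full DNS message."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    if ad:
        flags |= FLAG_AD
    if cd:
        flags |= FLAG_CD
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    bogus = constructed_response(RCODE_SERVFAIL)
    under_cd = constructed_response(RCODE_NOERROR, cd=True)
    print(validation_status(bogus), "->", diagnose_servfail(bogus, under_cd))
```

The AD flag is only meaningful on a trusted, encrypted path to the resolver, which is what DoH and DoT provide here: over plaintext UDP/53 a network attacker could set it on forged answers, and a client that trusts AD without validating itself would learn nothing from it.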

IPv6

Wikidough supports IPv6 for both its DoH and DoT frontends.

External Links