You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org

Wikidough: Difference between revisions

imported>Sukhbir Singh
(based on feedback, update headings)
imported>Sukhbir Singh
(refer to the Wikidough hierdata file)
Line 2: Line 2:
'''Wikidough''' ("''Wiki DoH''") is a caching, recursive [[w:DNS over HTTPS|DNS-over-HTTPS]] and [[w:DNS over TLS|DNS-over-TLS]] resolver service.
'''Wikidough''' ("''Wiki DoH''") is a caching, recursive [[w:DNS over HTTPS|DNS-over-HTTPS]] and [[w:DNS over TLS|DNS-over-TLS]] resolver service.


It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated, but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.
It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.


For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough.
For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough.
== Design ==
Wikidough has two primary components: a ''dnsdist'' frontend and a ''PowerDNS Recursor'' backend. The choice of two separate components in Wikidough is intentional and stems from the lack of support for new encrypted DNS protocols such as DoH and DoT in most recursive resolver software (including PowerDNS Recursor) as they only accept queries over traditional unencrypted DNS (UDP/53) from users.
Thus dnsdist provides the frontends for DoH and DoT and performs TLS termination, while the actual DNS lookups are performed by PowerDNS Recursor. Both of these components are running on the same host; dnsdist accepts queries from users (listening on ''0.0.0.0/0'' and ''::/0'') and sends them to a local PowerDNS Recursor instance (listening on ''127.0.0.1'').


== Features ==  
== Features ==  
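Review bot: in the new Design paragraph, "listening on ''0.0.0.0/0'' and ''::/0''" uses CIDR prefixes where bind addresses are meant; dnsdist binds the wildcard addresses, so write ''0.0.0.0'' and ''::'' (or "all interfaces"). The same paragraph says recursive resolvers only accept "traditional unencrypted DNS (UDP/53)"; plain DNS is also carried over TCP/53, so "port 53" is the accurate phrasing.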
Line 12: Line 18:
Wikidough supports DNS-over-HTTPS (DoH) on TCP/443 and DNS-over-TLS (DoT) on TCP/853. Users can select either protocol to secure their DNS as both DoH and DoT share the same privacy and security guarantees within Wikidough, but users are reminded to be mindful of the difference between the protocols themselves.
Wikidough supports DNS-over-HTTPS (DoH) on TCP/443 and DNS-over-TLS (DoT) on TCP/853. Users can select either protocol to secure their DNS as both DoH and DoT share the same privacy and security guarantees within Wikidough, but users are reminded to be mindful of the difference between the protocols themselves.


Wikidough does not support UDP/53.
Wikidough does not and has no plans to support unencrypted DNS over UDP/53.


====== Modern TLS Protocols ======
====== Modern TLS Protocols ======


Wikidough supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikidough prioritizes <code>ChaCha20-Poly1305</code>.
Wikidough supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikidough prioritizes ''ChaCha20-Poly1305''.


[[https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_tls.py#132 Test for DoH] | [https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_tls.py#90 Test for DoT]]
[ [[gerrit:plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_tls.py#132|Test for DoH]] | [[gerrit:plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_tls.py#90|Test for DoT]] ]


====== No EDNS Client Subnet* ======  
====== No EDNS Client Subnet* ======  
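Review bot: the feature headings in this hunk (====== Modern TLS Protocols ======, ====== No EDNS Client Subnet* ======) are level-six headings sitting under the level-two == Features ==, which skips several levels; === ... === would nest correctly. The change from <code>ChaCha20-Poly1305</code> to ''ChaCha20-Poly1305'' also swaps literal-identifier markup for italics; a cipher suite name is an identifier and the <code> form of the old revision reads better.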
Line 26: Line 32:
EDNS-Client-Subnet is not enabled for queries destined for any other name servers.
EDNS-Client-Subnet is not enabled for queries destined for any other name servers.


[[https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#133 Test to verify ECS is disabled] | [https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#102 Test to verify ECS is enabled for queries to Wikimedia's DNS servers]]
[ [[gerrit:plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#133|Test to verify ECS is disabled]] | [[gerrit:plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#102|Test to verify ECS is enabled for queries to Wikimedia's DNS servers]] ]


====== Query Name Minimisation ======
====== Query Name Minimisation ======
Line 32: Line 38:
Wikidough supports query name minimisation to increase the privacy of user queries by not sending the full query name to authoritative nameservers. When you look up en.m.wikipedia.org with Wikidough and because of query name minimisation, Wikidough only reveals wikipedia.org to the .org name server and not the en.m label.
Wikidough supports query name minimisation to increase the privacy of user queries by not sending the full query name to authoritative nameservers. When you look up en.m.wikipedia.org with Wikidough and because of query name minimisation, Wikidough only reveals wikipedia.org to the .org name server and not the en.m label.


[[https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#207 Test to verify qname minimisation is enabled]]
[ [[gerrit:plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#207|Test to verify qname minimisation is enabled]] ]


====== DNSSEC ======
====== DNSSEC ======


Wikidough is a DNSSEC-validating resolver. Wikidough will always perform validation of queries regardless of the client's intention to validate and will respond with <code>SERVFAIL</code> in case of a bogus response.
Wikidough is a DNSSEC-validating resolver. Wikidough will always perform validation of queries regardless of the client's intention to validate and will respond with ''SERVFAIL'' in case of a bogus response.


[[https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#160 Test to verify DNSSEC is enabled and validated]]
[ [[gerrit:plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master/tests/test_dns.py#160|Test to verify DNSSEC is enabled and validated]] ]


====== IPv6 ======
====== IPv6 ======


Wikidough supports IPv6 for both its DoH and DoT frontends.
Wikidough supports IPv6 for both its DoH and DoT frontends.
== Deployment ==
There is currently only one deployed instance of Wikidough at the [[Codfw_cluster|Codfw]] cluster but we have plans for deployment on [[Clusters|all our PoPs]].
Our current deployment of Wikidough runs dnsdist 1.5.0 (with [https://github.com/PowerDNS/pdns/pull/9510 a patch to add support for SSL_OP_PRIORITIZE_CHACHA]) and PowerDNS Recursor 4.3.3. Both of these are installed from backported Debian ''testing'' packages available at [https://apt.wikimedia.org/wikimedia/dists/buster-wikimedia/component/ apt.wikimedia.org].
=== Source Code ===
The deployment of Wikidough corresponds to the source code in our [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production|Puppet repository]]. The [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/dnsdist/|dnsdist module]] covers setting up and configuring a dnsdist instance, the [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/dnsrecursor/|dnsrecursor module]] does the same for a PowerDNS Recursor instance, and both of these are called by the Wikidough [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/role/manifests/wikidough.pp|role]] and [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/profile/manifests/wikidough.pp|profile]] and customized with the configuration data from [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/hieradata/role/common/wikidough.yaml|wikidough.yaml]].
The configuration files for dnsdist can be found at [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/dnsdist/templates/dnsdist.conf.erb|dnsdist.conf.erb]] and for PowerDNS Recursor at [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/dnsrecursor/templates/recursor.conf.erb|recursor.conf.erb]].
=== Testing ===
[[gerrit:plugins/gitiles/operations/software/knead-wikidough/+/refs/heads/master|knead-wikidough]] is a test suite for the production testing of Wikidough. It helps validate the existing deployment of Wikidough by testing its TLS and DNS settings and the interaction of the dnsdist and PowerDNS Recursor components.


==External Links==
==External Links==
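Review bot: the new ''SERVFAIL'' in the DNSSEC paragraph is an RCODE name and belongs in <code>, as the old revision had it (<code>SERVFAIL</code>). In the new Deployment section, "dnsdist 1.5.0 (with a patch ...)" installed from "backported Debian testing packages" leaves unstated which package version string actually carries the SSL_OP_PRIORITIZE_CHACHA patch; naming it would let a reader compare against what <code>apt policy dnsdist</code> reports on the host.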

Revision as of 21:18, 7 January 2021

Wikidough ("Wiki DoH") is a caching, recursive DNS-over-HTTPS and DNS-over-TLS resolver service.

It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated, but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.

For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough.

Design

Wikidough has two primary components: a dnsdist frontend and a PowerDNS Recursor backend. Using two separate components is intentional: most recursive resolver software (including PowerDNS Recursor) does not support the newer encrypted DNS protocols DoH and DoT and only accepts queries from users over traditional unencrypted DNS on port 53 (UDP and TCP).

dnsdist therefore provides the DoH and DoT frontends and terminates TLS, while the actual DNS lookups are performed by PowerDNS Recursor. Both components run on the same host: dnsdist accepts queries from users on all addresses (0.0.0.0 and ::) and forwards them over the loopback interface to a local PowerDNS Recursor instance bound to 127.0.0.1, so the unencrypted hop between the two never leaves the host and the recursor is not reachable from the network.

Features

Secure DNS

Wikidough supports DNS-over-HTTPS (DoH) on TCP/443 and DNS-over-TLS (DoT) on TCP/853. Users can select either protocol to secure their DNS, as both offer the same privacy and security guarantees within Wikidough, but should be mindful of the differences between the protocols themselves: DoT uses a dedicated port that is easy for a network operator to identify and block, while DoH shares TCP/443 with ordinary HTTPS traffic and carries the DNS messages inside HTTP requests.

Wikidough does not and has no plans to support unencrypted DNS over UDP/53.

Modern TLS Protocols

Wikidough supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. When a client lists ChaCha20-Poly1305 first in its own cipher preferences, as mobile clients without AES hardware acceleration typically do, Wikidough honours that preference and selects ChaCha20-Poly1305 (this is the SSL_OP_PRIORITIZE_CHACHA behaviour mentioned under Deployment).

[ Test for DoH | Test for DoT ]
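A client-side counterpart to the TLS policy described above, added here as an example (it is not knead-wikidough's test_tls.py): a TLS 1.3-only context for DoH, a context for DoT that allows TLS 1.2 only with AEAD suites and otherwise TLS 1.3, an offline check that no non-AEAD suite is enabled, and a probe that reports what a server actually negotiates. The hostname passed to probe() is a placeholder; the port numbers are the ones on this page.

```python
"""Client-side TLS policy matching the Wikidough description: TLS 1.3 only for
DoH; TLS 1.2 restricted to AEAD suites, plus TLS 1.3, for DoT.  Added example,
not knead-wikidough code.  Hostnames passed to probe() are assumptions."""
import socket
import ssl

DOH_PORT = 443   # DoH, from the page
DOT_PORT = 853   # DoT, from the page


def doh_context():
    """Client context that refuses anything older than TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def dot_context():
    """Client context allowing TLS 1.2 only with ECDHE + AEAD suites, and TLS 1.3.
    ChaCha20 is listed first, as a mobile client without AES hardware would do;
    a server running with SSL_OP_PRIORITIZE_CHACHA then picks it for us."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The OpenSSL cipher string only governs TLS 1.2 suites; TLS 1.3 suites are
    # configured separately by OpenSSL and are all AEAD anyway.
    ctx.set_ciphers("ECDHE+CHACHA20:ECDHE+AESGCM")
    return ctx


def non_aead_suites(ctx):
    """Names of enabled suites that are not AEAD; empty for a compliant policy."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def probe(host, port, ctx):
    """Connect and report the negotiated (protocol, cipher).  Needs network and
    is not exercised by the offline checks; host is a placeholder here."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("DoH minimum:", doh_context().minimum_version.name)
    print("DoT minimum:", dot_context().minimum_version.name)
    print("non-AEAD suites enabled for DoT:", non_aead_suites(dot_context()))
```

SSL_OP_PRIORITIZE_CHACHA is a server-side OpenSSL option; a client can only express its own preference by listing the ChaCha20 suite first, which is what dot_context() does. Running probe("resolver.example", DOT_PORT, dot_context()) against a real frontend shows whether that preference is honoured.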

No EDNS Client Subnet*

To preserve the privacy of clients and their IP addresses, Wikidough does not support the EDNS-Client-Subnet (ECS) extension, [*] with a single exception: queries to Wikimedia's own authoritative nameservers. Wikidough therefore shares client address information (as an ECS prefix) only with DNS servers that are run and operated by the Wikimedia Foundation; this is required for gdnsd's GeoIP plugin to route users to their closest Wikimedia data centre.

EDNS-Client-Subnet is not enabled for queries destined for any other name servers.

[ Test to verify ECS is disabled | Test to verify ECS is enabled for queries to Wikimedia's DNS servers ]

Query Name Minimisation

Wikidough supports query name minimisation (RFC 7816), which increases the privacy of user queries by not sending the full query name to nameservers that do not need it. For example, when resolving en.m.wikipedia.org, Wikidough asks the .org nameservers only about wikipedia.org; the en.m labels are revealed only to the nameservers authoritative for wikipedia.org.

[ Test to verify qname minimisation is enabled ]
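To make the en.m.wikipedia.org example concrete, the following added example (not Wikidough or PowerDNS Recursor code) lists which name a minimising resolver sends to each zone on the path, and contrasts it with a resolver that sends the full name everywhere. The zone cuts are given up front as an assumption; a real resolver discovers them from the referrals it receives.

```python
"""Which names a query-name-minimising resolver (RFC 7816) sends to each zone,
versus a resolver that sends the full name everywhere.  Added example, not
Wikidough or PowerDNS Recursor code; the zone cuts are supplied up front here,
whereas a real resolver learns them from the delegations it receives."""


def _labels(name):
    return [label for label in name.rstrip(".").split(".") if label]


def _zone_name(labels):
    return ".".join(labels) + "." if labels else "."


def minimised_queries(qname, zone_cuts):
    """Return [(zone asked, name sent)] adding one label per step, starting at
    the root; after a referral the following steps go to the child zone."""
    labels = _labels(qname)
    cuts = {tuple(_labels(z)) for z in zone_cuts}
    zone = ()                        # start at the root zone
    steps = []
    for i in range(1, len(labels) + 1):
        suffix = tuple(labels[-i:])  # org / wikipedia.org / m.wikipedia.org / ...
        steps.append((_zone_name(zone), _zone_name(suffix)))
        if suffix in cuts:           # the answer was a referral into this zone
            zone = suffix
    return steps


def full_queries(qname, zone_cuts):
    """Without minimisation every zone on the path sees the complete name."""
    labels = _labels(qname)
    on_path = {tuple(_labels(z)) for z in zone_cuts
               if labels[len(labels) - len(_labels(z)):] == _labels(z)}
    return [(_zone_name(z), _zone_name(labels)) for z in sorted(on_path, key=len)]


def names_seen_by(zone, steps):
    """Query names a given zone's servers receive in a list of (zone, name) steps."""
    return sorted({name for z, name in steps if z == zone})


if __name__ == "__main__":
    cuts = [".", "org.", "wikipedia.org."]   # assumed zone cuts on the path
    for zone, name in minimised_queries("en.m.wikipedia.org", cuts):
        print(f"{zone:16} sees {name}")
```

With the cuts above, the .org servers receive only wikipedia.org; both m.wikipedia.org and en.m.wikipedia.org go to the wikipedia.org servers, which would have seen the full name anyway.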

DNSSEC

Wikidough is a DNSSEC-validating resolver. It validates every response regardless of whether the client asked for validation (by setting the DO or AD bit) and answers SERVFAIL when validation fails, i.e. when the data is bogus. A client that does set the DO bit can additionally check the AD bit in the reply to confirm that the answer was validated.

[ Test to verify DNSSEC is enabled and validated ]
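The following added example (not Wikidough or knead-wikidough code) shows the wire-level pieces that the Design, Secure DNS, No EDNS Client Subnet and DNSSEC sections describe: building a query with an EDNS(0) OPT record, framing it for DoT's length-prefixed TCP stream or as a DoH GET, attaching or detecting an EDNS Client Subnet option (what Wikidough adds only towards Wikimedia's nameservers), and reading the RCODE and AD bit in a reply. All messages are constructed inside the block; the SERVFAIL and AD-flagged replies are hand-built to look like a validating resolver's answers, not captured from Wikidough.

```python
"""Wire-level view of a Wikidough exchange: a DNS query with EDNS(0) and an
optional Client Subnet option, framed for DoT (RFC 7858) or DoH (RFC 8484),
and the flags a validating resolver sets in its reply.  Added example, not
Wikidough or knead-wikidough code; all messages below are constructed."""
import base64
import ipaddress
import struct

TYPE_A, TYPE_OPT = 1, 41
RCODE_SERVFAIL = 2
OPT_ECS = 8           # EDNS Client Subnet option code (RFC 7871)
DO_BIT = 0x8000       # DNSSEC OK flag, carried in the OPT record's TTL field


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ecs_option(client_ip, prefix_len):
    """ECS option carrying only prefix_len bits of client_ip (RFC 7871 s.6)."""
    ip = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    addr = net.network_address.packed[: (prefix_len + 7) // 8]
    data = struct.pack("!HBB", 1 if ip.version == 4 else 2, prefix_len, 0) + addr
    return struct.pack("!HH", OPT_ECS, len(data)) + data


def build_query(qname, qtype=TYPE_A, txid=0x1234, ecs=b""):
    """Recursive query with an OPT record asking for DNSSEC records (DO=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, len(ecs)) + ecs
    return header + question + opt


def frame_dot(msg):
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def frame_doh(msg, path="/dns-query"):
    """DoH GET form: unpadded base64url in the dns= parameter.  Zeroing the ID
    first makes identical queries identical URLs, so HTTP caches can serve them."""
    token = base64.urlsafe_b64encode(b"\x00\x00" + msg[2:]).rstrip(b"=").decode()
    return f"GET {path}?dns={token} HTTP/1.1\r\nAccept: application/dns-message\r\n\r\n"


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x20),
            "counts": (qd, an, ns, ar)}


def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off


def find_ecs(msg):
    """(client prefix, prefix length) from the OPT record, or None if no ECS."""
    qd, an, ns, ar = parse_header(msg)["counts"]
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == TYPE_OPT and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == OPT_ECS:
                family, bits, _scope = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                return str(ipaddress.ip_address(addr)), bits
    return None


def verdict(reply):
    """How a client should read a validating resolver's answer."""
    h = parse_header(reply)
    if h["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"         # bogus data, or the lookup genuinely failed
    return "validated" if h["ad"] else "unvalidated"


# Constructed samples: replies to QUERY with flags QR|RD|RA plus SERVFAIL, and
# QR|RD|RA|AD with NOERROR, as a DNSSEC-validating resolver would set them.
QUERY = build_query("en.m.wikipedia.org")
BOGUS_REPLY = QUERY[:2] + b"\x81\x82" + QUERY[4:]
VALID_REPLY = QUERY[:2] + b"\x81\xa0" + QUERY[4:]
```

Because Wikidough always validates, a client cannot tell a bogus answer from a genuine upstream failure by RCODE alone; sending DO (as build_query() does) and checking the AD bit on NOERROR answers is the positive signal. find_ecs() over a query captured on the recursor's outgoing side is the decode step behind a check like the linked ECS test: it must return None for non-Wikimedia targets and a prefix, not a full address, for Wikimedia's nameservers.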

IPv6

Wikidough supports IPv6 for both its DoH and DoT frontends.

Deployment

There is currently only one deployed instance of Wikidough, at the Codfw cluster, but we have plans for deployment on all our PoPs.

Our current deployment of Wikidough runs dnsdist 1.5.0 (with a patch to add support for SSL_OP_PRIORITIZE_CHACHA) and PowerDNS Recursor 4.3.3. Both of these are installed from backported Debian testing packages available at apt.wikimedia.org.

Source Code

The deployment of Wikidough corresponds to the source code in our Puppet repository. The dnsdist module covers setting up and configuring a dnsdist instance, the dnsrecursor module does the same for a PowerDNS Recursor instance, and both of these are called by the Wikidough role and profile and customized with the configuration data from wikidough.yaml.

The configuration files for dnsdist can be found at dnsdist.conf.erb and for PowerDNS Recursor at recursor.conf.erb.

Testing

knead-wikidough is a test suite for the production testing of Wikidough. It helps validate the existing deployment of Wikidough by testing its TLS and DNS settings and the interaction of the dnsdist and PowerDNS Recursor components.

External Links