Wikidough
Wikidough ("Wiki DoH") is a caching, recursive DNS-over-HTTPS and DNS-over-TLS resolver service.
It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated, but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.
For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough.
Features
Secure DNS
Wikidough supports DNS-over-HTTPS (DoH) on TCP/443 and DNS-over-TLS (DoT) on TCP/853. Users can select either protocol to secure their DNS, as both DoH and DoT share the same privacy and security guarantees within Wikidough, but users are reminded to be mindful of the difference between the protocols themselves.
Wikidough does not support UDP/53.
Modern TLS Protocols
Wikidough supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikidough prioritizes ChaCha20-Poly1305.
No EDNS Client Subnet*
To preserve the privacy of clients and their IP addresses, Wikidough does not support the EDNS-Client-Subnet extension, [*] except, and only, for queries to Wikimedia's authoritative nameservers. This means that Wikidough shares the client IP address only with DNS servers that are run and operated by the Wikimedia Foundation; this is required for gdnsd's GeoIP plugin to function correctly and route users to their closest Wikimedia data centre.
EDNS-Client-Subnet is not enabled for queries destined for any other name servers.
[Test to verify ECS is disabled | Test to verify ECS is enabled for queries to Wikimedia's DNS servers]
Query Name Minimisation
Wikidough supports query name minimisation to increase the privacy of user queries by not sending the full query name to authoritative nameservers. For example, when you look up en.m.wikipedia.org with Wikidough, query name minimisation means that Wikidough reveals only wikipedia.org to the .org name server and not the en.m label.
[Test to verify qname minimisation is enabled]
DNSSEC
Wikidough is a DNSSEC-validating resolver. Wikidough will always perform validation of queries regardless of the client's intention to validate and will respond with SERVFAIL in case of a bogus response.
[Test to verify DNSSEC is enabled and validated]
IPv6
Wikidough supports IPv6 for both its DoH and DoT frontends.