You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org
It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated, but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.
For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough.
Wikidough supports DNS-over-HTTPS (DoH) on TCP/443 and DNS-over-TLS (DoT) on TCP/853. Users can select either protocol to secure their DNS as both DoH and DoT share the same privacy and security guarantees within Wikidough, but users are reminded to be mindful of the difference between the protocols themselves.
Wikidough does not support UDP/53.
Modern TLS Protocols
Wikidough supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikidough prioritizes
No EDNS Client Subnet*
To preserve the privacy of clients and their IP addresses, Wikidough does not support the EDNS-Client-Subnet extension, [*] except and only for queries to Wikimedia's authoritative nameservers. This means that Wikidough shares the client IP address only with DNS servers that are run and operated by the Wikimedia Foundation; this is required for gdnsd's GeoIP plugin to function correctly to route users to their closest Wikimedia data centre.
EDNS-Client-Subnet is not enabled for queries destined for any other name servers.
Query Name Minimisation
Wikidough supports query name minimisation to increase the privacy of user queries by not sending the full query name to authoritative nameservers. When you look up en.m.wikipedia.org with Wikidough and because of query name minimisation, Wikidough only reveals wikipedia.org to the .org name server and not the en.m label.
Wikidough is a DNSSEC-validating resolver. Wikidough will always perform validation of queries regardless of the client's intention to validate and will respond with
SERVFAIL in case of a bogus response.
Wikidough supports IPv6 for both its DoH and DoT frontends.