
Wikidough

From Wikitech-static

Wikidough ("Wiki DoH") is a caching, recursive DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver service.

It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.

For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough (currently restricted to Wikimedia Foundation staff).

A Note About Encrypted DNS

Please note that while DNS protocols such as DoH and DoT encrypt DNS queries between your client (like Firefox) and a resolver (Wikidough), an on-path observer (such as your ISP) can still identify which websites you are connecting to through the SNI field in the ClientHello message (currently unencrypted) or the IP address of the website. Nevertheless, given that DNS-based censorship and surveillance is often the easiest to implement, securing your DNS is a good first step towards improving your privacy. The Encrypted Client Hello extension (ECH; formerly called Encrypted SNI) to TLSv1.3 encrypts the SNI field and because of how it works, ECH requires encrypted DNS to be effective. Coupled together and once properly deployed, these two technologies will help address long-standing issues with privacy of users on the internet.

[Figure: Wikidough Design (Wikidough Design.svg)]

Design

Wikidough has two primary components: a dnsdist frontend and a PowerDNS Recursor backend. The choice of two separate components in Wikidough is intentional and stems from the lack of support for new encrypted DNS protocols such as DoH and DoT in most recursive resolver software (including PowerDNS Recursor) as they only accept queries over traditional unencrypted DNS (UDP/53) from users.

Thus dnsdist provides the frontends for DoH and DoT and performs TLS termination, while the actual DNS lookups are performed by PowerDNS Recursor. Both of these components are running on the same host; dnsdist accepts queries from users (listening on 0.0.0.0/0 and ::/0) and sends them to a local PowerDNS Recursor instance (listening on 127.0.0.1).

Features

Encrypted DNS

Wikidough supports DoH on TCP/443 and DoT on TCP/853. Users can select either protocol to secure their DNS as both DoH and DoT share the same privacy and security guarantees within Wikidough, but users are reminded to be mindful of the differences between the protocols themselves.

Wikidough does not and has no plans to support unencrypted DNS over UDP/53 or TCP/53.

Modern TLS Protocols

Wikidough supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikidough prioritizes ChaCha20-Poly1305.

[ Test for DoH | Test for DoT ]

No EDNS Client Subnet*

To preserve the privacy of clients and their IP addresses, Wikidough does not support the EDNS-Client-Subnet extension, [*] except, and only, for queries to Wikimedia's authoritative nameservers. This means that Wikidough shares the client IP address only with DNS servers that are run and operated by the Wikimedia Foundation; gdnsd's GeoIP plugin needs this information to route users to their closest Wikimedia data centre.

EDNS-Client-Subnet is not enabled for queries destined for any other name servers.

[ Test to verify ECS is disabled | Test to verify ECS is enabled for queries to Wikimedia's DNS servers ]

Query Name Minimisation

Wikidough supports query name minimisation to increase the privacy of user queries by not sending the full query name to authoritative nameservers. When you look up en.m.wikipedia.org through Wikidough, query name minimisation means that Wikidough reveals only wikipedia.org to the .org name servers, not the en.m labels.

[ Test to verify qname minimisation is enabled ]

DNSSEC

Wikidough is a DNSSEC-validating resolver. Wikidough always validates responses regardless of whether the client asked for validation, and it responds with SERVFAIL if a response is bogus.

[ Test to verify DNSSEC is enabled and validated ]

EDNS(0) Padding

Wikidough currently does not support EDNS(0) Padding as described in RFC 7830 but support for it is upcoming.
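As an added example that is not part of the Wikidough project or knead-wikidough, the following Python builds the kind of probe the ECS, DNSSEC and padding checks above call for: a wire-format DNS query carrying an EDNS(0) OPT record with the RFC 7830 Padding option (padded to the RFC 8467 block size), encoded for an RFC 8484 DoH GET, plus a parser that reports the rcode, the AD bit and whether an ECS option came back. The sample responses are constructed inline, not captured from Wikidough.

```python
import base64
import struct

# EDNS(0) option codes (IANA): 8 = Client Subnet (RFC 7871), 12 = Padding (RFC 7830)
OPT_ECS, OPT_PADDING = 8, 12
# OPT pseudo-RR fixed part: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag set
OPT_FIXED = b"\x00" + struct.pack(">HHBBH", 41, 1232, 0, 0, 0x8000)
def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
def build_query(name, qtype=1, block=128):
    """Query with RD and DO set, padded with EDNS(0) Padding to a multiple of `block` bytes (RFC 8467)."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # ID 0 (RFC 8484 GET), RD=1, 1 question, 1 OPT
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    unpadded = len(header) + len(question) + len(OPT_FIXED) + 2 + 4  # + RDLENGTH + option code/length
    pad = -unpadded % block
    rdata = struct.pack(">HH", OPT_PADDING, pad) + b"\x00" * pad
    return header + question + OPT_FIXED + struct.pack(">H", len(rdata)) + rdata
def doh_get_path(query):
    """RFC 8484 GET form: base64url of the wire message with '=' padding stripped."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()
def skip_name(buf, off):  # advance past a (possibly compressed) name
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2  # compression pointer ends the name
        off += 1 + buf[off]
    return off + 1
def parse_response(buf):
    """Return rcode, whether the AD (authenticated data) bit is set, and whether the OPT RR carries ECS."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", buf[:12])
    off, ecs = 12, False
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        o = 0
        while rtype == 41 and o + 4 <= len(rdata):  # walk the EDNS options inside the OPT RR
            code, olen = struct.unpack(">HH", rdata[o:o + 4])
            ecs, o = ecs or code == OPT_ECS, o + 4 + olen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "ecs": ecs}
# Constructed sample responses (not captured from Wikidough); 203.0.113.0/24 is documentation space.
_Q = encode_name("en.m.wikipedia.org") + struct.pack(">HH", 1, 1)
VALIDATED = (struct.pack(">HHHHHH", 0, 0x81A0, 1, 1, 0, 1) + _Q + b"\xc0\x0c"  # QR RD RA AD, NOERROR
             + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 1]) + OPT_FIXED + b"\x00\x00")
BOGUS = struct.pack(">HHHHHH", 0, 0x8182, 1, 0, 0, 1) + _Q + OPT_FIXED + b"\x00\x00"  # QR RD RA, SERVFAIL
ECS_OPT = struct.pack(">HHHBB", OPT_ECS, 7, 1, 24, 0) + bytes([203, 0, 113])  # family 1, /24, scope 0
WITH_ECS = struct.pack(">HHHHHH", 0, 0x81A0, 1, 0, 0, 1) + _Q + OPT_FIXED + struct.pack(">H", 11) + ECS_OPT
```

Against a live resolver you would send the GET path with an `Accept: application/dns-message` header and feed the response body to parse_response; an ECS option in the reply to a non-Wikimedia name, or a NOERROR without AD for a signed zone, would indicate a configuration regression.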

Deployment

Wikidough is currently deployed as an anycasted service on all our PoPs.

Our current deployment of Wikidough runs dnsdist 1.6.1 and PowerDNS Recursor 4.5.7. Both of these are installed from backported Debian sid packages available at apt.wikimedia.org.

Source Code

The deployment of Wikidough corresponds to the source code in our Puppet repository. The dnsdist module covers setting up and configuring a dnsdist instance, the dnsrecursor module does the same for a PowerDNS Recursor instance, and both of these are called by the Wikidough role and profile and customized with the configuration data from wikidough.yaml.

The configuration files for dnsdist can be found at dnsdist.conf.erb and for PowerDNS Recursor at recursor.conf.erb.

Testing

knead-wikidough is a test suite for the production testing of Wikidough. It helps validate the existing deployment of Wikidough by testing its TLS and DNS settings and the interaction of the dnsdist and PowerDNS Recursor components.

External Links