You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org
It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.
For getting started and configuration instructions, see https://office.wikimedia.org/wiki/SRE/Wikidough (currently restricted to Wikimedia Foundation staff).
A Note About Encrypted DNS
Please note that while DNS protocols such as DoH and DoT encrypt DNS queries between your client (like Firefox) and a resolver (Wikidough), an on-path observer (such as your ISP) can still identify which websites you are connecting to through the SNI field in the ClientHello message (currently unencrypted) or the IP address of the website. Nevertheless, given that DNS-based censorship and surveillance is often the easiest to implement, securing your DNS is a good first step towards improving your privacy. The Encrypted Client Hello extension (ECH; formerly called Encrypted SNI) to TLSv1.3 encrypts the SNI field and because of how it works, ECH requires encrypted DNS to be effective. Coupled together and once properly deployed, these two technologies will help address long-standing issues with privacy of users on the internet.
Wikidough has two primary components: a dnsdist frontend and a PowerDNS Recursor backend. The choice of two separate components in Wikidough is intentional and stems from the lack of support for new encrypted DNS protocols such as DoH and DoT in most recursive resolver software (including PowerDNS Recursor) as they only accept queries over traditional unencrypted DNS (UDP/53) from users.
Thus dnsdist provides the frontends for DoH and DoT and performs TLS termination, while the actual DNS lookups are performed by PowerDNS Recursor. Both of these components are running on the same host; dnsdist accepts queries from users (listening on 0.0.0.0/0 and ::/0) and sends them to a local PowerDNS Recursor instance (listening on 127.0.0.1).
Wikidough supports DoH on TCP/443 and DoT on TCP/853. Users can select either protocol to secure their DNS as both DoH and DoT share the same privacy and security guarantees within Wikidough, but users are reminded to be mindful of the differences between the protocols themselves.
Wikidough does not and has no plans to support unencrypted DNS over UDP/53 or TCP/53.
Modern TLS Protocols
Wikidough supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikidough prioritizes ChaCha20-Poly1305.
No EDNS Client Subnet*
To preserve the privacy of clients and their IP addresses, Wikidough does not support the EDNS-Client-Subnet extension, [*] except and only for queries to Wikimedia's authoritative nameservers. This means that Wikidough shares the client IP address only with DNS servers that are run and operated by the Wikimedia Foundation; this is required for gdnsd's GeoIP plugin to function correctly to route users to their closest Wikimedia data center.
EDNS-Client-Subnet is not enabled for queries destined for any other name servers.
Query Name Minimisation
Wikidough supports query name minimisation to increase the privacy of user queries by not sending the full query name to authoritative nameservers. When you look up en.m.wikipedia.org with Wikidough and because of query name minimisation, Wikidough only reveals wikipedia.org to the .org name server and not the en.m label.
Wikidough is a DNSSEC-validating resolver. Wikidough will always perform validation of queries regardless of the client's intention to validate and will respond with SERVFAIL in case of a bogus response.
Wikidough supports IPv6 for both its DoH and DoT frontends.
Wikidough is currently deployed as an anycasted service on all our PoPs.
Our current deployment of Wikidough runs dnsdist 1.6.1 and PowerDNS Recursor 4.6.0. Both of these are installed from backported Debian sid packages available at apt.wikimedia.org.
The deployment of Wikidough corresponds to the source code in our Puppet repository. The dnsdist module covers setting up and configuring a dnsdist instance, the dnsrecursor module does the same for a PowerDNS Recursor instance, and both of these are called by the Wikidough role and profile and customized with the configuration data from wikidough.yaml.
knead-wikidough is a test suite for the production testing of Wikidough. It helps validate the existing deployment of Wikidough by testing its TLS and DNS settings and the interaction of the dnsdist and PowerDNS Recursor components.
durum is the check service for Wikidough.
To ensure that you have correctly configured and are using Wikidough, please visit the Wikidough check page at check.wikimedia-dns.org.
- Troubleshooting: blocking IP addresses, rate-limiting.
- Administration: adding a new Wikidough host.
- Monitoring: details about Icinga checks.