
I've actually just written a blog post about it: http://www.dmitry-ishkov.com/2016/09/dns-over-https.html You can run a local DNS server which is gonna use Google's DNS-over-HTTPS. But as eridius noticed, you still have to resolve dns.google.com.


There are several different implementations of proxies for DNS-over-HTTPS:

https://github.com/aarond10/https_dns_proxy (C)
https://github.com/pforemski/dingo (Golang)
https://github.com/tssva/dnshttps-proxy (Golang)
https://github.com/wrouesnel/dns-over-https-proxy (Golang)
https://github.com/CodeFalling/dns-proxy-https (Javascript)

I'd heard that somebody was working on DNS-over-HTTPS support for https://github.com/getdnsapi/getdns at the hackathon in Buenos Aires in April just before DNS-OARC / IETF-95, but have seen no evidence of that.


How fast does it work? What perceived latency does it have during usual web surfing?


I would not use that implementation. It is broken in multiple ways. The most impactful to normal browsing is that it only supports a couple of RR types, which doesn't include CNAMEs.


I didn't mention it in my original comment because I thought the code didn't exist anymore but I found an old Time Machine backup disk with the code on it for an updated version of the referenced implementation. I have put it up on Github at https://github.com/tssva/dnshttps-proxy. I need to throw up a README and give attribution. Will get to that later today.

This version will support all RR types supported by the miekg/dns library, which is the vast majority of them and any you are likely to come across in the wild. It also allows you to specify regular DNS resolvers, which can be used in two ways: as a fallback if connectivity to the DNS-over-HTTPS service fails, or to always resolve specific domains. It also allows you to restrict access to the proxy to certain networks. The rest of the code should be IPv6 friendly, but for some reason I implemented the access list in a manner that only supports specifying IPv4 networks. Guess I have something to work on.

If no DNS resolvers are specified it attempts to use the Google Public DNS servers to resolve dns.google.com. If DNS resolvers are specified they are used to resolve dns.google.com. A flag to always use the Google Public DNS servers would be useful, so now I have 2 things to work on.

As far as performance impact, I have generally seen 20-80 msec of additional delay. Using a caching resolver behind the proxy would help mitigate this. As is, the additional delay is pretty much unnoticeable when web browsing.
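The core of such a proxy is turning Google's JSON answer back into a DNS wire-format response, including the CNAME records the broken implementation mentioned above drops. The example below is added here and is not code from any of the linked projects; it assumes the dns.google.com JSON answer format (Status, Question, Answer with name/type/TTL/data) and uses a constructed sample response rather than a live lookup.

```python
import json
import socket
import struct

# Constructed sample in the dns.google.com JSON answer format (not a live
# response): a CNAME chain that ends in an A record.
SAMPLE_JSON = """{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,
 "Question":[{"name":"www.example.test.","type":1}],
 "Answer":[{"name":"www.example.test.","type":5,"TTL":300,"data":"cdn.example.test."},
           {"name":"cdn.example.test.","type":1,"TTL":60,"data":"192.0.2.10"}]}"""

def encode_name(name):
    """Encode a dotted domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def encode_rdata(rtype, data):
    """Convert the JSON 'data' field of one record to wire RDATA."""
    if rtype == 1:            # A: dotted quad -> 4 bytes
        return socket.inet_pton(socket.AF_INET, data)
    if rtype == 28:           # AAAA: textual IPv6 -> 16 bytes
        return socket.inet_pton(socket.AF_INET6, data)
    if rtype in (2, 5, 12):   # NS, CNAME, PTR carry a domain name
        return encode_name(data)
    raise ValueError("unsupported RR type %d" % rtype)

def json_to_wire(text, txid):
    """Build a DNS response message for the JSON answer 'text'.

    txid is the transaction ID copied from the client's UDP query so the
    client can match the answer to its question.
    """
    doc = json.loads(text)
    rcode = doc["Status"] & 0x0F              # Status maps to the RCODE
    flags = 0x8000 | 0x0100 | 0x0080 | rcode  # QR=1, RD=1, RA=1
    if doc.get("TC"):
        flags |= 0x0200                       # truncated
    if doc.get("AD"):
        flags |= 0x0020                       # DNSSEC-validated by upstream
    questions = doc["Question"]
    answers = doc.get("Answer", [])
    msg = struct.pack("!HHHHHH", txid, flags, len(questions), len(answers), 0, 0)
    for q in questions:
        msg += encode_name(q["name"]) + struct.pack("!HH", q["type"], 1)  # class IN
    for rr in answers:
        rdata = encode_rdata(rr["type"], rr["data"])
        msg += encode_name(rr["name"])
        msg += struct.pack("!HHIH", rr["type"], 1, rr["TTL"], len(rdata)) + rdata
    return msg
```

A real proxy would read the query from a UDP socket, fetch the JSON over HTTPS, and send the bytes returned here back to the client.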
