DNS over HTTPS (server side)

I'm going to work on supporting DNS over HTTPS (updated in the meantime). It's going to be implemented as an extra handler for the http module similar to the /trace endpoint.

cc @vcunat @pspacek

added feature label

changed milestone to %2018 Q1

Well, OK. Only server-side support for now, I suppose.

As for the RFC, the primary motivation is

to prevent on-path network devices from interfering with DNS operations.

but the same can be achieved by serving DNS-over-TLS on port 443, as that's on-path unrecognizable from HTTPS. We've had server-side support for that for some time, and client-side support is being finished just now. For now they only define using the same DNS wire-format, so I can't ATM see much benefit of the additional HTTP layer.

AFAIK the main advantage right now is that DNS-over-HTTPS allows you to do queries from Javascript in web browser. For some reason there is certain demand for this ...

Yes, the main advantage is that it's easier to do from JS (as it can change message format based on content-type), and it can do server push and mix DNS with other content. If you look at who's behind both drafts, you'll get the idea who is interested in what.

@vavrusam Do I undestand correctly that this issue is not actively worked on?

I'm going to mark is as 'waiting for demand' because right now we have full hands with TLS and other stuff. Of course priorities might change if there is sufficient interent (and preferably a helping hand).

unassigned @vavrusam

added insufficient-demand label

removed milestone

We (Cloudflare) have built a module for this. I can make a PR when all the dependent PRs get merged.

removed insufficient-demand label

Nice! Hopefully things will get unblocked when we are done with NSEC 3 aggressive cache and cache refactoring (hopefully in next two weeks or so).

assigned to @vavrusam

Format changed slightly in https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/13 (and Firefox 62+) (Perhaps time update the summary above?)

mentioned in issue #243 (closed)

changed the description

changed title from DNS over HTTPS to DNS over HTTPS (server side)

Hi there, any news on how this is progressing @vavrusam ?

@pettai: we (knot resolver team) have WIP on this, and expect to release it soon.

assigned to @pspacek and unassigned @vavrusam

Cool, does that mean that its committed into gitlab already? (sorry, I'm not following the changelog nor the mailinglist(s), and this issue has not been updated with any progress)

I'd be happy to test this asap.

@pettai: yes, there's a branch, but you might prefer to wait a few days.

mentioned in merge request !799 (merged)

@pettai: now the MR is suitable for testing. It even has detailed user docs already. It most likely won't differ significantly from the way we'll release it.

closed via merge request !799 (merged)

mentioned in commit e806b5f9