feat(dns): support DoH, DoT, DoH3, DoQ #649
UPDATE! DoH3 scheme is h3 now:
time="Sep 24 17:15:26" level=trace msg="Received UDP(DNS) 192.168.33.244:52874 <-> 192.168.33.1:53: wq.io. A"
And I will try to make both h3 and http3 work.
This is truly an exciting job! I will take the time to review it.
Both h3 and http3 can be DoH3's scheme now.
Finally, someone has taken action on DNS. Awesome.
I do not change the behavior of TCP DNS, and I just tested that it works well.
DoQ is a work in progress; ODoH is on the plan.
control/dns_control.go (outdated)

```go
// Excerpt under review: the write loop only evaluates the log-level check
// before formatting a debug message.
for {
	_, err = conn.Write(data)
	if err != nil {
		if c.log.IsLevelEnabled(logrus.DebugLevel) {
```
I understand that this debug level check is not necessary.
It is for performance optimization
> It is for performance optimization

I don't see where the performance optimization is here. In fact, the Debugln method internally calls: https://github.com/sirupsen/logrus/blob/v1.9.3/entry.go#L303
Since DoH3 is broken by FakeNetPacketConn's implementation, I have forked the outbound package and temporarily disabled some code about the quic.OOBCapablePacketConn implementation. If you have any conclusions about this issue, please let me know. cc @mzz2017
DoQ support has been added.
Cool!
@douglarek DoQ should work with alidns now.
dae version unstable-20240926.pr-649.r17.bc5204
DoH upstream https://cloudflare-dns.com/dns-query
[Sep 26 03:14:38] WARN handlePkt: Post "https://104.16.248.249:443/dns-query": tls: failed to verify certificate: x509: certificate is valid for 1.0.0.1, 1.1.1.1, 162.159.36.1, 162.159.46.1, 2606:4700:4700::1001, 2606:4700:4700::1111, 2606:4700:4700::64, 2606:4700:4700::6400, not 104.16.248.249
@tkszhzy Please run curl -v https://cloudflare-dns.com/dns-query on your computer and upload the outputs.
root@debian:~# curl -v https://cloudflare-dns.com/dns-query
By DNS testing tool:
root@debian:~# dnslookup www.yahoo.com https://cloudflare-dns.com/dns-query
dnslookup result (elapsed 238.519706ms):
;; QUESTION SECTION:
;; ANSWER SECTION:
This is because the current DoH request does not set the SNI. 104.16.248.249 is not just the host of the DNS server, and Cloudflare does not provide a valid IP certificate for this IP, so the certificate check fails; you can use an IP URL like https://1.1.1.1/dns-query to avoid this issue. Also, I have fixed the issue, so you can keep this usage. For this case, and for users who want to use a self-hosted DoH server and can get an IP certificate, setting the SNI is required. When the SNI and the HTTP host mismatch, Cloudflare will return a 403.
And for AliDNS, it returns 200.
So we also need to keep the SNI and the HTTP host the same; keeping them the same is best, so I implemented it. You can try the latest build. Feel free to report any issues or feedback.
The latest build is cool. Thanks to all of the dae team!
ODoH is too hard to find a proxy server for, so I gave up on implementing it. For those interested in DNS protocols like ODoH, or protocols with a similar approach, you can have a look at https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md, which has more relay servers available.
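The following is an added example, not dae's code from this PR, showing the invariant discussed above: a DoH client that dials the IP chosen for the upstream but keeps the configured hostname as both the TLS SNI (the name the certificate is verified against) and the HTTP Host header, with an RFC 8484 POST request. The `dohTarget` type, its methods and the caller-supplied resolved IP are assumptions of this example; the hostname and IP values are the ones that appear in the thread.

```go
package main

import (
	"bytes"
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// dohTarget pairs the DoH upstream as configured (its hostname is what the
// HTTP Host header and the TLS SNI must carry) with the IP address the
// connection is actually opened to. Which IP is chosen is outside this
// example; the caller supplies it (assumption).
type dohTarget struct {
	upstream   *url.URL // e.g. https://cloudflare-dns.com/dns-query
	resolvedIP net.IP   // e.g. 104.16.248.249
}

// dialAddr is the address handed to the dialer: resolved IP plus the URL
// port (443 when the URL carries none).
func (t dohTarget) dialAddr() string {
	port := t.upstream.Port()
	if port == "" {
		port = "443"
	}
	return net.JoinHostPort(t.resolvedIP.String(), port)
}

// tlsConfig pins the SNI, and therefore the name the certificate is verified
// against, to the configured hostname rather than to the dialed IP. For an IP
// URL such as https://1.1.1.1/dns-query the hostname is the IP itself.
func (t dohTarget) tlsConfig() *tls.Config {
	return &tls.Config{ServerName: t.upstream.Hostname(), MinVersion: tls.VersionTLS12}
}

// newDoHClient builds an http.Client whose transport dials the resolved IP
// but presents and verifies the hostname, so SNI, certificate check and
// HTTP Host all agree.
func newDoHClient(t dohTarget) *http.Client {
	tr := &http.Transport{
		TLSClientConfig:   t.tlsConfig(),
		ForceAttemptHTTP2: true,
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			// The URL's host:port is ignored; the socket goes to the chosen IP.
			return d.DialContext(ctx, network, t.dialAddr())
		},
	}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}
}

// newDoHRequest builds an RFC 8484 POST carrying one wire-format DNS message.
// The request URL keeps the configured hostname, so req.Host (the Host
// header) is the same name the SNI carries.
func newDoHRequest(ctx context.Context, t dohTarget, wire []byte) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, t.upstream.String(), bytes.NewReader(wire))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/dns-message")
	req.Header.Set("Accept", "application/dns-message")
	return req, nil
}

// hostAndSNIMatch is the check behind the thread's conclusion: when the two
// names differ, Cloudflare answers 403, and dialing by IP without an SNI is
// what produced the x509 verification failure above.
func hostAndSNIMatch(req *http.Request, cfg *tls.Config) bool {
	return req.URL.Hostname() == cfg.ServerName
}

func main() {
	u, _ := url.Parse("https://cloudflare-dns.com/dns-query")
	target := dohTarget{upstream: u, resolvedIP: net.ParseIP("104.16.248.249")}
	client := newDoHClient(target)
	// Empty body: no network traffic is sent here, only the request shape is shown.
	req, err := newDoHRequest(context.Background(), target, []byte{})
	if err != nil {
		panic(err)
	}
	cfg := client.Transport.(*http.Transport).TLSClientConfig
	fmt.Println("dial:", target.dialAddr(), "host:", req.Host, "sni:", cfg.ServerName,
		"consistent:", hostAndSNIMatch(req, cfg))
}
```

Sending the request through `client.Do(req)` would connect to 104.16.248.249:443 while verifying the certificate for cloudflare-dns.com, which is the case the earlier IP-only request failed.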
The msg id should be set to 0 when transported over QUIC. https://github.com/natesales/q/blob/1cb2639caf69bd0a9b46494a3c689130df8fb24a/transport/quic.go#L97 https://datatracker.ietf.org/doc/html/rfc9250#section-4.2.1
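An added example (not dae's code, nor the q transport linked above) of the DoQ framing this comment points at: RFC 9250 requires the DNS message ID to be 0 on the wire and prefixes each message on a stream with its 2-octet length, so the client must remember its own ID, zero it before writing, and put it back on the reply to match the waiting query. The helper names, the minimal A query for wq.io. and the "server echo" used as a response are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const dnsHeaderLen = 12

var (
	errShort      = errors.New("dns message shorter than header")
	errTooLong    = errors.New("dns message exceeds 16-bit length prefix")
	errIncomplete = errors.New("need more stream data")
	// RFC 9250 section 4.2.1: a message with a non-zero ID is a protocol error.
	errNonZeroID = errors.New("doq message with non-zero ID")
)

// frameForDoQ returns the bytes to write on a DoQ stream for msg: a 2-octet
// big-endian length prefix followed by a copy of msg whose ID field is 0.
// The caller's original ID is returned so the reply can be re-stamped.
func frameForDoQ(msg []byte) (framed []byte, origID uint16, err error) {
	if len(msg) < dnsHeaderLen {
		return nil, 0, errShort
	}
	if len(msg) > 0xFFFF {
		return nil, 0, errTooLong
	}
	origID = binary.BigEndian.Uint16(msg[:2])
	framed = make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(framed[:2], uint16(len(msg)))
	copy(framed[2:], msg)
	framed[2], framed[3] = 0, 0 // ID MUST be 0 on the wire
	return framed, origID, nil
}

// unframeFromDoQ takes one length-prefixed message off buf, rejects a
// non-zero ID as RFC 9250 requires, restores the client's original ID and
// returns the unread remainder of the buffer.
func unframeFromDoQ(buf []byte, origID uint16) (msg, rest []byte, err error) {
	if len(buf) < 2 {
		return nil, buf, errIncomplete
	}
	n := int(binary.BigEndian.Uint16(buf[:2]))
	if len(buf) < 2+n {
		return nil, buf, errIncomplete
	}
	if n < dnsHeaderLen {
		return nil, buf, errShort
	}
	if binary.BigEndian.Uint16(buf[2:4]) != 0 {
		return nil, buf, errNonZeroID
	}
	msg = make([]byte, n)
	copy(msg, buf[2:2+n])
	binary.BigEndian.PutUint16(msg[:2], origID) // back to the ID the caller used
	return msg, buf[2+n:], nil
}

// buildQuery is a constructed sample: a minimal recursion-desired A query
// for wq.io. (the name used in the PR's test logs) with the given ID.
func buildQuery(id uint16) []byte {
	hdr := make([]byte, dnsHeaderLen)
	binary.BigEndian.PutUint16(hdr[0:2], id)
	binary.BigEndian.PutUint16(hdr[2:4], 0x0100) // flags: RD
	binary.BigEndian.PutUint16(hdr[4:6], 1)      // QDCOUNT
	q := append(hdr, 2, 'w', 'q', 2, 'i', 'o', 0) // QNAME wq.io.
	return append(q, 0, 1, 0, 1)                  // QTYPE A, QCLASS IN
}

func main() {
	q := buildQuery(0x1234)
	framed, id, err := frameForDoQ(q)
	if err != nil {
		panic(err)
	}
	fmt.Printf("query  id=%#04x\nstream %x\n", id, framed)
	// A DoQ server answers with ID 0 as well; here the query is echoed back.
	resp, _, err := unframeFromDoQ(framed, id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("reply  id=%#04x\n", binary.BigEndian.Uint16(resp[:2]))
}
```

The same 2-octet length prefix is what DoT uses over TCP, but only DoQ zeroes the ID: over QUIC each query owns its own stream, so the ID no longer carries correlation and a non-zero value must be rejected rather than matched.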
🧪 Since the PR has been fully tested, please consider merging it.
Thanks for your awesome work!
Background
dae lacks support for some encrypted DNS protocols; this PR adds support for DoH, DoT, DoH3 and DoQ.
TODO
Checklist
Full Changelogs
Issue Reference
Closes #321
Closes #583
Test Result
time="Sep 24 15:58:37" level=trace msg="Received UDP(DNS) 192.168.33.244:41532 <-> 192.168.33.1:53: wq.io. A"
time="Sep 24 15:58:37" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="tls://dns.google:853"
time="Sep 24 15:58:37" level=trace msg="Choose DNS path" choose="tcp+4" ipversions=[4 6] l4protos=[tcp] upstream="tls://dns.google:853" use="8.8.8.8:853"
time="Sep 24 15:58:37" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="tls://dns.google:853"
time="Sep 24 15:58:37" level=info msg="192.168.33.244:41532 <-> 8.8.8.8:853" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="tcp4(DNS)" outbound=direct pid=50022 pname=dig policy=fixed qtype=A
time="Sep 24 15:58:37" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0
time="Sep 24 15:57:36" level=trace msg="Received UDP(DNS) 192.168.33.244:50965 <-> 192.168.33.1:53: wq.io. A"
time="Sep 24 15:57:36" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="http3://dns.alidns.com:443"
time="Sep 24 15:57:36" level=trace msg="Choose DNS path" choose="udp+4" ipversions=[4 6] l4protos=[udp] upstream="http3://dns.alidns.com:443" use="223.5.5.5:443"
time="Sep 24 15:57:36" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="http3://dns.alidns.com:443"
time="Sep 24 15:57:36" level=info msg="192.168.33.244:50965 <-> 223.5.5.5:443" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="udp4(DNS)" outbound=direct pid=49833 pname=dig policy=fixed qtype=A
time="Sep 24 15:57:36" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0
time="Sep 24 15:56:57" level=trace msg="Received UDP(DNS) 192.168.33.244:39025 <-> 192.168.33.1:53: wq.io. A"
time="Sep 24 15:56:57" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="https://dns.alidns.com:443"
time="Sep 24 15:56:57" level=trace msg="Choose DNS path" choose="tcp+4" ipversions=[4 6] l4protos=[tcp] upstream="https://dns.alidns.com:443" use="223.5.5.5:443"
time="Sep 24 15:56:57" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="https://dns.alidns.com:443"
time="Sep 24 15:56:57" level=info msg="192.168.33.244:39025 <-> 223.5.5.5:443" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="tcp4(DNS)" outbound=direct pid=49693 pname=dig policy=fixed qtype=A
time="Sep 24 15:56:57" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0
Footnotes
1. https://datatracker.ietf.org/doc/html/rfc8484#section-4.1
2. https://www.rfc-editor.org/rfc/rfc9250.html#name-dns-message-ids