Bug 1200 - Does unbound support DNS-over-HTTPS (DoH)?
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.6.0
Hardware: x86_64 Windows
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2017-01-06 05:08 CET by lenovo_me
Modified: 2018-10-12 20:16 CEST

Description lenovo_me 2017-01-06 05:08:38 CET
thanks
Comment 1 Wouter Wijngaards 2017-01-06 08:57:21 CET
Hi Lenovo_me,

No, there is no support for this at the current time.  Unbound does support DNS over TLS, but that is without the HTTPS encoding.  Is there a reason you need it, a use case?

Best regards, Wouter
Comment 2 M Travis 2017-04-09 02:11:49 CEST
Here is the wiki page for Google's DNS service: https://www.everipedia.com/Google_Public_DNS/
Comment 3 nusenu 2018-06-17 20:51:24 CEST
In contrast to DoT, Firefox will ship DoH support. Would be nice to have this in unbound including DNSSEC over DoH (which is not supported by firefox yet).

https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/
https://developers.cloudflare.com/1.1.1.1/dns-over-https/
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
Comment 4 Wouter Wijngaards 2018-06-18 10:20:46 CEST
Hi,

Thanks for the links, and that is certainly moving DOH forwards with the nice Firefox implementation.

For Unbound, it could offer client and server side support.  For server side support of DOH, we (discussed here) feel that nginx or apache module support could be best.  This can be deployed as a server on its own, or it can be deployed for a server that is already a webserver.  When the DNS requests over HTTP go to the server that is also the webserver the privacy guarantees are very good, because the information flows to the webserver that already has it.

For client support, getdns is currently working to implement DOH support (and https2 as well I believe) and that could be upcoming in a neartime release for getdns.

What was your interest, client or server?  And what sort of deployment, I mean set up, that seems a discussion point on DOH, and Firefox with a hardcoded destination (that works today, so it's great), is one particular option, but asking the website is also very attractive.

Unbound could give an nginx or apache module DNS resolving capabilities with libunbound, which is nearly equally capable as the unbound DNS server (it doesn't have unbound-control statistics lookups).

Best regards, Wouter
Comment 5 nusenu 2018-06-18 10:54:18 CEST
Hi Wouter,

thanks for your quick reaction on this.

(In reply to Wouter Wijngaards from comment #4)
> What was your interest, client or server?  

I'm primarily interested in Unbound acting as a DoH server with DNSSEC support (DNSSEC records offered to the DoH client for validation), and to a lesser extent Unbound acting as a DoH client.

> And what sort of deployment, I
> mean set up, that seems a discussion point on DOH, and Firefox with a
> hardcoded destination (that works today, so its great), is one particular
> option, but asking the website is also very attractive.

A set up where a webserver offers DoH replies to a client (i.e. Firefox) that did not explicitly ask or configure that website as a TRR is outside the scope of the current DoH specification. On the last IETF DoH WG meeting (IETF101-DOH-20180322) DKG presented an idea of opportunistically providing DNS records to clients that did not ask for them, but there is no draft for that AFAIK.
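
Added illustration, not part of the thread and not Unbound code: comment 1 notes that DoT carries DNS "without the HTTPS encoding", and comment 5 asks for DNSSEC records to reach the DoH client. The Python sketch below builds one DNS query with the EDNS0 DO bit set, then shows the same bytes framed for DoT and encoded for a DoH GET request as defined in RFC 8484 (the published form of the draft linked in comment 3). The `/dns-query` path and all function names are assumptions.

```python
import base64
import struct

QTYPE_A, QTYPE_OPT, CLASS_IN = 1, 41, 1
DO_BIT = 0x8000  # "DNSSEC OK" flag in the EDNS0 flags field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, want_dnssec: bool = True) -> bytes:
    """Build a wire-format DNS query carrying an EDNS0 OPT record."""
    # ID 0 (recommended by RFC 8484 so HTTP caches can match requests),
    # RD flag set, one question, one additional record (the OPT record).
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, TYPE 41, CLASS = UDP payload size, then the TTL field
    # split into extended RCODE, version and flags, and an empty RDATA.
    flags = DO_BIT if want_dnssec else 0
    opt = b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 1232, 0, 0, flags, 0)
    return header + question + opt


def doh_get_target(query: bytes, path: str = "/dns-query") -> str:
    """DoH GET form: base64url of the DNS message with padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"  # path is an assumption; servers choose their own


def decode_doh_param(b64: str) -> bytes:
    """Server side: restore the stripped padding and recover the DNS message."""
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def dot_frame(query: bytes) -> bytes:
    """DoT sends the same message behind the 2-byte length prefix used over TCP."""
    return struct.pack("!H", len(query)) + query


if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample name
    print("DoH:", doh_get_target(q))
    print("DoT:", dot_frame(q).hex())
```

The DNS message, including the DO bit that asks the resolver to return DNSSEC records, is identical in both transports; only the framing around it differs.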
Comment 6 j.vogt 2018-09-11 12:06:52 CEST
As DNS over HTTPS is coming into shape it would be great to have unbound acting as a DoH server. 

Perhaps you already know this link but here is an overview of the current implementation status of different privacy features for different servers:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status

There is also a draft now for Associating a DoH Server with a Resolver.
https://tools.ietf.org/html/draft-hoffman-resolver-associated-doh-01
Comment 7 Benno Overeinder 2018-09-11 13:35:27 CEST
Hi,

(In reply to j.vogt from comment #6)
> As DNS over HTTPS is coming into shape it would be great to have unbound
> acting as a DoH server. 

Indeed, we do have some ideas to implement DoH in or with use of Unbound, but we do have some questions to operators how they would like to use a DoH server.  

Do you want to run the DoH service independently from other DNS services?  That is, (i) DoH service as a separate instance, running on its own (virtual) server or on shared infrastructure with other web services; or (ii) DoH as an integral service of Unbound, thus besides DNS over port 53 and DNS over TLS over port 853.

> Perhaps you already know this link but here is an overview of the current
> implementation status of different privacy features for different servers:
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status

Thank you for mentioning the pointer.  As a matter of fact, NLnet Labs is an active partner in dnsprivacy.org, together with Sinodun. 

> There is also draft now for Associating a DoH Server with a Resolver.
> https://tools.ietf.org/html/draft-hoffman-resolver-associated-doh-01

Thank you again.  We (the DNS Privacy partners) are closely following and participating in the DoH server discussion.  In the current discussion wrt. DoH the privacy considerations and consequences are not as thoroughly analysed as with the design of DNS over TLS standards.

Any feedback is welcome and looking forward to your comments.  Also your request for DoH support is appreciated.

Best regards,

-- Benno
Comment 8 j.vogt 2018-09-11 17:37:46 CEST
Hi
> Do you want to run the DoH service independently from other DNS services? 
> That is, (i) DoH service as a separate instance, running on its own
> (virtual) server or on shared infrastructure with other web services; or
> (ii) DoH as an integral service of Unbound, thus besides DNS over port 53
> and DNS over TLS over port 853.
I personally would prefer (ii), DoH as an integral service of unbound. I see it as an addition similar to DNS over TLS. Meaning: This is a DNS resolver, it does DNS resolver stuff - regardless of which way / port / whatever is used. 
This might also be a bit faster than making a separate proxy and sending the requests to another server (unbound). 
However, if you decide to implement it as a separate instance, I will also be happy to test this. 

Best regards
Josef