Add DNS over HTTPS service
parent f13523573a
commit 4f96496854
@ -113,6 +113,25 @@ nameserver fd42:5d71:219:0:1::43
nameserver 172.20.20.65
```
#### DNS over HTTPS (DoH)
* https://dns.burble.dn42/dns-query
* https://[fd42:4242:2601:ac53::53]/dns-query
* https://172.20.129.2/dns-query
The recursive DNS service supports DNS over HTTPS. The HTTPS service is signed by the
burble.dn42 [Certificate Authority](/home/certificate-authority), and the CA certificate
will be required by the DoH client in order to use the service. Unfortunately, the
use of a self-signed CA means that OCSP stapling is not supported.
```
$ doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query
burble.dn42 from https://[fd42:4242:2601:ac53::53]/dns-query
TTL: 3600 seconds
A: 172.20.129.3
AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001
```
## Implementation
The DNS service is implemented as a tiered, anycast service with each node
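Review bot: the sentence "the use of a self-signed CA means that OCSP stapling is not supported" conflates two separate things. Stapling only requires the issuing CA to run an OCSP responder and to place its URL in the certificate's AIA extension, which a private CA can do exactly as a public one can; if the burble.dn42 CA simply does not operate a responder, say that instead, e.g. "the CA does not run an OCSP responder, so no revocation status is stapled". Since readers are being told to install this CA certificate in their DoH client, the paragraph should also point at how to verify the CA certificate's fingerprint out of band on the linked /home/certificate-authority page before trusting it. Finally, two of the three listed endpoints are IP literals (`https://[fd42:4242:2601:ac53::53]/dns-query` and `https://172.20.129.2/dns-query`); for the `doh` example to validate the handshake, the server certificate has to carry those addresses as IP SANs alongside the dns.burble.dn42 name, which is worth stating so that anyone re-issuing the certificate does not drop them.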
@ -122,15 +141,21 @@ in the network providing a local cache in front of five, regional, master nodes.
The ns1.burble.dn42 authoritative service is provided by [dnsdist](https://dnsdist.org/).
Queries are forwarded to the nearest regional master node and responses are then cached.
If the regional master is not available, the next nearest will be queried until a response is found.
If the regional master is not available, the next nearest will be queried until a response
is found.
The dns.burble.dn42 recursive service is provided by [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html)
configured using the 'all-servers' mode. Queries are forwarded to all 5 regional masters in parallel
and the first response received is then returned. This approach ensures users get the lowest latency
results possible, regardless of location, and that any local connectivity issues do not impact the results.
The dns.burble.dn42 recursive service is provided by
[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html)
configured using the 'all-servers' mode. Queries are forwarded to all 5 regional masters
in parallel and the first response received is then returned. This approach ensures users
get the lowest latency results possible, regardless of location, and that any local
connectivity issues do not impact the results.
Recursive queries are cached on the edge nodes and master nodes, creating a network wide cache
of results across all users of the service.
of results across all users of the service.
Each edge node also runs [m13253/dns-over-https](https://github.com/m13253/dns-over-https)
to provide the DNS over HTTPS service.
Anycast routes to the DNS servers are advertised to the main Bird2 instance using
[GoBGP](https://github.com/osrg/gobgp) and a health checking script.
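Review bot: the line "of results across all users of the service." appears twice with identical text, so that part of the rewrap changed only trailing whitespace; drop the whitespace-only change so the hunk is limited to the wording it actually alters. On the content, dnsmasq's all-servers mode returns whichever answer arrives first, which the paragraph presents purely as a latency win, but it also means the fastest master decides the answer for every user and a single regional master serving stale or wrong data is not outvoted by the other four; one sentence saying this is acceptable because all five masters are operated by burble.dn42 would make that trust assumption explicit. Lastly, dnsdist is a DNS proxy and load balancer rather than an authoritative server, so "The ns1.burble.dn42 authoritative service is provided by dnsdist" reads more accurately as "is fronted by dnsdist, which forwards to the regional master nodes".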
@ -10,6 +10,10 @@ A log of changes to the burble.dn42 network.
## burble.dn42 Maintenance Log
#### 17nd July 2019
DoH! The [DNS Service](/home/dns) now support DNS over HTTPS.
#### 22nd June 2019
Tidied up node information.
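Review bot: "17nd July 2019" should be "17th July 2019", and "now support DNS over HTTPS" should be "now supports" to agree with the singular subject "The DNS Service".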
@ -6,7 +6,7 @@ media_order: 'DN42 Map 181224.2.png'
#burble.dn42
burble.dn42 is an experimental global network, part of [dn42](https://dn42.us/)
By active peer count, burble.dn42 is the 3rd largest IPv4 and 2nd largest IPv6 network in dn42.
By active peer count, burble.dn42 is currently the largest network in dn42.
#####Background
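Review bot: the replaced line drops the per-address-family detail ("3rd largest IPv4 and 2nd largest IPv6") in favour of "currently the largest network in dn42"; since "currently" dates quickly, consider adding the date of the peer count or where it was taken from so the claim can be re-checked later. Separately, the surrounding context lines "#burble.dn42" and "#####Background" have no space after the hashes, so CommonMark-conforming renderers will not treat them as headings; "# burble.dn42" and "##### Background" would render as intended.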