From 4f96496854f42e6b9d0283a6d59a8d98544230dd Mon Sep 17 00:00:00 2001 From: Simon Marsh Date: Wed, 17 Jul 2019 19:31:24 +0100 Subject: [PATCH] Add DNS over HTTPS service --- pages/01.home/dns/default.md | 37 ++++++++++++++++++++---- pages/01.home/maintenance-log/default.md | 4 +++ pages/04.about/default.md | 2 +- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/pages/01.home/dns/default.md b/pages/01.home/dns/default.md index 51bca37..2876e5a 100755 --- a/pages/01.home/dns/default.md +++ b/pages/01.home/dns/default.md @@ -113,6 +113,25 @@ nameserver fd42:5d71:219:0:1::43 nameserver 172.20.20.65 ``` +#### DNS over HTTPS (DoH) + +* https://dns.burble.dn42/dns-query +* https://[fd42:4242:2601:ac53::53]/dns-query +* https://172.20.129.2/dns-query + +The recursive DNS service supports DNS over HTTPS. The HTTPS service is signed by the +burble.dn42 [Certificate Authority](/home/certificate-authority), and the CA certificate +will be required by the DoH client in order to use the service. Unfortunately, the +use of a self-signed CA means that OCSP stapling is not supported. + +``` +$ doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query +burble.dn42 from https://[fd42:4242:2601:ac53::53]/dns-query +TTL: 3600 seconds +A: 172.20.129.3 +AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001 +``` + ## Implementation The DNS service is implemented as a tiered, anycast service with each node 
@@ -122,15 +141,21 @@ in the network providing a local cache in front of five, regional, master nodes. The ns1.burble.dn42 authoritative service is provided by [dnsdist](https://dnsdist.org/). Queries are forwarded to the nearest regional master node and responses are then cached. -If the regional master is not available, the next nearest will be queried until a response is found. +If the regional master is not available, the next nearest will be queried until a response +is found. -The dns.burble.dn42 recursive service is provided by [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) -configured using the 'all-servers' mode. Queries are forwarded to all 5 regional masters in parallel -and the first response received is then returned. This approach ensures users get the lowest latency -results possible, regardless of location, and that any local connectivity issues do not impact the results. +The dns.burble.dn42 recursive service is provided by +[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) +configured using the 'all-servers' mode. Queries are forwarded to all 5 regional masters +in parallel and the first response received is then returned. This approach ensures users +get the lowest latency results possible, regardless of location, and that any local +connectivity issues do not impact the results. Recursive queries are cached on the edge nodes and master nodes, creating a network wide cache -of results across all users of the service. +of results across all users of the service. + +Each edge node also runs [m13253/dns-over-https](https://github.com/m13253/dns-over-https) +to provide the DNS over HTTPS service. Anycast routes to the DNS servers are advertised to the main Bird2 instance using [GoBGP](https://github.com/osrg/gobgp) and a health checking script. diff --git a/pages/01.home/maintenance-log/default.md b/pages/01.home/maintenance-log/default.md index 119017b..6b140b6 100755 --- a/pages/01.home/maintenance-log/default.md 
+++ b/pages/01.home/maintenance-log/default.md @@ -10,6 +10,10 @@ A log of changes to the burble.dn42 network. ## burble.dn42 Maintenance Log +#### 17nd July 2019 + +DoH! The [DNS Service](/home/dns) now support DNS over HTTPS. + #### 22nd June 2019 Tidied up node information. diff --git a/pages/04.about/default.md b/pages/04.about/default.md index b35348f..750ea48 100755 --- a/pages/04.about/default.md +++ b/pages/04.about/default.md @@ -6,7 +6,7 @@ media_order: 'DN42 Map 181224.2.png' #burble.dn42 burble.dn42 is an experimental global network, part of [dn42](https://dn42.us/) -By active peer count, burble.dn42 is the 3rd largest IPv4 and 2nd largest IPv6 network in dn42. +By active peer count, burble.dn42 is currently the largest network in dn42. #####Background
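Review bot: In the dns/default.md hunk (@@ -113,6 +113,25 @@), the sentence "the use of a self-signed CA means that OCSP stapling is not supported" attributes the limitation to the wrong cause: a private CA can still operate an OCSP responder, so self-signing by itself does not rule out stapling. Suggest rewording to say that the burble.dn42 CA does not run an OCSP responder, so the DoH endpoint cannot staple revocation responses and clients that require them will need to relax that check. Separately, the paragraph says the CA certificate "will be required by the DoH client", but the `doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query` example shows no CA option; either state how the client was pointed at the CA or note that the sample assumes the CA is already trusted.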
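Review bot: In the second dns/default.md hunk (@@ -122,15 +141,21 @@), the line "of results across all users of the service." is removed and re-added with no visible change, which looks like a trailing-whitespace edit; drop it from the patch or strip the whitespace so the diff only carries the reflow and the new paragraph. The new paragraph "Each edge node also runs m13253/dns-over-https to provide the DNS over HTTPS service." would also be clearer if it said what the DoH frontend forwards to (presumably the node's local dnsmasq cache described just above), since that determines whether DoH queries share the network wide cache the previous paragraph describes.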
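Review bot: In the maintenance-log hunk (@@ -10,6 +10,10 @@), the new heading "#### 17nd July 2019" should read "#### 17th July 2019" (the ordinal is wrong), and "now support DNS over HTTPS" should be "now supports DNS over HTTPS".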
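Review bot: In the about/default.md hunk (@@ -6,7 +6,7 @@), the replacement "By active peer count, burble.dn42 is currently the largest network in dn42." drops the old per-family ranking and gives no source or date for the new claim, so it will silently go stale. Suggest qualifying it with an "as of July 2019" (the patch date) or linking to wherever the peer count is taken from.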