[dnsdist] Announcing: DNS over HTTPS on doh.powerdns.org

bert hubert bert.hubert at powerdns.com
Sat Aug 25 10:05:36 UTC 2018


Dear PowerDNS people,

[tl;dr, if you want to do DNS over HTTPS, you can configure
https://doh.powerdns.org/ in Firefox Nightly [1].  This is built on the
dnsdist DoH branch [2].  If you are a service provider, we need to hear from
you: what features do you need from us before you'll consider enabling DNS
over TLS and DNS over HTTPS for your users]

Over the past few months there has been a lot of discussion on various
mailing lists and conferences on 'DNS over HTTPS'. As you know, DNS is
currently almost always unencrypted, and in this way is a privacy problem if
someone can sniff your traffic.

Over at PowerDNS (and Open-Xchange, of which we are a part), privacy is
super important. Encrypt all the things. We were therefore early with
implementing DNS over TLS in dnsdist.

(DNS over TLS happens on port 853, and if you run a nameserver, you'll see
more and more Android Pie phones attempt to get their DNS over that port.
If you offer that, it will work, and you'll help improve the privacy and
integrity of the internet.)

Recently, Mozilla (who make Firefox) decided to take things one step
further.  They have opined that service providers can't be trusted and that
they would like to make Firefox, by default, move DNS to a 'Trusted
Recursive Resolver', hosted in this case by Cloudflare.  Details here:
https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/

If they do that, it means Firefox users will no longer use your DNS, they
will use Cloudflare's DNS. By default. The technology used for this is
called DNS over HTTPS and it operates on port 443. It has also been designed
to be almost impossible to block.

Over at PowerDNS & Open-Xchange, we believe in an open and decentralized
internet. We're also worried about governments that love to spy on the rest
of the world.  We therefore do not think it is a good idea to move DNS
traffic to big single companies in countries potentially far away.

However, we also think that when Mozilla says that DNS is unencrypted, they
do have a point.

Service providers should be offering encrypted DNS.  Because of this, we are
working hard to make dnsdist be "the DNS-over-TLS and DNS-over-HTTPS"
solution service providers need to turn on these protocols without worry.

If service providers themselves offer encrypted DNS that is one argument
less for centralising recursion on one CDN.

To do so, we are already working with some large scale DNS operators to get
them to deploy DoT and DoH, and this has already led to some specific
features. For example, renewing certificates for DoT can now happen without
downtime. We also think we should be fully automating that renewal through
Letsencrypt and send out SNMP traps/alerts should this fail.

To learn more, we are also offering our own experimental DoH service through
https://doh.powerdns.org, which you can enable in Firefox or one of the many
DoH proxies.

[1] https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

But we bet there are more things holding service providers back from
offering over HTTPS. So our question to you is: what is holding you back
from offering DNS over TLS and DNS over HTTPS? Is there anything we can do?
Are there missing features, are you worried about load-balancing or
performance, anything.

Please let us know.

If you want to try dnsdist DoH support yourself, head to:

[2] https://github.com/ahupowerdns/pdns/tree/dnsdist-doh

The configuration statement is:
addDOHLocal("136.144.215.158:443", "/etc/letsencrypt/live/doh.powerdns.org/fullchain.pem", "/etc/letsencrypt/live/doh.powerdns.org/privkey.pem")

Good luck!
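As an added illustration (not part of Bert's post and not dnsdist code), this is what the DNS-over-HTTPS traffic on port 443 actually carries: an ordinary wire-format DNS query, base64url-encoded into a GET parameter (or sent unchanged as a POST body), and an ordinary wire-format answer coming back. The /dns-query path is an assumption (the announcement names only the host), and the sample answer is constructed so the parser can be exercised offline.

```python
import base64
import struct

# Assumption (not in the announcement, which names only the host): the
# service answers on the usual DoH path, /dns-query.
DOH_URL = "https://doh.powerdns.org/dns-query"

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query: 12-byte header + one question (A = qtype 1)."""
    # ID 0 makes identical queries yield identical URLs, so HTTPS caches work.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(wire, base=DOH_URL):
    """GET form: query bytes in ?dns= as unpadded base64url (POST sends them as the body)."""
    return base + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def _skip_name(wire, off):
    """Offset just past a domain name, compressed (2-byte pointer) or not."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(wire, expected_txid=0):
    """Rcode and A-record addresses of a wire-format answer."""
    txid, flags, qd, an = struct.unpack("!HHHH", wire[:8])
    if txid != expected_txid or not flags & 0x8000:  # ID and QR must match
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(wire, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in wire[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "answers": addrs}

# Constructed sample answer (no network): example.com A 192.0.2.1, with the
# usual 0xC00C compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
```

Feeding `doh_get_url(build_query("example.com"))` to any HTTPS client with an `Accept: application/dns-message` header and passing the response body to `parse_response` is the whole client side of the protocol; note that the encoded query is plainly recoverable from the URL by anyone who terminates the TLS session, which is why the trust question the post raises is about the resolver operator, not the transport.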

