DNS-over-HTTP (DoH)
Warning
- DoH support was added in version 4.0.0 and is subject to change.
- The DoH implementation in Knot Resolver is intended for experimentation only, as there is insufficient experience with the module and with the DoH protocol in general.
- For the time being it is recommended to run the DoH endpoint on a separate machine that does not handle normal DNS operations.
- More information about the controversies around DoH can be found in the blog posts DNS Privacy at IETF 104 and More DOH by Geoff Huston.
- Knot Resolver developers do not endorse use of the DoH protocol.
The following sections compare several options for running a DoH-capable server. Make sure you read through this chapter before exposing the DoH service to users.
DoH support in Knot Resolver
The HTTP module in Knot Resolver also provides support for the binary DNS-over-HTTP protocol standardized in RFC 8484.
This integrated DoH server has the following properties:
| Scenario: | HTTP module in Knot Resolver configured to provide |
|---|---|
| Advantages: | |
| Disadvantages: | |
Example configuration is part of the examples for the generic HTTP module. After configuring your endpoint you can reach the DoH service at the URL https://your.resolver.hostname.example/doh. The query below sends the RFC 8484 GET form, in which the wire-format DNS message is passed base64url-encoded (without padding) in the dns= parameter; the reply body is a binary DNS message, not text.
# query for www.knot-resolver.cz AAAA
# NOTE: -k disables TLS certificate verification; use it only while testing
# a self-signed certificate, never when checking a production endpoint.
$ curl -k https://your.resolver.hostname.example/doh?dns=l1sBAAABAAAAAAAAA3d3dw1rbm90LXJlc29sdmVyAmN6AAAcAAE
Please see section HTTPS (TLS for HTTP) for further details about TLS configuration.
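As an added example (not code from Knot Resolver's HTTP module or from this documentation), the Python script below shows what the curl command above does on both sides of the wire: it builds the wire-format AAAA query, encodes it into the dns= parameter of a GET request exactly as RFC 8484 specifies (base64url with the padding stripped), shows the POST alternative with the application/dns-message media type, restores the padding the way a server must before decoding, and parses a reply. The endpoint URL is the page's placeholder; the reply bytes are constructed for the example, not captured from a server, and the 2001:db8::1 address is a documentation address.

```python
"""RFC 8484 DoH request encoding and response parsing (added example).

Not part of Knot Resolver. Endpoint URL is the page's placeholder; the
sample response is constructed here, not captured from a real server.
"""
import base64
import ipaddress
import struct

QTYPES = {"A": 1, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """Encode a domain name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0):
    """One-question query with RD set. RFC 8484 recommends txid 0 for GET
    so that identical questions yield identical URLs for HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def doh_get_url(endpoint, wire):
    """GET form: base64url-encoded message, '=' padding removed, in dns=."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, b64)


def doh_post_request(endpoint, wire):
    """POST form: the raw message is the body; no base64 involved."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return endpoint, headers, wire


def decode_dns_param(param):
    """Server side: re-add the stripped padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                      # bound any pointer loop
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(wire, expected_id=0):
    """Parse header, skip the question, decode answers; check the txid."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    if txid != expected_id:
        raise ValueError("txid %#x does not match query %#x" % (txid, expected_id))
    off = 12
    for _ in range(qd):
        _, off = read_name(wire, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(wire, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype in (1, 28):                  # A / AAAA: render the address
            rdata = str(ipaddress.ip_address(rdata))
        answers.append((name, QTYPE_NAMES.get(rtype, rtype), ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


# The page's query: txid 0x975b is what its base64url parameter decodes to.
PAGE_QUERY = build_query("www.knot-resolver.cz", "AAAA", txid=0x975B)

# Constructed (not captured) reply: QR+RD+RA, NOERROR, question echoed,
# one AAAA answer whose owner name is a pointer to the qname at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x975B, 0x8180, 1, 1, 0, 0)
    + PAGE_QUERY[12:]
    + b"\xc0\x0c"
    + struct.pack("!HHIH", 28, 1, 300, 16)
    + ipaddress.IPv6Address("2001:db8::1").packed
)

if __name__ == "__main__":
    print(doh_get_url("https://your.resolver.hostname.example/doh", PAGE_QUERY))
    print(parse_response(SAMPLE_RESPONSE, expected_id=0x975B))
```

Nothing here touches the network; to send the GET form for real, pass the URL from doh_get_url to urllib.request.urlopen with an Accept: application/dns-message header and feed the body to parse_response. The txid check is the one sanity check a client should keep even though DoH matches requests and responses at the HTTP layer; with txid 0, as recommended for GET, it degenerates to asserting the server echoed zero.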
Alternative configurations use HTTP proxies between clients and a Knot Resolver instance:
Normal HTTP proxy
| Scenario: | A standard HTTP-compliant proxy is configured to forward GET and POST requests for the HTTP endpoint /doh to a machine running Knot Resolver. |
|---|---|
| Advantages: | |
| Disadvantages: | |
HTTP proxy with DoH support
| Scenario: | An HTTP proxy extended with a special module for DNS-over-HTTP. The module transforms HTTP requests into standard DNS queries, which are then processed by Knot Resolver. DNS replies from Knot Resolver are then transformed back into HTTP encoding by the proxy. |
|---|---|
| Advantages: | |
| Disadvantages: | |
Client configuration
The most common client today is the Firefox web browser. The relevant configuration is described, for example, in the following article.
To use your own DoH server, change the network.trr.uri configuration option to match the URL of your DoH endpoint.
A more detailed description of the configuration options in Firefox can be found in the article Inside Firefox's DOH engine by Daniel Stenberg.
Warning
Please note that the Knot Resolver developers are not as enthusiastic about DoH technology as the author of the article linked above; make sure you read the warnings at the beginning of this section.