
[FR] Provide DNS over QUIC (DoQ) forwarding in libunbound

Open rwfranks opened this issue 1 year ago • 7 comments

Perl Net::DNS is widely used for test scripts and can be integrated with libunbound to provide both upstream DoT and DNSSEC validation.

There is, or soon will be, a real need to extend this capability to DoQ test scripts.

I anticipate that usage would be similar to the following DoT example:

    use Net::DNS;
    use Net::DNS::Resolver::Unbound 1.29 -register;

    # Upstreams are given as IP@port#auth-name; port 853 is DoT and the
    # auth-name is what libunbound checks the server certificate against.
    my $resolver = Net::DNS::Resolver->new(
        nameserver  => '1.1.1.1@853#cloudflare-dns.com',
        nameserver  => '8.8.8.8@853#dns.google',
        add_ta_file => '/var/lib/unbound/root.key',              # DNSSEC trust anchor
        option      => [qw(tls-cert-bundle /etc/ssl/cert.pem)],  # CA bundle for the DoT certs
        set_tls     => 1,                                        # force TLS to upstreams
        );

    my $response = $resolver->send( 'example.com.', 'AAAA' );

rwfranks, Aug 17 '24 14:08

There is a branch with doq functionality, but it is downstream only. In that branch, there is a testcode client, 'doqclient', that can perform client side doq lookups for unit tests. The upstream forward using doq is a good plan, but not there right now.

wcawijngaards, Aug 19 '24 07:08

An existing Net::DNS user expressed a wish to use DoQ for a global performance monitoring project. Integrating Net::DNS and libunbound seems the best route to achieve this. A favourable slot on your todo list would be much appreciated.

rwfranks, Aug 19 '24 10:08

I would like this feature too. Great thing is, client quic implementation is possible with openssl directly. https://docs.openssl.org/master/man7/openssl-quic/. Unlike usage with ngtcp2 where openssl is not yet supported. I admit using ngtcp2 library with at least client support part would be better than implementing separate support for openssl only. Especially as current API does not provide server side support.

pemensik, Oct 16 '24 13:10

Please add this [FR] to (new) milestone 1.23.0 to provide visibility to interested parties.

Completion of #871 and recent release of 1.22.0 inevitably increases the demand for upstream DoQ.

rwfranks, Oct 19 '24 14:10

> There is a branch with doq functionality, but it is downstream only. In that branch, there is a testcode client, 'doqclient', that can perform client side doq lookups for unit tests. The upstream forward using doq is a good plan, but not there right now.

What is the appropriate channel in which to request upstream forwarding using DoQ?

I know it can be done using, say, dnscrypt-proxy or ctrld and having unbound query that, but a more tightly coupled native implementation I'd assume would be faster than effectively handing the task over to something else.

mrpops2ko, May 22 '25 06:05
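For reference, here is what the DoT configuration from the opening post looks like when expressed in unbound.conf form, together with the local-proxy workaround mentioned in the comment above. This is an added example written for this thread, not configuration from the issue or from the unbound project; the file paths, the listening port of the proxy, and the choice of upstreams are assumptions, and (per the thread) there is no `forward-quic-upstream` style option in released unbound, so the DoQ step can only be delegated to a separate proxy today.

```conf
server:
    # CA bundle used to verify the upstream DoT certificates
    # (same value the Perl example passes via option => tls-cert-bundle)
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # DNSSEC trust anchor, managed by unbound (path assumed)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # log validation failures so a broken chain or a bad upstream is visible
    val-log-level: 2

# Option A: native DoT forwarding, the current equivalent of the
# Net::DNS::Resolver::Unbound settings in the opening post.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#auth-name: the name after '#' must match the server certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google

# Option B (mutually exclusive with A for name "."): hand DoQ to a local
# proxy such as dnscrypt-proxy or ctrld listening on loopback. The hop to
# the proxy is plaintext UDP/TCP, so keep it on 127.0.0.1 and leave
# forward-tls-upstream off; the proxy, not unbound, does the QUIC and
# certificate checks. Port 5353 is an assumed value.
#forward-zone:
#    name: "."
#    forward-tls-upstream: no
#    forward-addr: 127.0.0.1@5353
```

Run `unbound-checkconf` on the resulting file before reloading; with option A, a wrong auth-name or a missing CA bundle shows up as a TLS verification failure in the log rather than as a silent downgrade, because `forward-tls-upstream: yes` does not fall back to cleartext.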

This is an excellent place to request new features! The request has been noted, and is on the roadmap.

wcawijngaards, May 22 '25 07:05

+1 for upstream DoQ handling. In theory it should be on par or faster than TLS (hopefully)

ChaosYoda, Jun 01 '25 13:06