
Quad9 DoH

Open kazzarin opened this issue 4 years ago • 8 comments

App version: 5.8.0

When using the "Networks" feature to choose a DNS server, it appears Quad9 is only available through unsecured DNS:

https://github.com/blokadaorg/blokada/blob/8692f22c47e56836e300bccb3e231edcbf3d1a0c/android5/app/src/main/java/repository/DnsDataSource.kt#L140-L144

Even though the service does support DoH: https://www.quad9.net/service/service-addresses-and-features#doh

kazzarin avatar Feb 19 '21 09:02 kazzarin

Since this is not a PR for fixing a bug or security issue, here are the relevant changes to code

Dns(
    id = "quad9",
    ips = listOf("9.9.9.9", "149.112.112.112"),
    port = 443,                 // DoH over HTTPS
    name = "dns.quad9.net",     // DoH hostname
    path = "dns-query",         // https://dns.quad9.net/dns-query
    label = "Quad9"
)

mchangrh avatar Feb 26 '21 17:02 mchangrh

Sadly it won't work. We currently can't add some of the DoH servers out there, because as it turns out, there are two versions of the DoH protocol (yay standards). We're currently only supporting the json based one, and there is also a binary one. So once the latter is implemented, we can add this and other DNS servers.

kar avatar Mar 04 '21 13:03 kar

Thanks for the explanation, hopefully there will be support for more DoH servers in the future.

kazzarin avatar Mar 04 '21 22:03 kazzarin

A very easy method to check if a DNS server uses JSON or binary format: run the below command and check what is returned. If an answer with the IP address in the body is returned, the server supports JSON. If nothing or an error message is returned, the DNS server uses the binary method.

curl '<DoH address>?name=blokada.org&type=a&do=1&ct=application/dns-json'

For example:

curl 'https://dns.blokada.org/dns-query?name=blokada.org&type=a&do=1&ct=application/dns-json'

peterroth avatar Mar 12 '21 09:03 peterroth

Sadly it won't work. We currently can't add some of the DoH servers out there, because as it turns out, there are two versions of the DoH protocol (yay standards). We're currently only supporting the json based one, and there is also a binary one. So once the latter is implemented, we can add this and other DNS servers.

Hi Kar,

You might be mistaken. There aren't two standards: the MIME type Blokada supports today, application/dns-json, isn't in the standard at all: https://tools.ietf.org/html/rfc8484

ignoramous avatar Mar 30 '21 10:03 ignoramous
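To make the distinction drawn in Kar's and ignoramous's comments concrete, here is an added Python example; it is not Blokada's code and was not posted by anyone in the thread. It builds both request shapes offline: the RFC 8484 wire-format GET URL (the "binary" form the app did not yet support) and the application/dns-json GET URL that peterroth's curl command exercises, and it parses a constructed wire-format answer the way a client must once it speaks RFC 8484. The hostnames dns.quad9.net, dns.blokada.org and blokada.org come from the thread; the response bytes, the 192.0.2.10 address and the TTL are constructed.

```python
"""Added example: the two DNS-over-HTTPS request shapes discussed in this thread.

RFC 8484 carries a standard DNS message (RFC 1035) either as a POST body with
Content-Type: application/dns-message, or base64url-encoded without padding in
the `dns=` query parameter of a GET. The application/dns-json API is a separate,
non-standard shape in which the question travels as plain query parameters.
"""
import base64
import struct
from urllib.parse import parse_qs, urlencode, urlsplit

RR_TYPES = {"A": 1, "AAAA": 28}          # RFC 1035 / RFC 3596 type codes


def encode_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_wire_query(name: str, rtype: str = "A", dnssec_ok: bool = True) -> bytes:
    """Build an RFC 1035 query. RFC 8484 recommends ID 0 so that identical
    questions yield identical, cache-friendly GET URLs."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, arcount)   # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack(">HH", RR_TYPES[rtype], 1)  # QCLASS=IN
    additional = b""
    if dnssec_ok:
        # OPT pseudo-RR (RFC 6891): root name, type 41, UDP size 4096, DO bit set.
        additional = b"\x00" + struct.pack(">HHIH", 41, 4096, 0x00008000, 0)
    return header + question + additional


def wire_get_url(base: str, name: str, rtype: str = "A") -> str:
    """RFC 8484 GET form: whole message base64url-encoded, padding stripped."""
    token = base64.urlsafe_b64encode(build_wire_query(name, rtype)).rstrip(b"=").decode()
    return f"{base}?dns={token}"


def json_get_url(base: str, name: str, rtype: str = "A") -> str:
    """The application/dns-json form used by peterroth's curl command."""
    params = {"name": name, "type": rtype.lower(), "do": 1, "ct": "application/dns-json"}
    return f"{base}?{urlencode(params, safe='/')}"


def decode_wire_get_url(url: str) -> tuple[str, str]:
    """Recover (qname, qtype) from an RFC 8484 GET URL, as a resolver would."""
    token = parse_qs(urlsplit(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if struct.unpack(">H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    name, pos = read_name(msg, 12)
    qtype = struct.unpack(">H", msg[pos:pos + 2])[0]
    return name, {v: k for k, v in RR_TYPES.items()}.get(qtype, str(qtype))


def read_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, jumped, end = [], False, pos
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else pos + 1)
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def parse_a_answers(msg: bytes) -> list[str]:
    """Return IPv4 addresses from the answer section of a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                                  # RCODE other than NOERROR
        return []
    pos = 12
    for _ in range(qdcount):
        _, pos = read_name(msg, pos)
        pos += 4                                        # skip QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        _, pos = read_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs


def constructed_response() -> bytes:
    """Constructed wire-format answer for blokada.org: one A record pointing at
    192.0.2.10 (a documentation-range placeholder, not the real address)."""
    question = build_wire_query("blokada.org", "A", dnssec_ok=False)[12:]
    header = struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)        # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    print("RFC 8484:", wire_get_url("https://dns.quad9.net/dns-query", "blokada.org"))
    print("JSON API:", json_get_url("https://dns.blokada.org/dns-query", "blokada.org"))
    print("answers:", parse_a_answers(constructed_response()))
```

The practical difference for a client is visible in the two URLs: the JSON form puts the question in readable query parameters and expects JSON back, while the RFC 8484 form needs a DNS message encoder on the way out and a wire-format parser (including compression pointers) on the way back, which is the missing piece Kar refers to.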

@ignoramous Blokada's DoH seems to support both GET and POST for binary requests as of today; I tested with dnslookup, bulldohzer, and dohjs. Also, please check my recent repos' issues because I can't reply on the archived project.

tina-hello avatar Jul 21 '21 20:07 tina-hello

Is there any progress on adding Quad9 DoH (and others too, like AdGuard DoH)?

ghost avatar Nov 12 '21 12:11 ghost

@Kruger984 I've sent some pull requests like #917, #918 to enable more encrypted DNS servers. Let's see if they'll be accepted.

PeterDaveHello avatar Jan 29 '22 14:01 PeterDaveHello