
Custom bootstrap DNS servers

Open ignoramous opened this issue 3 years ago • 8 comments

Today, the DNS over HTTPS client resolves IPs for the DNS over HTTPS endpoint over OS / network supplied DNS resolvers which may or may not block resolution of the DNS over HTTPS endpoint.

To circumvent that, consider supplying custom DNS resolvers to the http.Client [0].

The environment can still block / rewrite all requests on port 53... so that still remains unmitigated.

[0] nextdns/run.go#L427.

ignoramous avatar Sep 17 '20 12:09 ignoramous
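An added example of the approach the issue proposes, not code from rethink-app, Intra or dnsproxy: a Go http.Client whose dialer resolves the DoH endpoint's hostname through caller-supplied bootstrap IPs instead of the OS-supplied resolvers. Function names and timeouts are assumptions; the caveat from the issue (the bootstrap lookup itself is still unencrypted port-53 DNS) still applies.

```go
package main

import (
	"context"
	"errors"
	"net"
	"net/http"
	"time"
)

// withPort turns "1.1.1.1" into "1.1.1.1:53"; hostnames are rejected because
// resolving one would need the very OS resolver this client is bypassing.
func withPort(addr string) (string, error) {
	if _, _, err := net.SplitHostPort(addr); err == nil {
		return addr, nil
	}
	if net.ParseIP(addr) == nil {
		return "", errors.New("bootstrap must be an IP literal: " + addr)
	}
	return net.JoinHostPort(addr, "53"), nil
}

// newDoHClient (assumed name) returns an http.Client that resolves the DoH
// endpoint's hostname via the given bootstrap IPs rather than the OS nameservers.
func newDoHClient(bootstraps []string) (*http.Client, error) {
	if len(bootstraps) == 0 {
		return nil, errors.New("no bootstrap servers given")
	}
	addrs := make([]string, 0, len(bootstraps))
	for _, b := range bootstraps {
		a, err := withPort(b)
		if err != nil {
			return nil, err
		}
		addrs = append(addrs, a)
	}
	resolver := &net.Resolver{
		PreferGo: true,
		// Go passes the OS nameserver as the address argument; it is ignored
		// and each bootstrap is tried in order until one accepts the connection.
		Dial: func(ctx context.Context, network, _ string) (c net.Conn, err error) {
			for _, a := range addrs {
				if c, err = (&net.Dialer{Timeout: 3 * time.Second}).DialContext(ctx, network, a); err == nil {
					return c, nil
				}
			}
			return nil, err
		},
	}
	tcp := &net.Dialer{Timeout: 10 * time.Second, Resolver: resolver}
	return &http.Client{Transport: &http.Transport{DialContext: tcp.DialContext}}, nil
}
```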

Whoops. Intra does support this but we don't use it. Miss!

https://github.com/celzero/brave-android-app/blob/97344853fa275eeec3438e63ac837260eeda9754/app/src/main/java/com/celzero/bravedns/net/go/GoVpnAdapter.java#L205

ignoramous avatar Sep 17 '20 18:09 ignoramous

I mean, what intra does is better.

Having bootstrap servers might still help but not as much since, at the end of the day, it relies on plain old DNS without encryption.

ignoramous avatar Sep 17 '20 18:09 ignoramous

https://github.com/Jigsaw-Code/Intra/issues/256

ignoramous avatar Sep 17 '20 18:09 ignoramous

BraveDNS resolver IPs:

104.26.6.92
172.67.70.173
104.26.7.92

ignoramous avatar Sep 28 '20 09:09 ignoramous

AdGuard's dnsproxy supports a variety of bootstraps and the impl is pretty straightforward too: dnsproxy/upstream/upstream.go#L86.

ignoramous avatar Oct 02 '20 21:10 ignoramous

And for those of us who use a VPN with internal hostnames, it would be nice if we could fall back to the custom bootstrap so that we can resolve our internal LAN hostnames, unless it would be easier to let us add our own extra encrypted resolvers.

ilikenwf avatar Jul 24 '21 17:07 ilikenwf

@ilikenwf

> we can resolve our internal LAN hostnames, unless it would be easier to let us add our own extra encrypted resolvers.

You mean, split-horizon DNS (for ex, .lan, .local, .internal etc) must be resolved by OS/Network provided DNS? If so, that's a combination of #368 and #355?

ignoramous avatar Nov 20 '21 10:11 ignoramous

I don't...remember, sorry, but that sounds right.

I'm using GrapheneOS, and with the power of WireGuard split tunneling, it seems that "auto" mode at the OS level is working well enough.

ilikenwf avatar Nov 20 '21 18:11 ilikenwf