dns-resolver-infra
[Vultr] DNS-over-HTTPS issue
@publicarray see the provided Vultr server DOH details at https://dns.seby.io/
- It has the DNSCrypt stamp and another IP address
- It is also complicated regarding the port
- Unable to resolve doh.seby.io
No such problem with OVH server.
[OVH server]
It has doh-2.seby.io for DOH, but you use dot.seby.io for DOT. Then I don't understand why you don't keep the same separation for the DOT protocol.
Hi @valaria247, sorry about the confusion. It's because I first started with one server (Vultr), and DOH was not developed or conceptualised yet. So for legacy reasons port 443 was not used for DOH on that server; it was used for DNSCrypt instead. So the hostname needs to be different for the 2 servers, otherwise you get an error for using the wrong protocol. For DOT it did not matter, since the protocol uses its own dedicated port number 853. So dot.seby.io resolves to both servers:
;; ANSWER SECTION:
dot.seby.io. 4502 IN A 139.99.222.72
dot.seby.io. 4502 IN A 45.76.113.31
Why keep them separate? Hm, I like that using DNS this way provides an automatic fallback and makes certificate management easier. I'd rather have both servers share the same configuration and use the same domains (but I would have to somehow migrate users, and that would cause unnecessary downtime and surprised users because their configuration suddenly fails).
$ kdig @dot.seby.io -p853 +tls-ca example.com
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3271
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1472 B; ext-rcode: NOERROR
;; Option (11): 0000
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 80226 IN A 93.184.216.34
;; Received 62 B
;; Time 2020-07-17 19:39:27 AEST
;; From 45.76.113.31@853(TCP) in 147.6 ms
If 45.76.113.31 fails, the query could still be answered by the other server (see the From section). The OS can choose a server at random.
So the port for DOH on the Vultr server is 8443:
❯ curl 'https://doh.seby.io:8443/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 75 100 75 0 0 215 0 --:--:-- --:--:-- --:--:-- 216
00000000 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 |.............www|
00000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 |.example.com....|
00000020 01 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f |..www.example.co|
00000030 6d 00 00 01 00 01 00 00 48 d3 00 04 5d b8 d8 22 |m.......H...].."|
00000040 00 00 29 05 c0 00 00 00 00 00 00 |..)........|
0000004b
❯ curl 'https://doh-2.seby.io:443/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 75 100 75 0 0 194 0 --:--:-- --:--:-- --:--:-- 193
00000000 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 |.............www|
00000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 |.example.com....|
00000020 01 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f |..www.example.co|
00000030 6d 00 00 01 00 01 00 00 f9 5d 00 04 5d b8 d8 22 |m........]..].."|
00000040 00 00 29 05 c0 00 00 00 00 00 00 |..)........|
0000004b
I hope that explains why things are the way they are and why I haven't been keen on changing it. If you have any ideas on how to improve this or migrate users by swapping the 2 port numbers, please let me know.
Thanks for pointing out the errors in the stamp; this should be fixed.
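The curl commands above use the RFC 8484 GET form of DNS-over-HTTPS: the raw DNS query message is base64url-encoded (no padding) into the `dns=` parameter, and the server answers with a raw DNS message. The following is an added example, not code from publicarray or the dns-resolver-infra project: it builds that exact query for `www.example.com` and checks that it encodes to the string used in the thread, then parses the 75-byte response transcribed from the first hexdump (Vultr server, port 8443). The parser handles name compression pointers even though this particular response does not use them; everything runs offline, and the only network-related value it produces is a URL string.

```python
import base64
import struct

# The dns= parameter value from the curl commands in the thread.
PAGE_QUERY_B64 = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

# Response transcribed from the first hexdump in the thread (75 bytes).
PAGE_RESPONSE = bytes.fromhex(
    "00008180000100010000000103777777"
    "076578616d706c6503636f6d00000100"
    "0103777777076578616d706c6503636f"
    "6d0000010001000048d300045db8d822"
    "00002905c0000000000000"
)


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Build a DNS query; ID 0 and RD set, as RFC 8484 recommends for DoH
    so that identical queries produce identical (cacheable) URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def to_dns_param(msg: bytes) -> str:
    """base64url without '=' padding, as required for the dns= parameter."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def from_dns_param(param: str) -> bytes:
    """Inverse of to_dns_param; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_get_url(base_url: str, msg: bytes) -> str:
    """Compose the GET URL for a DoH endpoint such as https://host:port/dns-query."""
    return f"{base_url}?dns={to_dns_param(msg)}"


def read_name(msg: bytes, off: int):
    """Read a possibly-compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2  # caller resumes after the 2-byte pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse a DNS response into its question, answer and additional records."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rclass, ttl, rdata))
    if off != len(msg):
        raise ValueError("trailing bytes after last record")
    return {"id": ident, "rcode": flags & 0xF, "questions": questions,
            "answers": records[:an], "authority": records[an:an + ns],
            "additional": records[an + ns:]}


if __name__ == "__main__":
    query = build_query("www.example.com")
    print(doh_get_url("https://doh-2.seby.io:443/dns-query", query))
    print(parse_response(PAGE_RESPONSE))
```

For the OPT pseudo-record in the additional section, the "class" field carries the advertised UDP payload size (0x05c0 = 1472 here, matching the "UDP size: 1472 B" line in the kdig output above); a client that blindly treats every record's class as IN would misread it.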
However, it's good to let users use the default 443 for DOH, and to set it up soon. Basically, people get the right benefit from your service availability only if you keep two or more servers behind it.
Consider providing ad-blocking and protection from tracking and malicious domains as an enhancement to your DNS service. You can use various block lists to adjust the severity (maybe you are not interested in this; in that case, people can use Pi-Hole or AGH with seby as a solution). Adult content filtering is also an important part of a DNS service nowadays.
True, if I change it then people will complain that their current setup no longer works, so I won't be changing the ports. I would need to find a way to run both protocols on the same ports somehow (SO_REUSEPORT?).
I have considered it before but came to the conclusion that I would still want vanilla DNS, and that it would take more of my time to maintain. Like you say, there are alternative (better) ways to block those things, and people can maintain their personal preferences of what they want to block or allow. dnscrypt-proxy is another example (it can even allow or deny access based on the time of day).
> people will complain that their current setup no longer works, so I won't be changing the ports. I would need to find a way to run both protocols on the same ports somehow (SO_REUSEPORT?).

I don't quite understand the problem. You can configure the server to listen on multiple ports.
Currently you use many names (doh.seby.io, doh-2.seby.io, dot.seby.io); leave them as they are.
Set up a new common and memorable name, e.g. dns.seby.io, then there are no worries for existing users. Later, drop support for the old names.
https://dns.seby.io/dns-query
tls://dns.seby.io
OK, the Vultr server uses port 443 for DNSCrypt and 8443 for DOH,
and OVH uses port 443 for DOH and 8443 for DNSCrypt.
Now if both share the same domain name for DOH... there is a chance the wrong server/port combination is used, because the IP address used is random.
There is a chance the command below works or doesn't, depending on the IP address returned from looking up dot.seby.io and the port specified.
$ curl 'https://dot.seby.io:8443/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 75 100 75 0 0 232 0 --:--:-- --:--:-- --:--:-- 232
00000000 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 |.............www|
00000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 |.example.com....|
00000020 01 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f |..www.example.co|
00000030 6d 00 00 01 00 01 00 00 83 8d 00 04 5d b8 d8 22 |m...........].."|
00000040 00 00 29 05 c0 00 00 00 00 00 00 |..)........|
0000004b
Anyway, I like the idea and will try to find some time to work on it. It's just a little more complicated than it seems. There are 3 encrypted DNS protocols that I support, and the web server is on a different VPS as well. The problem is not the domain name, it's the physical servers and how they were set up.
@jedisct1 would you mind taking a look here? I'm bad at explaining things.
Maybe I can run just the OVH server on a new domain, e.g. dns.seby.io, and once traffic on the Vultr server is low enough I can switch the ports.
The certificates are wildcards *.seby.io already.
Using the same ports now, as dnscrypt hasn't worked properly and has been shut down.