
Support for encrypted DNS: dnscrypt, DoH, DoT, anonymized DNS
Open, Wishlist, Public

Description

Encrypted DNS protocols are gaining popularity as tools to increase privacy. Most clients don't support them yet, while some do (e.g. Firefox), so a way to listen for unencrypted DNS requests and forward them encrypted is very welcome.

I evaluated two options:

  • dnscrypt-proxy

    The feature list is too long to include; its main advantages are support for: Tor, SOCKS proxies, anonymized DNS relays, filtering lists, load balancing with various strategies (including round-robin to further increase privacy), automated background updates of resolver lists, a built-in DoH server, ...

    It can act as a:
    • standard DNS or DoH server
    • caching forwarder
    • load balancer
    • DoH, DoT or dnscrypt client
  • dnsdist

    It can act as a:
    • standard DNS, DoH, DoT or dnscrypt server
    • load balancer
    • (in combination with pdns-resolver: standard DNS caching forwarder or resolver)

    It can act as an encrypted DNS server, but not as a client, so on its own it is not suitable. It's also not a full caching resolver, but just a load balancer with some optional basic packet caching. Its companion, the PowerDNS resolver, is currently used in VyOS as the "service dns forwarding" server, but it doesn't support encrypted upstream connections.

My choice would be to initially include dnscrypt-proxy, then maybe later dnsdist to add DoT/dnscrypt server support. The config syntax would need to be evaluated: if there are no conflicts with the existing service dns forwarder, include it there; otherwise add a "service dns dnscrypt-proxy" node.
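The "listen for unencrypted DNS and forward it encrypted" role that the task asks for, shown as an added example in plain Python rather than code from VyOS, dnscrypt-proxy or dnsdist: it builds RFC 1035 wire-format queries, encodes them in the RFC 8484 DoH GET form, parses the A records out of a response, and relays plaintext UDP queries to an upstream DoH resolver. The upstream URL DOH_URL, the listen port, the SAMPLE_RESPONSE bytes and the helper names are assumptions made for this example and are not taken from the task.

```python
"""Plaintext-DNS-to-DoH forwarding logic (RFC 1035 wire format, RFC 8484 GET
encoding). Added example; not VyOS, dnscrypt-proxy or dnsdist code."""
import base64
import socket
import struct
from urllib.request import Request, urlopen

# Assumed upstream (placeholder, not a real resolver); any RFC 8484 server works.
DOH_URL = "https://doh.example.net/dns-query"


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Build a one-question DNS query. RFC 8484 section 4.1 recommends ID 0 so
    the DoH request is cacheable; the forwarder restores the client's ID later."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base, wire):
    """GET form of DoH: base64url without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def decode_name(msg, off):
    """Read a possibly-compressed name; return (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 16:                           # an upstream could loop pointers
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                       # the first pointer ends the field
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return flags & 0xF, answers


def servfail(wire):
    """Turn a client query into a SERVFAIL reply (QR=1 RD=1 RA=1 RCODE=2)."""
    return wire[:2] + b"\x81\x82" + wire[4:6] + b"\x00" * 6 + wire[12:]


def forward_over_doh(wire, url=DOH_URL, timeout=5):
    """Send one query upstream over HTTPS (needs network; not exercised offline)."""
    req = Request(doh_get_url(url, b"\x00\x00" + wire[2:]),  # zero ID for caching
                  headers={"Accept": "application/dns-message"})
    with urlopen(req, timeout=timeout) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("unexpected DoH content type")
        return wire[:2] + resp.read()[2:]           # restore the client's ID


def serve(listen=("127.0.0.1", 5353), url=DOH_URL):
    """Listen for plaintext UDP DNS and relay each query over DoH."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        wire, peer = sock.recvfrom(4096)
        try:
            sock.sendto(forward_over_doh(wire, url), peer)
        except Exception as exc:                   # answer rather than leave the client hanging
            print("upstream failure:", exc)
            sock.sendto(servfail(wire), peer)


# Constructed sample: a response to "example.com A" with one answer whose
# name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url(DOH_URL, build_query("www.example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

Two details matter for any such forwarder: the upstream echoes the zeroed transaction ID, so the reply must be rewritten with the client's original ID before it is sent back, and responses parsed from an upstream must bound compression-pointer chasing and answer a SERVFAIL on upstream failure instead of dropping the query. DoT (RFC 7858) carries the same wire message, prefixed with a two-byte length, over TLS on port 853, so only the transport layer of this example changes for that protocol.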

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Event Timeline

jjakob triaged this task as Wishlist priority.Apr 1 2020, 2:21 PM
jjakob created this task.
jjakob created this object in space S1 VyOS Public.
jjakob updated the task description. (Show Details)

I used dnsdist and dnscrypt-proxy before, but currently I have settled on:

  • cloudflared
  • coredns

I hope coredns can add back native support for DNS-over-HTTPS so I can drop cloudflared.

As for encrypted DNS, it should cover the standard solutions rather than being limited to a certain service provider. The standard solutions are as follows (although, in general, there may not be many people using encrypted recursive DNS):

  1. DNS over TLS (DoT)
  2. DNS over HTTPS (DoH)