ameshkov
commented
3 years ago - DoQ should rely on QUIC for adding padding: https://datatracker.ietf.org/doc/html/draft-huitema-quic-dnsoquic-07#section-5.5
- In our implementation we simply rely on quic-go library and I honestly don't know if they use PADDING frames or not. Therefore, I'll keep this issue open, until I have some time to look into it.
- In order to check that on your own you would probably need to decrypt QUIC packets which is not an easy task. You'll need to decrypt QUIC packets and look for padding frames there. I am not sure if Wireshark supports inspecting QUIC, but if it does, you'll need to patch dnsproxy to export SSH keys and use it to decrypt QUIC in Wireshark. Alternatively, debug dnsproxy and see for yourself if quic-go sends padding frames or not.
peterthomassen
While looking at DoQ traffic captured between the proxy and the AdGuard server, I noticed that the packets are not padded to the same lengths. This is curious, because when I asked the Support team I got an answer saying that padding was implemented and activated by default. Do I, contrary to the statement, have to set a flag in the dnsproxy command or is there something else wrong/padding missing?
my starting command for dnsproxy is: ./dnsproxy -l 127.0.0.1 --quic-port=8853 --tls-crt=example.crt --tls-key=example.key -u quic://dns-unfiltered.adguard.com –output=./log.txt