Closed ignoramous closed 6 months ago
Whoops. Intra does support this but we don't use it. Miss!
I mean, what intra does is better.
Having bootstrap servers might still help but not as much since, at the end of the day, it relies on plain old DNS without encryption.
BraveDNS resolver IPs:
104.26.6.92
172.67.70.173
104.26.7.92
Adguard's dnsproxy supports a variety of bootstraps and the impl is pretty straightforward too: dnsproxy/upstream/upstream.go#L86.
And for those of us who use a VPN with internal hostnames, it would be nice if we could fallback to the custom bootstrap so that we can resolve our internal lan hostnames, unless it would be easier to let us add our own extra encrypted resolvers.
@ilikenwf
> we can resolve our internal lan hostnames, unless it would be easier to let us add our own extra encrypted resolvers.
You mean, split-horizon DNS (for ex, .lan, .local, .internal etc) must be resolved by OS/Network provided DNS? If so, that's a combination of #368 and #355?
I don't...remember, sorry, but that sounds right.
I'm using GrapheneOS, and with the power of Wireguard split tunneling, it seems that "auto" mode at the OS level is working well enough.
We've decided to limit bootstrap servers to Rethink (DoH), Cloudflare (DoH), Google (DoH), and System DNS (plain old DNS): #211
https://github.com/celzero/firestack/commit/2430028453ff2f38a11eab476314c4f19f6e8920 and https://github.com/celzero/rethink-app/commit/2adbb5d8b8bc1b7853b7768bda8ba5445be0662b
> We've decided to limit bootstrap servers to Rethink (DoH), Cloudflare (DoH), Google (DoH), and System DNS (plain old DNS): #211
> https://github.com/celzero/firestack/commit/2430028453ff2f38a11eab476314c4f19f6e8920 and https://github.com/celzero/rethink-app/commit/2adbb5d8b8bc1b7853b7768bda8ba5445be0662b
Why?
I don't want any of these, I want tcp 443 directly to my DoH server like with dnscrypt-proxy.
Or are you saying that the DoH setting can take an IP instead of a URL?
But even in that case I would want to set the bootstrap to the loopback address or null to ensure it never uses the system DNS.
> I don't want any of these, I want tcp 443 directly to my DoH server like with dnscrypt-proxy.
Bootstrap servers are needed to connect to DoH upstreams and so they cannot be DoH upstreams themselves.
> But even in that case I would want to set the bootstrap to the loopback address or null to ensure it never uses the system DNS.
Loopback address would send the DNS query back into Rethink, so that's useless as a bootstrapper.
Null routing will result in complete connectivity loss (in case DoH / DoT / ODoH are in-use) as Rethink would not be able to resolve and connect to any of those (DoH / DoT / ODoH) upstreams.
System DNS is the default bootstrapper (and it should be left as-is), but this can be changed to either Rethink or Google or Cloudflare.
In dnscrypt-proxy you can add the IP address of your DoH server to the stamp and it will connect directly to the DoH server without any bootstrap.
I have done this and set the fallback (bootstrap) DNS to null.
I would like to do the same in rethink, however entering e.g. https://1.2.3.4 as the DoH server doesn't work, and there is no option to set the fallback manually (either to my DoH server's address, or to the loopback/nothing if the DoH setting page could accept an IP directly)
> nothing if the DoH setting page could accept an IP directly)
Please track
Today, the DNS over HTTPS client resolves IPs for the DNS over HTTPS endpoint over OS / network supplied DNS resolvers which may or may not block resolution of the DNS over HTTPS endpoint.
To circumvent that, consider supplying custom DNS resolvers to the http.Client [0]. The environment can still block / rewrite all requests on port 53... so that still remains unmitigated.
[0] nextdns/run.go#L427.
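As an added illustration of the two ideas discussed in this thread (a pinned DoH server IP that needs no bootstrap at all, as with a dnscrypt-proxy stamp, and an explicit bootstrap resolver handed to the `http.Client` instead of the OS resolver), here is a small Go dialer. It is example code written for this page, not Rethink's, firestack's, dnsproxy's or nextdns's implementation. The type and function names (`BootstrapDialer`, `resolveAddr`, `NewDoHClient`), the hostname `doh.example` and the bootstrap address `1.1.1.1:53` are assumptions; the pinned IP `1.2.3.4` is the placeholder used earlier in the thread.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"time"
)

// BootstrapDialer resolves the DoH endpoint's hostname without ever asking the
// OS / network-supplied resolver. Order of precedence:
//   1. Pinned: hostname -> IP, like an IP embedded in a dnscrypt-proxy stamp
//      (no DNS traffic at all, so nothing on port 53 can block it).
//   2. Bootstrap: a plain-DNS server ("ip:port") queried through a custom
//      net.Resolver; this still travels unencrypted over port 53.
// If neither applies, dialing fails instead of silently using system DNS.
type BootstrapDialer struct {
	Pinned    map[string]string // hypothetical: hostname -> IPv4/IPv6 literal
	Bootstrap string            // hypothetical: "ip:port" of plain-DNS bootstrap, "" = none
	dialer    net.Dialer
}

// resolveAddr rewrites "host:port" to "ip:port". IP literals pass through untouched.
func (b *BootstrapDialer) resolveAddr(ctx context.Context, addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	if net.ParseIP(host) != nil {
		return addr, nil // already an IP literal; nothing to resolve
	}
	if ip, ok := b.Pinned[host]; ok {
		return net.JoinHostPort(ip, port), nil
	}
	if b.Bootstrap == "" {
		return "", fmt.Errorf("no pinned IP and no bootstrap resolver for %q", host)
	}
	// Go's pure resolver with Dial overridden so every lookup goes to the
	// chosen bootstrap server rather than whatever /etc/resolv.conf says.
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, b.Bootstrap)
		},
	}
	ips, err := r.LookupIPAddr(ctx, host)
	if err != nil {
		return "", err
	}
	if len(ips) == 0 {
		return "", fmt.Errorf("bootstrap returned no addresses for %q", host)
	}
	return net.JoinHostPort(ips[0].IP.String(), port), nil
}

// DialContext is plugged into http.Transport; it only replaces name resolution.
func (b *BootstrapDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	target, err := b.resolveAddr(ctx, addr)
	if err != nil {
		return nil, err
	}
	return b.dialer.DialContext(ctx, network, target)
}

// NewDoHClient returns an http.Client that dials through the BootstrapDialer.
// Because only DialContext (not DialTLSContext) is overridden, the transport
// still sets the TLS ServerName from the request URL and verifies the server
// certificate against the DoH hostname, so pinning an IP does not weaken TLS.
func NewDoHClient(b *BootstrapDialer) *http.Client {
	tr := &http.Transport{
		DialContext:       b.DialContext,
		TLSClientConfig:   &tls.Config{MinVersion: tls.VersionTLS12},
		ForceAttemptHTTP2: true,
	}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}
}

func main() {
	b := &BootstrapDialer{
		Pinned:    map[string]string{"doh.example": "1.2.3.4"}, // constructed sample
		Bootstrap: "1.1.1.1:53",                                // assumed bootstrap
	}
	client := NewDoHClient(b)
	addr, err := b.resolveAddr(context.Background(), "doh.example:443")
	fmt.Println("dial target:", addr, "err:", err, "client timeout:", client.Timeout)
}
```

Requests made with the returned client to `https://doh.example/dns-query` connect to `1.2.3.4:443` without any port-53 lookup; hostnames that are neither pinned nor covered by a configured bootstrap fail closed, which is the behaviour the "set the fallback to null" request above asks for. As the thread notes, the bootstrap path is still plain DNS, so a network that rewrites port 53 can still interfere with it; only the pinned path avoids that.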