keystrike opened this issue 5 years ago (status: Open)
This is a good point.
Is there a way for us to detect that DNS over TLS is configured on the user's machine? How does it actually work, does it set up a local recursive resolver? Is there some way we can measure that DNS queries are going over TLS (maybe via some special query)?
Android API has linkProperties.isPrivateDnsActive(): https://developer.android.com/reference/android/net/LinkProperties.html#isPrivateDnsActive()
They have that in there because, "apps that perform their own DNS queries, instead of using the system's APIs, must ensure that they do not send insecure DNS queries when the system has a secure connection."
I think a priority should be to note that DNS was over TLS in the logs, as it will change behavior and skew results.
@keystrike Is it correct to say that getaddrinfo() will implicitly use DNS over TLS?
From https://developers.google.com/speed/public-dns/docs/dns-over-tls:
"A client system can use DNS-over-TLS with one of two profiles: strict or opportunistic privacy. With the strict privacy profile, the user configures a DNS server name (the authentication domain name in RFC 8310) for DNS-over-TLS service and the client must be able to create a secure TLS connection on port 853 to the DNS server. Failure to establish a secure connection is a hard error and will result in no DNS service for the client."
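As an added example (not code from the ooniprobe project or from anyone in this thread), the Go below implements the strict/opportunistic rule quoted above and the two-octet length framing that DoT (RFC 7858) inherits from DNS over TCP; the transport label it returns is the value to record in the logs, as suggested earlier in the thread. The resolver address and the dial functions are assumptions supplied by the caller so the logic runs offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Profile is one of the two client profiles from RFC 8310 quoted above.
type Profile int

const (
	Strict Profile = iota
	Opportunistic
)

// ErrNoDNS is the hard error a strict client must raise when port 853 fails.
var ErrNoDNS = errors.New("strict profile: no secure connection, so no DNS service")

// DialFunc opens a connection to the resolver; it is injected (an assumption of
// this example) so the decision logic can be exercised without network access.
type DialFunc func(addr string) (net.Conn, error)

// SelectTransport tries TLS on port 853 first. On failure a strict client gets
// ErrNoDNS; an opportunistic one falls back to cleartext on port 53.
// The label ("dot" or "do53") is what a probe should record in its logs.
func SelectTransport(p Profile, server string, dialTLS, dialPlain DialFunc) (net.Conn, string, error) {
	if c, err := dialTLS(net.JoinHostPort(server, "853")); err == nil {
		return c, "dot", nil
	} else if p == Strict {
		return nil, "", fmt.Errorf("%w: %v", ErrNoDNS, err)
	}
	c, err := dialPlain(net.JoinHostPort(server, "53"))
	if err != nil {
		return nil, "", err
	}
	return c, "do53", nil
}

// FrameMessage prepends the two-octet big-endian length that DoT (RFC 7858)
// borrows from DNS over TCP; a query sent on port 853 is not valid without it.
func FrameMessage(msg []byte) []byte {
	out := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(out, uint16(len(msg)))
	copy(out[2:], msg)
	return out
}
```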
Android Pie supports DNS over TLS. I notice some change in filter behavior when using it. Should ooniprobe be aware if a user is configured to use DNS over TLS so that it can log results correctly?