s-s / dnscloak

iOS GUI and wrapper for dnscrypt-proxy 2
Mozilla Public License 2.0

DoH with authentication for private resolvers #22

Status: Open. Homas opened this issue 4 years ago

Homas commented 4 years ago

It would be nice to implement authentication (HTTP Basic, or on the DNS level, e.g. TSIG or via extra EDNS options) for DoH so it will be possible to use the app with private resolvers. E.g. I'm running my own resolver on AWS and use it via a specific URL, but it is not really secure.

jedisct1 commented 4 years ago

dnscrypt-proxy has a query_meta parameter that allows adding arbitrary TXT records to queries. These records will always be encrypted like other records.

The development code of dnscrypt-proxy also supports TLS authentication.

Identification via extra EDNS options is subject to patent issues.

Actually, a custom URL isn't that bad. It is strictly equivalent to HTTP Basic authentication.
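As an added illustration (not code from dnscloak or dnscrypt-proxy) of what the "custom URL" approach above amounts to in practice: the secret path is simply one more field of the resolver's DNS Stamp, the sdns:// string that a static server entry or the app takes, encoded according to the DoH layout of the DNS Stamps specification. The hostname and path used in the test are constructed placeholders; the Cloudflare stamp is the public one from the stamps documentation.

```python
import base64

STAMP_PREFIX = "sdns://"
PROTO_DOH = 0x02  # DNS Stamp protocol id for DNS-over-HTTPS

def _lp(data):
    """Single-byte length prefix, used for the address, hostname and path fields."""
    if len(data) > 255:
        raise ValueError("stamp field longer than 255 bytes")
    return bytes([len(data)]) + data

def _vlp(items):
    """Vector of length-prefixed items; bit 0x80 on a length means more follow. Empty -> 0x00."""
    if not items:
        return b"\x00"
    return b"".join(bytes([len(it) | (0x80 if i < len(items) - 1 else 0)]) + it
                    for i, it in enumerate(items))

def make_doh_stamp(hostname, path, addr="", dnssec=False, no_logs=False,
                   no_filter=False, bootstrap_ips=()):
    """Build an sdns:// stamp for a DoH resolver (no certificate hashes pinned)."""
    props = (1 if dnssec else 0) | (2 if no_logs else 0) | (4 if no_filter else 0)
    body = bytes([PROTO_DOH]) + props.to_bytes(8, "little")  # 64-bit little-endian flags
    body += _lp(addr.encode()) + _vlp([]) + _lp(hostname.encode()) + _lp(path.encode())
    if bootstrap_ips:  # the trailing vector may be omitted entirely when empty
        body += _vlp([ip.encode() for ip in bootstrap_ips])
    return STAMP_PREFIX + base64.urlsafe_b64encode(body).decode().rstrip("=")

def _read(buf, pos):
    """Read one length-prefixed item; also report whether its 0x80 'more' bit was set."""
    n = buf[pos]
    end = pos + 1 + (n & 0x7F)
    return buf[pos + 1:end], bool(n & 0x80), end

def parse_doh_stamp(stamp):
    """Inverse of make_doh_stamp: the path is only base64url-encoded, not hidden from a stamp holder."""
    raw = stamp[len(STAMP_PREFIX):]
    buf = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    if buf[0] != PROTO_DOH:
        raise ValueError("not a DoH stamp")
    props = int.from_bytes(buf[1:9], "little")
    addr, _, pos = _read(buf, 9)
    more = True
    while more:  # skip the certificate-hash vector, however many entries it holds
        _, more, pos = _read(buf, pos)
    hostname, _, pos = _read(buf, pos)
    path, _, _ = _read(buf, pos)
    return {"props": props, "addr": addr.decode(), "hostname": hostname.decode(), "path": path.decode()}
```

What the round trip makes visible is the point of the thread: the path is protected on the wire only by the TLS session around the HTTPS request, while the hostname is still sent in clear in the TLS ClientHello (SNI) unless both ends support Encrypted Client Hello.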

Homas commented 4 years ago

Thanks for pointing out "query_meta". By "TLS authentication", do you mean certificate-based? It may be "heavy" if you need to serve multiple clients. A custom URL is insecure w/o TLS 1.3 and SNI encryption. The FQDN can leak in various ways (e.g. via passive DNS), and a URL with a custom user ID (if it is not encrypted) may be intercepted on the line.

dParadiz commented 4 years ago

> Identification via extra EDNS options is subject to patent issues.

Can you elaborate on this? Who has patents on this?

jedisct1 commented 4 years ago

https://patents.google.com/patent/US9661108

Homas commented 4 years ago

Weird. EDNS was proposed to address such use cases...

From RFC 2671:

The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow clients to advertise their capabilities to servers. This document describes backward compatible mechanisms for allowing the protocol to grow.

jedisct1 commented 4 years ago

Anything can be proposed.

Also, what you quoted refers to advertising what parts of the protocol the client implements. It is not about sending configuration data.

pysiak commented 3 years ago

I can't find query_meta in the UI of 2.2.0 on iOS. Is it meant to be used via the config editor only?

Homas commented 3 years ago

BTW, Intra (on Android) supports HTTP Basic authentication. Can you add support for it (I've tried it in the recent DNSCloak release and it didn't work)?