tholian-network / stealth

:rocket: Stealth - Secure, Peer-to-Peer, Private and Automateable Web Browser/Scraper/Proxy
GNU General Public License v3.0

Stealth: DNSS Protocol #62

Closed cookiengineer closed 3 years ago

cookiengineer commented 3 years ago

The DNSS Protocol needs to be implemented to support DNS over TLS via TCP. As the underlying architecture behind Node.js' net.Socket, dgram.Socket and tls.TLSSocket differs heavily in API usage, DNSS will probably include some redundancies, as the code from DNS.receive()/send()/upgrade() cannot be reused because DNS defaults to the UDP protocol.

Technically, as of RFC 7766, recursive DNS resolvers must support DNS via TCP.

Real-world analysis, however, has shown that all Web Browsers (old Opera, Chromium-based Browsers, Firefox-based Browsers, and Microsoft Edge) use only UDP to request details about a domain. If there are multiple questions asked about a single domain, they are all split into separate queries with incrementing identifiers; which kind of defeats the purpose, but anyway.

The intent for the legacy (unencrypted) DNS protocol here is to emulate other Browsers' behaviour in order not to be identifiable as a Stealth Browser. As of today, not a single Browser supports DTLS sockets for its DNS requests.

However, due to very, very buggy implementations (which led to the DNS Connection refactor, because of the lack of support for DNS over HTTPS in a standardized, sane manner), the DNSS Connection won't use DTLS and will instead go for DNS over TLS via TCP connections, which all tested DNS over TLS servers seem to support.

cookiengineer commented 3 years ago

DNS over TLS has now been implemented and also correctly supports the TCP DNS wire format (which, as per the RFC, has only two prefixed bytes that represent the length of the potentially fragmented frame).

But, as initially assumed, Vodafone as an ISP blocks the dedicated TLS port 853 globally (not IP-based blocking, but port-based blocking in their carrier-grade NAT). This was expected, so DNSviaHTTPS has to be implemented as an alternative DNS resolver protocol.
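The two comments above touch on two details that are easy to get wrong when moving DNS from UDP to a TLS/TCP stream: each question goes out as its own message with its own ID, and the TCP wire format (RFC 7766) prefixes every message with a 2-byte big-endian length, so a single TLS read may deliver half a length prefix, half a message, or two messages at once. The following is an added example written for this issue, not code from the Stealth project; `buildQuery`, `frameTCP`, `TCPFrameParser` and `parseQuestion` are hypothetical names, and the query bytes and chunk boundaries are constructed here to exercise the reassembly path.

```javascript
// Added example (not Stealth's own code). Builds minimal DNS queries,
// wraps them in the RFC 7766 TCP framing (2-byte length prefix) and
// reassembles frames from arbitrarily split stream chunks, as a DNS-over-TLS
// client has to do on top of tls.TLSSocket 'data' events.

// Encode a single-question DNS query: 12-byte header + QNAME + QTYPE + QCLASS.
function buildQuery(id, name, qtype = 1) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);       // transaction ID (one per question)
  header.writeUInt16BE(0x0100, 2);   // flags: standard query, RD=1
  header.writeUInt16BE(1, 4);        // QDCOUNT=1, AN/NS/ARCOUNT stay 0
  const labels = name.split('.').filter(Boolean).map((label) => {
    const bytes = Buffer.from(label, 'ascii');
    if (bytes.length > 63) throw new Error('label longer than 63 octets');
    return Buffer.concat([Buffer.from([bytes.length]), bytes]);
  });
  const qname = Buffer.concat([...labels, Buffer.from([0])]); // root terminator
  if (qname.length > 255) throw new Error('name longer than 255 octets');
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(qtype, 0);      // QTYPE, e.g. 1 = A, 28 = AAAA
  tail.writeUInt16BE(1, 2);          // QCLASS = IN
  return Buffer.concat([header, qname, tail]);
}

// RFC 7766 framing: 2-byte big-endian length followed by the message.
function frameTCP(message) {
  if (message.length > 0xffff) throw new Error('DNS message too long for TCP framing');
  const prefix = Buffer.alloc(2);
  prefix.writeUInt16BE(message.length, 0);
  return Buffer.concat([prefix, message]);
}

// Stream reassembler: feed it every chunk the socket delivers; it returns
// the complete frames that became available and keeps any remainder.
class TCPFrameParser {
  constructor() {
    this.buffer = Buffer.alloc(0);
  }

  push(chunk) {
    this.buffer = Buffer.concat([this.buffer, chunk]);
    const frames = [];
    while (this.buffer.length >= 2) {
      const length = this.buffer.readUInt16BE(0);
      // A frame shorter than a DNS header can never be valid; fail loudly
      // instead of desynchronising on the stream.
      if (length < 12) throw new Error(`invalid DNS frame length ${length}`);
      if (this.buffer.length < 2 + length) break; // wait for the rest
      frames.push(this.buffer.subarray(2, 2 + length));
      this.buffer = this.buffer.subarray(2 + length);
    }
    return frames;
  }
}

// Decode just enough (ID, first QNAME, QTYPE) to check a reassembled frame.
function parseQuestion(message) {
  const id = message.readUInt16BE(0);
  const labels = [];
  let offset = 12;
  while (message[offset] !== 0) {
    const length = message[offset];
    labels.push(message.subarray(offset + 1, offset + 1 + length).toString('ascii'));
    offset += 1 + length;
  }
  offset += 1; // skip root terminator
  return { id, name: labels.join('.'), type: message.readUInt16BE(offset) };
}

// Constructed scenario: two questions (A and AAAA) for the same name sent as
// separate framed messages with incrementing IDs, delivered by the stream in
// three awkward chunks (split inside the length prefix and inside the body).
function demo() {
  const a = frameTCP(buildQuery(0x1234, 'example.com', 1));
  const aaaa = frameTCP(buildQuery(0x1235, 'example.com', 28));
  const stream = Buffer.concat([a, aaaa]);
  const chunks = [stream.subarray(0, 1), stream.subarray(1, 20), stream.subarray(20)];
  const parser = new TCPFrameParser();
  const questions = [];
  for (const chunk of chunks) {
    for (const frame of parser.push(chunk)) questions.push(parseQuestion(frame));
  }
  return questions;
}

console.log(demo());
```

Hooking this into a real resolver means writing `frameTCP(buildQuery(...))` to a `tls.connect({ host, port: 853 })` socket and feeding every `'data'` event into `TCPFrameParser.push`; the same parser is what the length prefix exists for, since the response to one query can itself arrive split across several TLS records.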