Bugzilla – Bug 1200
Does unbound support DNS-over-HTTPS (DoH)?
Last modified: 2018-06-18 10:54:18 CEST
No, there is no support for this at the current time. Unbound does support DNS over TLS, but that is without the HTTPS encoding. Is there a reason you need it, a use case?
Best regards, Wouter
Here is the wiki page for Google's DNS service: https://www.everipedia.com/Google_Public_DNS/
In contrast to DoT, Firefox will ship DoH support. It would be nice to have this in Unbound, including DNSSEC over DoH (which is not supported by Firefox yet).
Thanks for the links, and that is certainly moving DoH forward with the nice Firefox implementation.
For Unbound, it could offer client-side and server-side support. For server-side support of DoH, we (discussed here) feel that an nginx or Apache module could be best. This can be deployed as a server on its own, or it can be deployed on a server that is already a webserver. When the DNS requests over HTTP go to the server that is also the webserver, the privacy guarantees are very good, because the information flows to the webserver that already has it.
For client support, getdns is currently working to implement DoH support (and HTTP/2 as well, I believe), and that could be upcoming in a near-term release of getdns.
What was your interest, client or server? And what sort of deployment, I mean set-up? That seems to be a discussion point on DoH: Firefox with a hardcoded destination (that works today, so it's great) is one particular option, but asking the website is also very attractive.
Unbound could give an nginx or Apache module DNS resolving capabilities with libunbound, which is nearly as capable as the Unbound DNS server (it doesn't have unbound-control statistics lookups).
Best regards, Wouter
Thanks for your quick reaction on this.
(In reply to Wouter Wijngaards from comment #4)
> What was your interest, client or server?
I'm primarily interested in Unbound acting as a DoH server with DNSSEC support (DNSSEC records offered to the DoH client for validation), and to a lesser extent in Unbound acting as a DoH client.
> And what sort of deployment, I mean set-up? That seems to be a discussion
> point on DoH: Firefox with a hardcoded destination (that works today, so
> it's great) is one particular option, but asking the website is also very
> attractive.
A set-up where a webserver offers DoH replies to a client (i.e. Firefox) that did not explicitly ask for or configure that website as a TRR is outside the scope of the current DoH specification. At the last IETF DoH WG meeting (IETF101-DOH-20180322) DKG presented an idea of opportunistically providing DNS records to clients that did not ask for them, but there is no draft for that AFAIK.
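To make concrete the "HTTPS encoding" that comment 1 says distinguishes DoH from DoT, and the DNSSEC-over-DoH exchange the reporter asks for in comment 5, here is an added, stand-alone example written for this page. It is not Unbound, libunbound or getdns code and nothing from the thread's authors; it uses only the Python standard library. It builds a wire-format query with the EDNS0 DO bit set (so the server will return RRSIGs for the client to validate), encodes it into the RFC 8484 GET form (`?dns=` plus unpadded base64url), decodes that parameter back the way a server-side module such as the nginx or Apache module proposed in comment 4 would have to before handing the query to a resolver, and parses a reply for the AD bit and RRSIG presence. The resolver URL is a hypothetical placeholder and the reply is constructed inline, not captured traffic.

```python
"""Added example (not Unbound's code): RFC 8484 DoH message encoding/decoding, stdlib only."""
import base64
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000                      # DNSSEC OK: high bit of the OPT RR's 16-bit flags field
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off`; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def opt_rr(dnssec_ok: bool) -> bytes:
    """EDNS0 OPT RR: root name, type 41, UDP size in CLASS, ext-RCODE/version/flags in TTL."""
    ttl = EDNS_DO if dnssec_ok else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)


def build_query(name: str, qtype: int = TYPE_A, dnssec_ok: bool = True) -> bytes:
    """Wire-format query. ID 0 as RFC 8484 4.1 suggests, so identical questions stay HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)        # QCLASS IN
    return header + question + opt_rr(dnssec_ok)


def doh_get_url(base_url: str, wire: bytes) -> str:
    """Client side of the RFC 8484 GET form: ?dns=<base64url of the message, padding stripped>."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def decode_dns_param(param: str) -> bytes:
    """Server side of the GET form: restore padding, decode back to wire format."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_response(wire: bytes) -> dict:
    """What a validating DoH client looks at first: RCODE, the AD bit, and whether RRSIGs came back."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4                                  # QTYPE + QCLASS
    rtypes = []
    for _ in range(an + ns + ar):
        off = skip_name(wire, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        rtypes.append(rtype)
        off += 10 + rdlen
    if off != len(wire):
        raise ValueError("trailing or truncated data in DNS message")
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "answers": an, "has_rrsig": TYPE_RRSIG in rtypes}


def constructed_response(query: bytes) -> bytes:
    """Constructed sample reply (not captured traffic): one A record, a placeholder RRSIG, AD set."""
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", 0, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 0, 1)
    ptr = b"\xc0\x0c"                                                   # pointer to QNAME at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])   # TEST-NET-1 address
    sig = b"\x00" * 40                                                  # placeholder RDATA, not a real signature
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    return header + question + a_rr + rrsig_rr + opt_rr(True)


if __name__ == "__main__":
    q = build_query("example.com.")
    url = doh_get_url("https://doh.example.net/dns-query", q)          # hypothetical resolver URL
    assert decode_dns_param(url.split("dns=", 1)[1]) == q
    print(url)
    print(parse_response(constructed_response(q)))
```

Run it with `python3 doh_example.py` (any filename will do). The POST form of RFC 8484 is simpler still: the same `build_query` bytes go in the request body with `Content-Type: application/dns-message`, and the reply body is the raw wire message handed straight to `parse_response`. A server implementation sits between `decode_dns_param` and `constructed_response`: it decodes the parameter, resolves the question, and must keep the DO bit from the client's OPT RR so the RRSIGs the reporter wants actually reach the client.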