Bug 1200 - Does unbound support DNS-over-HTTPS (DoH)?
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.6.0
Hardware: x86_64 Windows
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2017-01-06 05:08 CET by lenovo_me
Modified: 2018-06-18 10:54 CEST
Description lenovo_me 2017-01-06 05:08:38 CET
thanks
Comment 1 Wouter Wijngaards 2017-01-06 08:57:21 CET
Hi Lenovo_me,

No there is no support for this at the current time.  Unbound does support DNS over TLS, but that is without the HTTPS encoding.  Is there a reason you need it, a use case?

Best regards, Wouter
Comment 2 M Travis 2017-04-09 02:11:49 CEST
Here is the wiki page for Google's DNS service: https://www.everipedia.com/Google_Public_DNS/
Comment 3 nusenu 2018-06-17 20:51:24 CEST
In contrast to DoT, Firefox will ship DoH support. Would be nice to have this in unbound including DNSSEC over DoH (which is not supported by firefox yet).

https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/
https://developers.cloudflare.com/1.1.1.1/dns-over-https/
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
Comment 4 Wouter Wijngaards 2018-06-18 10:20:46 CEST
Hi,

Thanks for the links, and that is certainly moving DOH forwards with the nice Firefox implementation.

For Unbound, it could offer client and server side support.  For server side support of DOH, we (discussed here) feel that nginx or apache module support could be best.  This can be deployed as a server on its own, or it can be deployed for a server that is already a webserver.  When the DNS requests over HTTP go to the server that is also the webserver the privacy guarantees are very good, because the information flows to the webserver that already has it.

For client support, getdns is currently working to implement DOH support (and https2 as well I believe) and that could be upcoming in a near-term release for getdns.

What was your interest, client or server?  And what sort of deployment, I mean set up, that seems a discussion point on DOH, and Firefox with a hardcoded destination (that works today, so it's great), is one particular option, but asking the website is also very attractive.

Unbound could give an nginx or apache module DNS resolving capabilities with libunbound, which is nearly equally capable as the unbound DNS server (it doesn't have unbound-control statistics lookups).

Best regards, Wouter
Comment 5 nusenu 2018-06-18 10:54:18 CEST
Hi Wouter,

thanks for your quick reaction on this.

(In reply to Wouter Wijngaards from comment #4)
> What was your interest, client or server?  

I'm primarily interested in Unbound acting as a DoH server with DNSSEC support (DNSSEC records offered to the DoH client for validation), and to a lesser extent Unbound acting as a DoH client.

> And what sort of deployment, I
> mean set up, that seems a discussion point on DOH, and Firefox with a
> hardcoded destination (that works today, so its great), is one particular
> option, but asking the website is also very attractive.

A set up where a webserver offers DoH replies to a client (i.e. Firefox) that did not explicitly ask or configure that website as a TRR is outside the scope of the current DoH specification. At the last IETF DoH WG meeting (IETF101-DOH-20180322) DKG presented an idea of opportunistically providing DNS records to clients that did not ask for them, but there is no draft for that AFAIK.
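The DoH frontend sketched in comment 4 (a webserver-side shim in front of unbound) and the DNSSEC-over-DoH wish in comment 5 both come down to a small wire-level translation, shown here as an added example that is not unbound's code nor anything posted by the participants. The local resolver address, the policy of forcing the EDNS DO bit on every query, and the handle() shape are assumptions.

```python
import base64
import socket
import struct

RESOLVER = ("127.0.0.1", 53)  # assumption: a local unbound listening on port 53
# EDNS OPT pseudo-RR: root name, type 41, 4096-byte payload, DO bit set, empty rdata
OPT_DO = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)

def decode_doh_request(method, query_string, body, content_type):
    """Return the DNS wire message carried by an RFC 8484 request: GET has it
    base64url-encoded (no padding) in the 'dns' parameter, POST sends it raw."""
    if method == "POST":
        if content_type != "application/dns-message":
            raise ValueError("unsupported Content-Type")
        return body
    if method == "GET":
        params = dict(p.split("=", 1) for p in query_string.split("&") if "=" in p)
        b64 = params["dns"]
        return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    raise ValueError("unsupported method")

def set_dnssec_ok(msg):
    """Append an OPT record with DO=1 so the resolver includes RRSIG/DS/NSEC data.
    Only queries with an empty additional section are touched; a real frontend
    must edit an existing OPT record instead of appending a second one."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", msg[10:12])[0]:  # ARCOUNT already non-zero
        return msg
    return msg[:10] + struct.pack("!H", 1) + msg[12:] + OPT_DO

def response_flags(resp):
    """Decode the header bits a DoH client checks: RCODE, AD (validated), TC."""
    ident, flags = struct.unpack("!HH", resp[:4])
    return {"id": ident, "rcode": flags & 0xF, "ad": bool(flags & 0x20), "tc": bool(flags & 0x200)}

def forward(query, timeout=2.0):
    """Send the query to the local resolver over UDP and return the raw answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, RESOLVER)
        resp, _ = s.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return resp

def handle(method, query_string, body, content_type):
    """Whole DoH path: decode, force DO, resolve, wrap as application/dns-message."""
    query = set_dnssec_ok(decode_doh_request(method, query_string, body, content_type))
    return 200, {"Content-Type": "application/dns-message"}, forward(query)
```

A client such as Firefox sets DO itself, so the forced OPT only matters for clients that do not; the AD bit in the answer says whether the resolver validated, which the client should not trust unless it trusts the DoH server.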