[Dnsmasq-discuss] Implementation of DOH in dnsmasq
Mateusz Jończyk
2018-06-14 19:38:42 UTC
// I am writing to the dnsmasq developers to ask them about the viability of
// implementing HTTP/2 in dnsmasq.

Hello,

As you may know, the IETF is developing a new standard called DOH - DNS over HTTPS.
It will allow tunnelling DNS requests over HTTPS.

Current version of the standard can be found on
https://github.com/dohwg/draft-ietf-doh-dns-over-https/blob/master/draft-ietf-doh-dns-over-https-latest.mkd

This standard is currently being finished.

The current version of this standard recommends the use of HTTP/2.0 as the data
transport, but allows the use of earlier versions of HTTP. It does not, however,
require clients to support servers that talk HTTP/1.0 or HTTP/1.1 only.

How difficult would it be to add support for DNS over HTTP/2.0 in dnsmasq, for
example in constrained environments like home routers?

Please send any replies to the DoH mailing list at <***@ietf.org>.


Greetings,
Mateusz Jończyk
Kurt H Maier
2018-06-14 20:32:24 UTC
Post by Mateusz Jończyk
How difficult would it be to add support for DNS over HTTP/2.0 in dnsmasq, for
example in constrained environments like home routers?
This should be handled with a wrapper program. HTTP/2.0 is an enormous
and ill-defined specification and it would not be appropriate to bolt it
directly into dnsmasq. A dedicated HTTP/2.0 daemon can talk to dnsmasq
on the backend to provide this service. Home routers are not
particularly constrained in this regard, since they generally have web
services running to begin with.
Why?

khm
Nicolas Cavallari
2018-06-20 08:11:53 UTC
Post by Kurt H Maier
Post by Mateusz Jończyk
How difficult would it be to add support for DNS over HTTP/2.0 in dnsmasq, for
example in constrained environments like home routers?
This should be handled with a wrapper program. HTTP/2.0 is an enormous
and ill-defined specification and it would not be appropriate to bolt it
directly into dnsmasq. A dedicated HTTP/2.0 daemon can talk to dnsmasq
on the backend to provide this service. Home routers are not
particularly constrained in this regard, since they generally have web
services running to begin with.
It's much more than that. To be secure, TLS requires time, entropy and a CA
list. Many home routers fail at having all three, or require the DNS to get
time and CAs...
Post by Kurt H Maier
Why?
Because by doing so you will be subjected to the various IETF policies that
apply to anyone participating on the IETF mailing list, which include
copyright grants, patent disclosure and other things that should be read by a
lawyer.
Geert Stappers
2018-06-20 08:57:56 UTC
Post by Nicolas Cavallari
Post by Kurt H Maier
Post by Mateusz Jończyk
How difficult would it be to add support for DNS over HTTP/2.0 in dnsmasq, for
example in constrained environments like home routers?
This should be handled with a wrapper program. HTTP/2.0 is an enormous
and ill-defined specification and it would not be appropriate to bolt it
directly into dnsmasq. A dedicated HTTP/2.0 daemon can talk to dnsmasq
on the backend to provide this service. Home routers are not
particularly constrained in this regard, since they generally have web
services running to begin with.
It's much more than that. To be secure, TLS requires time, entropy and a CA
list. Many home routers fail at having all three, or require the DNS to get
time and CAs...
Post by Kurt H Maier
Why?
Because by doing so you will be subjected to the various IETF policies that
apply to anyone participating on the IETF mailing list, which include
copyright grants, patent disclosure and other things that should be read by a
lawyer.
No new text, just doing the
} Please send any replies to the DoH mailing list at <***@ietf.org>.


Greetings
Geert Stappers
Subscriber of the mailing list dnsmasq-***@lists.thekelleys.org.uk
--
Live and let live
Mateusz Jończyk
2018-06-29 15:33:30 UTC
Post by Nicolas Cavallari
Post by Kurt H Maier
Post by Mateusz Jończyk
How difficult would it be to add support for DNS over HTTP/2.0 in dnsmasq, for
example in constrained environments like home routers?
This should be handled with a wrapper program. HTTP/2.0 is an enormous
and ill-defined specification and it would not be appropriate to bolt it
directly into dnsmasq. A dedicated HTTP/2.0 daemon can talk to dnsmasq
on the backend to provide this service. Home routers are not
particularly constrained in this regard, since they generally have web
services running to begin with.
It's much more than that. To be secure, TLS requires time, entropy and a CA
list. Many home routers fail at having all three, or require the DNS to get
time and CAs...
The DOH server certificate could be provided together with the DOH server IP.

Thank you. So, as has been said above, implementing HTTP/2.0 may be more
difficult than implementing HTTP/1.1.

I would therefore propose to add the following text to the DOH draft (at the end
of section "HTTP/2"):

However, older versions of the HTTP standard are simpler to implement,
and have enough capabilities for limited-capability servers on embedded
devices, so DOH clients SHOULD be able to use DOH servers that support
only older version(s) of the HTTP standard, such as HTTP/1.0 {{RFC1945}}
and HTTP/1.1 {{RFC7230 - RFC7235}}.
Post by Nicolas Cavallari
Post by Kurt H Maier
Why?
I asked this just for the sake of convenience.

Greetings,
Mateusz Jończyk
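The "wrapper program" architecture suggested earlier in the thread (an HTTP daemon in front, dnsmasq unchanged on the backend) and the point in the last message that HTTP/1.1 is enough for such a front end can be shown concretely. The following is an added example written for this page, not dnsmasq code and not anything from the DOH draft authors. It is a minimal DoH front end in Python's standard library: it accepts the two request shapes the draft defines (GET with a base64url `dns` parameter, and POST with `application/dns-message`), validates the message before it touches the resolver, and forwards the raw DNS message over UDP to a backend assumed to be dnsmasq listening on 127.0.0.1:53. The listening port 8053, the path `/dns-query`, and the assumption that TLS is terminated by a separate web server in front (as the thread notes home routers already run one) are all choices made for this example. The `resolver` parameter of `handle_doh` exists so the validation logic can be exercised without a live resolver.

```python
"""Minimal DoH front end forwarding to a plain DNS resolver over UDP.

Added example for this thread, not dnsmasq code. Speaks HTTP/1.1 only via
http.server; TLS termination is assumed to happen in a separate web server
in front of it. Backend resolver assumed at 127.0.0.1:53 (e.g. dnsmasq).
"""
import base64
import socket
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

DNS_CT = "application/dns-message"
MAX_DNS_MSG = 65535           # a wire-format DNS message fits in 16-bit length
BACKEND = ("127.0.0.1", 53)   # assumption: dnsmasq on loopback, plain UDP


def build_query(name, qtype=1, txid=0):
    """Build a minimal DNS wire-format query: 12-byte header + one question."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    # flags 0x0100: QR=0 (query), RD=1; QDCOUNT=1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def encode_get_param(msg):
    """base64url without '=' padding, the form used in the GET 'dns' parameter."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_get_param(s):
    """Restore padding and decode; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def forward_udp(msg, server=BACKEND, timeout=2.0):
    """Send the raw DNS message to the backend resolver and return its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, server)
        return s.recv(MAX_DNS_MSG)


def handle_doh(method, path, headers, body, resolver=forward_udp):
    """Validate one DoH request; return (status, content_type, payload).

    Anything that is not a well-formed DNS query is rejected here so the
    backend resolver never sees attacker-controlled junk. 'headers' needs
    lowercase keys when passed as a plain dict (http.server's Message object
    is already case-insensitive).
    """
    url = urlparse(path)
    if url.path != "/dns-query":
        return 404, "text/plain", b"not found"
    if method == "GET":
        params = parse_qs(url.query).get("dns")
        if not params or len(params) != 1:
            return 400, "text/plain", b"missing dns parameter"
        try:
            msg = decode_get_param(params[0])
        except ValueError:
            return 400, "text/plain", b"bad base64url"
    elif method == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip()
        if ctype != DNS_CT:
            return 415, "text/plain", b"unsupported media type"
        msg = body
    else:
        return 405, "text/plain", b"method not allowed"
    # Header must be present, message must fit, and QR bit must be 0 (query).
    if len(msg) < 12 or len(msg) > MAX_DNS_MSG or msg[2] & 0x80:
        return 400, "text/plain", b"not a dns query"
    try:
        answer = resolver(msg)
    except (socket.timeout, OSError):
        return 502, "text/plain", b"resolver unavailable"
    return 200, DNS_CT, answer


class DoHHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # no HTTP/2 on this side of the wrapper

    def _reply(self, result):
        status, ctype, payload = result
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        self._reply(handle_doh("GET", self.path, self.headers, b""))

    def do_POST(self):
        n = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(n, MAX_DNS_MSG + 1))
        self._reply(handle_doh("POST", self.path, self.headers, body))


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8053), DoHHandler).serve_forever()
```

With dnsmasq listening on loopback and this script started, a request such as `curl -H 'content-type: application/dns-message' --data-binary @query.bin http://127.0.0.1:8053/dns-query` returns the resolver's wire-format answer; the server itself never needs to see HTTP/2, which is exactly the division of labour proposed in the thread. The time, entropy and CA-list problem raised above is not solved by this shim; it is pushed into whatever terminates TLS in front of it.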
