Feature request DNS DoH measurement
Hi,
As DoH is getting more adoption, it would be interesting to have DoH query support on Atlas. With support added as an additional protocol for DNS measurement (currently TCP/UDP), most measurement creation/result parsing settings can be reused.
Yang
On 2020/05/20 22:00 , Yang Yu wrote:
> As DoH is getting more adoption, it would be interesting to have DoH query support on Atlas. With support added as an additional protocol for DNS measurement (currently TCP/UDP), most measurement creation/result parsing settings can be reused.
From a technical point of view it is not that simple. RFC 8484 recommends at least HTTP/2. Currently there is no support for HTTP/2 in the Atlas measurement code.
The bigger problem however is that there is a policy for RIPE Atlas to not allow http requests to arbitrary destinations. The reasoning is that connecting to certain webservers from certain countries could bring trouble to the probe hosts.
Of course policies are not set in stone. However, nobody has come up with a better policy proposal.
Note that Atlas does support DNS over TLS.
Hi,
Would it be possible for your servers to first verify whether a DOH address is really a DNS before running actual atlas tests? If you can do it from an IP address that also hosts a web page that explains the purpose of the test, anyone investigating traffic coming to them is easily informed.
Thanks,
Dave
On Fri, 22 May 2020 at 10:29, Philip Homburg <philip.homburg@ripe.net> wrote:
> On 2020/05/20 22:00 , Yang Yu wrote:
>> As DoH is getting more adoption, it would be interesting to have DoH query support on Atlas. With support added as an additional protocol for DNS measurement (currently TCP/UDP), most measurement creation/result parsing settings can be reused.
> From a technical point of view it is not that simple. RFC 8484 recommends at least HTTP/2. Currently there is no support for HTTP/2 in the Atlas measurement code.
> The bigger problem however is that there is a policy for RIPE Atlas to not allow http requests to arbitrary destinations. The reasoning is that connecting to certain webservers from certain countries could bring trouble to the probe hosts.
> Of course policies are not set in stone. However, nobody has come up with a better policy proposal.
> Note that Atlas does support DNS over TLS.
On 2020/05/23 8:35 , Dave . wrote:
> Would it be possible for your servers to first verify whether a DOH address is really a DNS before running actual atlas tests? If you can do it from an IP address that also hosts a web page that explains the purpose of the test, anyone investigating traffic coming to them is easily informed.
Some people want to use DoH from within a browser. If that gets popular, it could be that many webservers would also have DoH endpoints. In any case, for now that might be a sensible solution.
Some time ago it was proposed that the MAT working group would handle policy proposals for Atlas. So, whoever wants to make the effort to push the policy proposal through, please contact the chairs of the MAT wg on how they would like to handle this.
Philip
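Added example, not part of the thread and not RIPE Atlas code: one way the pre-check suggested above could decide whether a candidate URL answers as an RFC 8484 DoH server, by validating the HTTP reply to a probe query. The function names and the sample replies are constructed for illustration, and the code performs no network access.

```python
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1):
    """Wire-format query: ID 0 (RFC 8484 advice), RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_param(query):
    """Value for the ?dns= GET parameter: base64url without padding."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def looks_like_doh(status, content_type, body, query):
    """Return (ok, reason) for the HTTP reply a candidate endpoint gave to `query`."""
    if status != 200:
        return False, "HTTP status %d" % status
    if content_type.split(";")[0].strip().lower() != DOH_MEDIA_TYPE:
        return False, "unexpected media type"
    if len(body) < 12:
        return False, "body shorter than a DNS header"
    rid, flags, qdcount = struct.unpack("!HHH", body[:6])
    if rid != struct.unpack("!H", query[:2])[0]:
        return False, "DNS ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set"
    question = query[12:]
    if qdcount != 1 or body[12:12 + len(question)] != question:
        return False, "question section not echoed"
    return True, "DNS response"

# Constructed sample replies (not captured traffic).
QUERY = build_query("example.com")
GOOD_REPLY = struct.pack("!HHHHHH", 0, 0x8180, 1, 0, 0, 0) + QUERY[12:]
WEB_REPLY = b"<html><body>Not found</body></html>"

if __name__ == "__main__":
    print(doh_get_param(QUERY))
    print(looks_like_doh(200, DOH_MEDIA_TYPE, GOOD_REPLY, QUERY))
    print(looks_like_doh(200, "text/html; charset=utf-8", WEB_REPLY, QUERY))
```

A web server that returns an HTML page for the probe fails at the media-type step, so only endpoints that pass every check would be queued for probe measurements.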
participants (3)
- Dave .
- Philip Homburg
- Yang Yu