[Dnsmasq-discuss] Feature Request: DNS over TLS or HTTPS

Simon Kelley simon at thekelleys.org.uk
Mon Mar 6 15:49:20 UTC 2023 

If you were to implement this in dnsmasq, by far the best way would be 
to put proxy in front of dnsmasq.

The existing dnsmasq concurrency model just doesn't support the 
implementation. If relies on most queries happening over UDP, and the 
context for such queries being very minimal. Anything that happens over 
TCP (like TLS or HTTPs) is the opposite extreme, with a new dnsmasq 
process being spawned for each request. That's not scalable when you're 
going to run everything upstream over TCP.

Given that the preferred architecture is a proxy in front of dnsmasq, 
the next question is, do we have to implement that, or does it already 
exist?  A quick Google reveals several potential candidates and the one 
that I've most heard people are using is dnscrypt-proxy.

I have no personal experience with dnscrypt-proxy  or any of the other 
options, but before thinking about writing  another one, I'd like to be 
sure that none of the existing options are suitable, and that I couldn't 
persuade someone else to do the work rather than making it part of the 
dnsmasq effort.


Simon.



On 27/02/2023 18:06, Curzon Dax via Dnsmasq-discuss wrote:
> Greetings,
> 
> I checked through the last 1-2 years of the mailing list, and I hadn't 
> seen anything regarding DoT/DoH. If this has come up before and I missed 
> it, apologies in advance.
> 
> Thought I'd add a feature request for DNS over TLS or DNS over HTTPS 
> when dnsmasq is used as a DNS forwarder.
> 
> BIND is about to implement this in the next version, and I believe 
> Windows DNS is the last to the party among the other major DNS 
> recursors/forwarders.
> 
> I realize that this could add considerable size, scope, and complexity 
> to something which is inherently light weight and used on a lot of 
> embedded devices with very minimal storage. Perhaps something optional 
> at build time to avoid bundling large libraries/dependencies. embed-TLS 
> could be something to look at to ensure this feature could be built on 
> very-low-storage, embedded devices.
> 
> I know that many embedded devices (modems/routers) have some form of an 
> SSL library already, as many offer admin control over https://.
> 
> If there is interest by the developers/maintainers, perhaps we could 
> make a call for financial support from the major recursive providers 
> (Google, Quad9, Cloudflare, etc). I know a few of the DNS folks at these 
> organizations, and while I'm not making any promises or claims, it's 
> something I'd be happy to reach out to them about.
> 
> Thanks in advance.
> -Curzon
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

More information about the Dnsmasq-discuss mailing list