Google officially launches DNS-Over-HTTPS domain name security query service

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

On April 1, 2016, Google officially enabled the DNS-Over-HTTPS domain name security query service.

Traditional DNS requests and responses are sent in plaintext over UDP (in most cases) or TCP and are easy to hijack, especially on the path between the end user and the local DNS (i.e. the operator's recursive resolver). That hop is far less secure than the one from the local resolver to the authoritative name servers. Many techniques have tried to secure the end-user-to-resolver hop with authentication and encryption, but none of them has been widely deployed.

The real solution to DNS hijacking is full deployment of DNSSEC, but statistics show that less than 14% of global DNS traffic is protected by it. To provide better security and privacy during this transition period, Google launched the DNS over HTTPS query service on April 1, 2016 (a date presumably chosen deliberately) as a strong complement to DNSSEC, giving end-to-end verification of DNS requests.

Google's DNS over HTTPS is easy to use: queries are plain HTTP GET requests and results come back as JSON, so it can be integrated easily from any development stack (Python/PHP/JavaScript, etc.).

The service supports the following parameters:

Name

The only required parameter: a string giving the domain name to query. Its length is 1-255 characters, drawn from [0-9a-zA-Z.-]. Non-ASCII characters are not supported.

Type

Optional string, default 1. The RR type may be given as a number in [1, 65535] or as the canonical string (A, AAAA, etc.). Currently supported: A, AAAA, CNAME, MX, ANY, PTR.

Cd

Boolean, default false. The CD (Checking Disabled) flag; when set to true, DNSSEC validation is disabled. Accepted forms: cd, cd=0, cd=1, cd=false, cd=true.

Edns_client_subnet

Optional string, default empty. This is the edns0-client-subnet option, in IP/mask form. For example: 1.2.3.4/24, 2001:700:300::/48.

For reverse resolution, taking taobao.com as the example, either form can be queried: 110.75.115.70 or 70.115.75.110.in-addr.arpa.

Google Public DNS normally sends a coarse, anonymized client subnet to the authoritative name server so that the server can pick the IP best suited to the client's location.

Google has been considerate here: if you use DNS over HTTPS for privacy reasons and do not want any of your network information sent to authoritative name servers, set edns_client_subnet=0.0.0.0/0. What a conscientious service!

DNS response format is JSON

A successful response

{
  "Status": 0,                        // DNS status: standard DNS response code
  "TC": false,                        // Whether the response is truncated
  "RD": true,                         // Always true for Google Public DNS
  "RA": true,                         // Always true for Google Public DNS
  "AD": false,                        // Whether all data in the response has been cryptographically verified
  "CD": false,                        // Whether the client asked to disable DNSSEC
  "Question": [
    {
      "name": "taobao.com.",          // FQDN with trailing dot
      "type": 1                       // Standard DNS RR type
    }
  ],
  "Answer": [
    {
      "name": "taobao.com.",          // Must match the name in the question
      "type": 1,                      // Standard DNS RR type
      "TTL": 20,                      // In seconds
      "data": "110.75.115.70"         // IP address in text form
    },
    {
      "name": "taobao.com.",
      "type": 1,
      "TTL": 20,
      "data": "140.205.220.96"
    }
  ],
  "Additional": [],
  "edns_client_subnet": "119.29.29.29/0"   // IP address with network mask
}

If the request fails, diagnostic information is returned:

{
  "Status": 2,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "dnssec-failed.org.",
      "type": 1
    }
  ],
  "Additional": [],
  "edns_client_subnet": "119.29.29.29/0",
  "Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/dnssec-failed.org/dnssec/."
}

Although HTTP itself has no truncation problem, the response from the authoritative server may have been truncated, so the TC field is still needed to flag that. Also, because HTTP messages have no size limit, EDNS is handled differently from the normal EDNS mechanism: the client subnet is a parameter in the request and a field in the response.

The service is still in beta, so the parameters and the returned JSON format may change, but in Google's usual style there should be a smooth, backward-compatible upgrade path.

If you want to try it, go to https://dns.google.com. Readers behind the wall will need their own way around it; in other words, Google's DNS is hard to reach from inside the wall, so this service is presumably not usable in China.

Querying from the command line:

$ curl 'https://dns.google.com/resolve?name=www.126.com'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {"name": "www.126.com.", "type": 1}
  ],
  "Answer": [
    {"name": "www.126.com.", "type": 5, "TTL": 11215, "data": "mcache.mail.163.com."},
    {"name": "mcache.mail.163.com.", "type": 5, "TTL": 16975, "data": "email.163.com.lxdns.com."},
    {"name": "email.163.com.lxdns.com.", "type": 1, "TTL": 116, "data": "176.34.63.150"}
  ]
}
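As an added example (not code from the original post or from Google), here is a small Python client for the JSON API described above: it builds the GET URL from the parameter list, sending edns_client_subnet=0.0.0.0/0 for privacy, reduces a reply to the Status, TC and AD fields a caller must check before trusting it, and follows a CNAME chain in the Answer section to the final A records. The two response bodies are taken from the page's own examples so it runs offline; no live request is made.

```python
import json
import re
from urllib.parse import urlencode

# Endpoint and name rule as described on the page (1-255 chars, [0-9a-zA-Z.-], ASCII only).
DOH_ENDPOINT = "https://dns.google.com/resolve"
NAME_RE = re.compile(r"^[0-9A-Za-z.-]{1,255}$")
# Sending 0.0.0.0/0 asks Google not to forward any client network information upstream.
NO_CLIENT_SUBNET = "0.0.0.0/0"

# Response bodies copied from the page's own examples (not fetched live, so this runs offline).
SUCCESS_BODY = '''{"Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
 "Question": [{"name": "www.126.com.", "type": 1}],
 "Answer": [{"name": "www.126.com.", "type": 5, "TTL": 11215, "data": "mcache.mail.163.com."},
  {"name": "mcache.mail.163.com.", "type": 5, "TTL": 16975, "data": "email.163.com.lxdns.com."},
  {"name": "email.163.com.lxdns.com.", "type": 1, "TTL": 116, "data": "176.34.63.150"}]}'''
FAILURE_BODY = '''{"Status": 2, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
 "Question": [{"name": "dnssec-failed.org.", "type": 1}], "Additional": [],
 "Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/dnssec-failed.org/dnssec/."}'''

def build_query_url(name, rr_type="A", cd=False, edns_client_subnet=NO_CLIENT_SUBNET):
    """Build the GET URL for one query; reject names the service would not accept."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid name for the resolve API: {name!r}")
    params = {"name": name, "type": rr_type, "cd": "true" if cd else "false",
              "edns_client_subnet": edns_client_subnet}
    return f"{DOH_ENDPOINT}?{urlencode(params)}"

def interpret_response(body):
    """Reduce a resolve JSON body to the fields a caller must check before trusting it."""
    resp = json.loads(body)
    return {
        "status": resp["Status"],                   # standard DNS rcode, 0 = NOERROR
        "ok": resp["Status"] == 0,
        "truncated": resp.get("TC", False),         # upstream answer was cut short
        "dnssec_validated": resp.get("AD", False),  # true only when every record was verified
        "comment": resp.get("Comment"),             # diagnostic text on failure
        "answers": [(a["name"], a["type"], a["data"]) for a in resp.get("Answer", [])],
    }

def final_addresses(answers, qname):
    """Follow the CNAME chain (type 5) in the Answer section to the A records (type 1) it ends at."""
    cname = {n.rstrip(".").lower(): d.rstrip(".").lower() for n, t, d in answers if t == 5}
    target, seen = qname.rstrip(".").lower(), set()
    while target in cname and target not in seen:   # guard against a CNAME loop
        seen.add(target)
        target = cname[target]
    return [d for n, t, d in answers if t == 1 and n.rstrip(".").lower() == target]
```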

At present, this function is still in the beta stage.

Google developer documentation page: https://developers.google.com/speed/public-dns/docs/dns-over-https

Some students will say that many domestic companies already have similar products:

Tencent has HTTPDNS, which is better understood as a tool for scheduling its own traffic: it only resolves Tencent's own domains, is based on plain HTTP, and is not offered to the public as a service.

DNSPod offers DNS over HTTP, called D+. Its feature set is simple (plain HTTP, no EDNS support), and it still charges for encryption! If dns.google.com were reachable domestically, DNSPod's D+ would be killed off the moment this DNS over HTTPS service appeared.

Google's DNS over HTTPS gives users, free of charge:

Highly available query

Support for EDNS option

User privacy protection

Support for DNSSEC Validation

Support for common Record Types

It can be used as a debugging tool to return the cause of query failure.

Although the service is good, it has one shortcoming: batch queries of multiple domain names are not supported. I hope they add that in the future; however, supporting batch queries would require the POST method because of URL length limits.

Remarks

As mentioned earlier, less than 14% of global DNS requests are DNSSEC-validated; this can be checked on the statistics site below.

http://stats.labs.apnic.net

The site reports not only DNSSEC traffic but also Google Public DNS traffic. Currently, Google Public DNS accounts for 12% of all DNS queries worldwide!

There was already a way to encrypt DNS resolution before this; see my other article:

http://professor.blog.51cto.com/996189/1601753 (bind + DNSCrypt for secure, encrypted forwarding that avoids DNS poisoning)
