[dnsdist] Announcing: DNS over HTTPS on doh.powerdns.org

Dear PowerDNS people,

[tl;dr: if you want to do DNS over HTTPS, you can configure https://doh.powerdns.org/ in Firefox Nightly [1]. This is built on the dnsdist DoH branch [2]. If you are a service provider, we need to hear from you: what features do you need from us before you'll consider enabling DNS over TLS and DNS over HTTPS for your users?]

Over the past few months there has been a lot of discussion on various mailing lists and at conferences about 'DNS over HTTPS'. As you know, DNS is currently almost always unencrypted, which makes it a privacy problem for anyone whose traffic can be sniffed. Over at PowerDNS (and Open-Xchange, of which we are a part), privacy is super important. Encrypt all the things. We were therefore early in implementing DNS over TLS in dnsdist.

(DNS over TLS happens on port 853, and if you run a nameserver, you'll see more and more Android Pie phones attempt to get their DNS over that port. If you offer it, it will work, and you'll help improve the privacy and integrity of the internet.)

Recently, Mozilla (who make Firefox) decided to take things one step further. They have opined that service providers can't be trusted and that they would like Firefox, by default, to move DNS to a 'Trusted Recursive Resolver', hosted in this case by Cloudflare. Details here: https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/ If they do that, Firefox users will no longer use your DNS, they will use Cloudflare's DNS. By default. The technology used for this is called DNS over HTTPS and it operates on port 443. It has also been designed to be almost impossible to block.

Over at PowerDNS & Open-Xchange, we believe in an open and decentralized internet. We're also worried about governments that love to spy on the rest of the world. We therefore do not think it is a good idea to move DNS traffic to big single companies in countries potentially far away.
However, we also think that when Mozilla says DNS is unencrypted, they have a point. Service providers should be offering encrypted DNS. Because of this, we are working hard to make dnsdist the DNS-over-TLS and DNS-over-HTTPS solution service providers need, so that they can turn on these protocols without worry. If service providers themselves offer encrypted DNS, that is one argument less for centralising recursion on one CDN.

To that end, we are already working with some large scale DNS operators to get them to deploy DoT and DoH, and this has already led to some specific features. For example, renewing certificates for DoT can now happen without downtime. We also think we should fully automate that renewal through Let's Encrypt and send out SNMP traps/alerts should it fail.

So that you can try it, we are also offering our own experimental DoH service at https://doh.powerdns.org, which you can enable in Firefox or in one of the many DoH proxies.

[1] https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

But we bet there are more things holding service providers back from offering DNS over HTTPS. So our question to you is: what is holding you back from offering DNS over TLS and DNS over HTTPS? Is there anything we can do? Are there missing features, are you worried about load balancing or performance, anything at all? Please let us know.

If you want to try dnsdist DoH support yourself, head to:

[2] https://github.com/ahupowerdns/pdns/tree/dnsdist-doh

The configuration statement is:

addDOHLocal("136.144.215.158:443", "/etc/letsencrypt/live/doh.powerdns.org/fullchain.pem", "/etc/letsencrypt/live/doh.powerdns.org/privkey.pem")

Good luck!
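Once you have a DoT listener on 853 or the addDOHLocal listener on 443 up, you will want to check from the outside that it actually answers. The following is an added client-side example in Python; it is not part of this announcement or of dnsdist itself. It builds the wire-format query, frames it the way DNS over TLS expects (RFC 7858: the two-byte length prefix of DNS over TCP) and encodes it for a DNS over HTTPS GET (RFC 8484: base64url without padding in the dns= parameter), then parses the answer section, refusing compression-pointer loops. The /dns-query path is an assumption (the announcement only names https://doh.powerdns.org/), and the embedded reply is constructed so the parser can be exercised offline.

```python
"""DoT (RFC 7858, port 853) and DoH (RFC 8484, port 443) client plumbing.
Added example; not part of the announcement or of dnsdist."""
import base64
import socket
import ssl
import struct
import urllib.request


def build_query(name, qtype=1):
    """Minimal wire-format query: ID 0 (RFC 8484 recommends it for DoH so the
    GET URL is cache-friendly), RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint, wire):
    """RFC 8484 GET form: ?dns= carries the query base64url-encoded, unpadded."""
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + dns


def dot_frame(wire):
    """DoT reuses DNS-over-TCP framing: two-byte big-endian length prefix."""
    return struct.pack("!H", len(wire)) + wire


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:                        # refuse pointer loops
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg):
    """Return (rcode, [(owner, type, ttl, rdata)]) for the answer section;
    A/AAAA rdata is rendered as text, other types stay raw bytes."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        answers.append((owner, rtype, ttl, rdata))
    return flags & 0x0F, answers


def query_dot(host, name, port=853):
    """Live DoT query: TLS with certificate and host-name verification, then
    the length-prefixed exchange. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(build_query(name)))
            stream = tls.makefile("rb")
            (length,) = struct.unpack("!H", stream.read(2))
            return parse_answers(stream.read(length))


def query_doh(endpoint, name):
    """Live DoH GET; rejects a reply that is not a DNS message. Needs network."""
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type")
        if ctype != "application/dns-message":
            raise ValueError("not a DoH reply: %s" % ctype)
        return parse_answers(resp.read())


# Constructed sample reply for offline use: A? example.org answered with one
# A record 192.0.2.1, TTL 300, owner name written as a pointer to offset 12.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                + b"\x07example\x03org\x00" + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    # /dns-query is an assumed path; the announcement only names the host.
    print(doh_get_url("https://doh.powerdns.org/dns-query", build_query("example.org")))
    print(parse_answers(SAMPLE_REPLY))
```

Against a live listener, query_dot("doh.powerdns.org", "example.org") and query_doh("https://doh.powerdns.org/dns-query", "example.org") should return the same rcode and answers; a DoT front-end that serves an expired or mismatching certificate fails in the TLS handshake rather than silently, which is exactly the failure the zero-downtime renewal above is meant to prevent.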