now supports ODoH proxying

Earlier today, Cloudflare announced support for ODoH, a new protocol that (somewhat) solves the problem of having to place significant trust in your DoH provider. The solution involves leveraging a proxy to pass on your request in such a manner that the proxy doesn’t know what your request is, and the DNS resolver doesn’t know who you are. The solution is not perfect - if the proxy and the resolver collude, you’re back at where you started. However, with lower latency than DNS-over-HTTPS-over-Tor, and with (probably) more privacy than standard DNS-over-HTTPS, it might be a sweet-spot for some users. If you’re into this sort of tech, the blog post linked above is very interesting on the protocol and tradeoffs involved.

In any case, the DoH service I run at now also supports ODoH proxying, reverse proxying a stripped-down version of Chris Wood’s odoh-server.

To test this:

  1. Clone the odoh-client-go repo
  2. Change the default proxy mode to HTTPS in common.go
  3. Run go build -o odoh-client ./cmd/...
  4. Run ./odoh-client odoh --domain --dnstype A --target --proxy

You should hopefully see something like:

$ ./odoh-client odoh --domain --dnstype A --target --proxy
;; opcode: QUERY, status: NOERROR, id: 52470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;     IN       A

;; ANSWER SECTION:      8245    IN      A

As far as I’m aware there are no commonly used clients that support ODoH at the moment, but I will update the instructions on should that change.

Written by Feroz Salam on 08 December 2020