Ahsan Nabi Dar

How I made a poor man's personal Oblivious DNS over HTTPS

What is better than a personal ad-blocking DNS node? A personal DoH node. And what's better than DoH? A personal ODoH node 😎. ODoH is a newly proposed DNS standard co-authored by Cloudflare, Apple and Fastly. It is not yet publicly available for general use; Cloudflare has released some clients (details in the link), but I am not using any of them for my setup/version of ODoH 😉

The good old DNS is too old to have any modern-day security or privacy concerns addressed.
DNS

DNS over HTTPS is a much-needed upgrade: it protects user DNS queries from internet service providers and other intermediaries, preventing man-in-the-middle attacks and blocking of traffic. Some critics raise concerns over its malicious use, since governments and authorities can no longer track user requests. There is still one place where this information is available: the upstream DNS server that answers the queries. Many providers claim no logging, logging for a short period for audit purposes (Cloudflare), or anonymised storage of the requests (Google). So the user's IP is still "leaked" to the DNS provider.

DoH

Enter Oblivious DNS over HTTPS

As stated in the introduction of the new standard:
"ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time."

ODoH

So I decided to upgrade my personal DNS to not just DoH but ODoH.

Ideally an ODoH deployment would host the proxy and the target separately, since its main underlying principle is that the proxy and the target cannot collude; hence their communication needs to be encrypted. In my case, as long as I separate my IP from the DNS queries it fulfils the ODoH criteria: traffic between my proxy (Obliviator) and target (PiHole) is private, and the upstream DNS is over HTTPS via cloudflared.

The service that acts as the proxy is written in Elixir, which keeps it fast, and it can be made faster by adding some caching. It's called Obliviator. It sends queries to PiHole, masking the client IP. I selected Elixir because of how it operates: no single query will slow down the service, and no single error will cause a failure.

I learned a lot of new and interesting things, including that the DNS wire format is a pain to work with; thanks to the open-source world for having implementations of it, I didn't have to write my own and could use a library for this project. Also, no one uses the 'application/dns-json' content type; every service uses 'application/dns-message'.

PiHole in my setup no longer sees the client's IP, and I have an HTTPS endpoint to which DoH clients can send queries. It fulfils the criteria, and even if I missed something, it's better than nothing.
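As an added illustration in Python (not the author's Elixir Obliviator code) of the two pieces described above: encoding a question in the DNS wire format that proved painful, and the proxy step that rebuilds the upstream request so the target never receives the client's address. The header allow-list and the pointer-loop limit are my assumptions, and it does not cover the public-key encryption layer of the real ODoH specification.

```python
import struct

DNS_MESSAGE = "application/dns-message"  # the media type DoH services actually use

def build_query(name, qtype=1):
    """Single-question DNS query in RFC 1035 wire format. ID is 0 and only RD
    is set, as RFC 8484 recommends, so equal questions give cacheable bodies."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def decode_name(msg, off):
    """Decode a wire-format name at `off`, following compression pointers.
    Returns (name, offset just past the name as it sits in the byte stream)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            jumps += 1
            if jumps > 16:                             # assumed guard against pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def question_of(msg):
    """Return (qname, qtype) of the first question, or raise if it is not DNS."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question")
    name, off = decode_name(msg, 12)
    return name, struct.unpack("!H", msg[off:off + 2])[0]

def proxy_request(client_headers, body):
    """Rebuild the request the proxy sends to the target from an allow-list, so
    X-Forwarded-For, User-Agent, cookies etc. never reach PiHole (assumed list)."""
    ctype = {k.lower(): v for k, v in client_headers.items()}.get("content-type")
    if ctype != DNS_MESSAGE:
        raise ValueError(f"unsupported content type: {ctype!r}")
    question_of(body)                                  # reject non-DNS bodies early
    return {"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE,
            "Content-Length": str(len(body))}, body
```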


The entire thing is a little more complex than I have put into words for my setup, hence I named it JARVIS.


And my (O)DoH can even outperform #Google (at times) 😬
