
Show HN: dingo - a Google DNS-over-HTTPS caching proxy in Go - pjf
https://github.com/pforemski/dingo
======
davidu
DNSCrypt ([https://dnscrypt.org/](https://dnscrypt.org/)) would be more
elegant here (DTLS also okay) and is in-band wrapper for DNS. It's what TLS is
for HTTP but for DNS and keeps things UDP.

Worth pointing out, this is not a google project, it just uses Google's DNS
over HTTP endpoint.

We have one we made at
[https://www.openresolve.com/](https://www.openresolve.com/)

------
pjf
Thanks for all your comments. Below I put quick replies to some of them:

1/ I hope to update the project to use QUIC soon, so it will use encrypted UDP
to fetch DNS data from Google Public DNS. It is somehow similar to the DNS
over DTLS idea, developed under IETF dprive WG.

2/ dingo does not need to resolve dns.google.com. Providing the server IP
address is enough (IPv4 or IPv6, make sure it is close to your location).
dingo verifies the server certificate to make sure we talk to Google. It can
even "spoof" the TLS SNI string to avoid HTTPS firewalls, too (by default it
asks for www.google.com, which is pretty benign).

3/ Last but not least, it's just my first non-trivial Golang project - thanks
for all your suggestions! :)

~~~
textmode
"It can even \"spoof\" the TLS SNI string to avoid HTTPS firewalls..."

Are you confirming SNI is being used for censorship?

~~~
clinta
Plenty of content blockers support blocking domains based on SNI. Here's just
a couple of examples from a quick google search.

[https://wiki.untangle.com/index.php/Web_Filter#HTTPS_Options](https://wiki.untangle.com/index.php/Web_Filter#HTTPS_Options)

[http://www.watchguard.com/help/docs/wsm/xtm_11/en-
us/content...](http://www.watchguard.com/help/docs/wsm/xtm_11/en-
us/content/en-us/proxies/https/https_domain_names_c.html)

------
wyattjoh
The use of `go run` here makes adopting this very hard. The benefit of using
Go for projects (in my experience) is that you can build for multiple OS/Arch
super, super easy. I'd thin that having uploaded artefacts would be the first
thing most people do when releasing Go code into the wild that is meant to be
consumed by someone just wanting to run the program.

~~~
icholy
go get github.com/pforemski/dingo

~~~
gouggoug
I think the point wyattjoh was making is that having to install the go
toolchain is hindering adoption and that giving downloadable binaries that you
could run directly, like `./dingo` would be nicer.

~~~
zalmoxes
Thats a great point. As a Go developer I always try to make sure that there's
a linux and binary for my small projects released on github. I'm surprised
more Go devs don't do this. The toolchain makes it very easy to update
releases. You can also use ldflags to set the current git revision and branch
into the project.

Here's an example release.sh I have in most of my projects
[https://github.com/micromdm/scep/blob/master/cmd/scepclient/...](https://github.com/micromdm/scep/blob/master/cmd/scepclient/release.sh)

------
allendoerfer
Encryption is nice, but does it have to be the overhead of HTTP? What would be
a sensible alternative protocol?

~~~
zokier
DNSCrypt or RFC7858 (dprive) are probably closest equivalents.

~~~
ademarre
I suppose it could also be implemented with DTLS [0] over UDP [1]. (Checking
Wikipedia...) A 2013 paper [2] published some vulnerabilities; mostly
implementation flaws, but it raised some questions about the core spec as
well.

However you implement it, encrypting DNS probably has it's place, but it
doesn't make a whole lot of sense for most applications.

[0]
[https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Secur...](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security)

[1] [https://tools.ietf.org/html/rfc6347](https://tools.ietf.org/html/rfc6347)

[2]
[http://www.isg.rhul.ac.uk/~kp/dtls.pdf](http://www.isg.rhul.ac.uk/~kp/dtls.pdf)

~~~
zokier
There are IETF drafts actively being worked on for DNS over DTLS:

[https://datatracker.ietf.org/doc/draft-ietf-dprive-
dnsodtls/](https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsodtls/)

[https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-
and-...](https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-
profiles/)

------
ShakataGaNai
Am I the only one who took a quick look at this and went "How can this DNS be
'secure' if it has to use normal DNS to look up dns.google.com?"

~~~
advisedwang
Because you validate the certificate presented so that you know the endpoint
is really Google.

------
x0rx0r
This is very cool. If you compile it into a go executable and run it with the
-dbg 3 option it shows all the lookup information for the clients.

------
yegle
My friend also wrote a similar tool in Go. This tool uses Taobao's API to
detect your external IP address so edns will not be fixed string.

[https://github.com/ayanamist/gdns-go](https://github.com/ayanamist/gdns-go)

------
vemv
What problem does this project solve?

It's not immediately obvious what the thing does from the description.

~~~
dexterdog
When you are out and about with your laptop you are usually making your DNS
calls to the local router which many view as a big privacy concern. Even if
you use something like google's 8.8.8.8 and 8.8.4.4 public DNS servers as your
defaults the traffic is easily sniffable.

~~~
icebraining
When you connect to any site, your browser sends the domain in clear-text
(even for HTTPS - see SNI). The only way to avoid this is to use a VPN, but
then you can route regular DNS over that too.

------
jzelinskie
This code needs a pass through gofmt, among many of the other Go linting
technologies.

