Skip to content

Commit

Permalink
update docs to cover DoH privacy via an additional proxy
Browse files Browse the repository at this point in the history
  • Loading branch information
cottand committed Nov 2, 2024
1 parent d971425 commit e8179f0
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 8 deletions.
29 changes: 21 additions & 8 deletions doc/src/DNS/Privacy.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,6 @@ for most major browsers ([see how here](https://developers.cloudflare.com/1.1.1.

See how to set it up for leng at [DNS-over-HTTP](DNS-over-HTTPS-(DoH).md).

If all you want is to use DoH, and you do not really care about ad/tracking-blocking,
using leng instead of an existing DoH provider directly has little
benefit: you will be getting
all the features of DoH, but the DNS provider will still know what you are visiting.
There isn't an easy way around this: we need to resolve your DNS query somehow!



## As a DoH proxy

Expand All @@ -27,8 +20,9 @@ If you have your own private secure network, you can stop
attackers from learning what websites you visit by using leng as
a secure proxy:

```mermaid
<div style="text-align: center">

```mermaid
graph TD
subgraph Secure Network
U("🧘 User") --> |"🔓 Insecure\nDNS-over-UDP"|L[Leng]
Expand All @@ -37,6 +31,8 @@ graph TD
A("👿 Attacker") ---> |Cannot see contents\nof DNS requests | Up
```

</div>

This way you allow 'insecure' DNS, but only inside your network,
and your requests are private to external attackers.

Expand All @@ -48,3 +44,20 @@ other methods. You can choose the upstream DoH resolver in the
> Note that this method is only as secure as your network is!
> Ideally set up as many devices as possible to use DoH directly

## Preserving privacy against a single upstream

If you do not trust upstream providers with your privacy, ideally you should
not send all your requests to any one of them. Because of the authoritative nature of DNS, asking _some_ upstream
cannot be avoided, but the best you can do is use a fully recursive resolver like [unbound](https://github.com/NLnetLabs/unbound).
You can still use non-recursive DNS proxies (leng, blocky, or CoreDNS) and their features
by using unbound as your upstream, and letting unbound resolve your queries.

<div style="text-align: center">

```mermaid
graph LR
you(("You")) --> leng(leng) --> unbound(unbound) -.-> u1["upstream A"] & u2["upstream B"] & u3["upstream C"]
```
</div>
2 changes: 2 additions & 0 deletions handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,8 @@ func (h *EventLoop) responseFor(Net string, req *dns.Msg, _local net.Addr, _remo
return nil, false
}

// if we were doing DNS over UDP, and we got a truncated response,
// we retry in TCP in hopes that we do not get a truncated one again.
if mesg.Truncated && Net == "udp" {
mesg, err = h.resolver.Lookup("tcp", req, h.config.Timeout, h.config.Interval, h.config.Upstream.Nameservers, h.config.Upstream.DoH)
if err != nil {
Expand Down

0 comments on commit e8179f0

Please sign in to comment.