[atlas] Feature request DNS DoH measurement

Yang Yu

2020-05-20 22:00:27 CET

Hi,

As DoH is getting more adoption, it would be interesting to have DoH
query support on Atlas. With support added as an additional protocol
for DNS measurement (currently TCP/UDP), most measurement
creation/result parsing settings can be reused.


Yang


Philip Homburg

2020-05-22 10:29:32 CET

RIPE NCC staff member

On 2020/05/20 22:00 , Yang Yu wrote:
> As DoH is getting more adoption, it would be interesting to have DoH
> query support on Atlas. With support added as an additional protocol
> for DNS measurement (currently TCP/UDP), most measurement
> creation/result parsing settings can be reused.

From a technical point of view it is not that simple. RFC 8484
recommends at least HTTP/2. Currently there is no support for HTTP/2 in
the Atlas measurement code.

The bigger problem however is that there is a policy for RIPE Atlas to
not allow http requests to arbitrary destinations. The reasoning is that
connecting to certain webservers from certain countries could bring
trouble to the probe hosts.

Of course policies are not set in stone. However, nobody has come up
with a better policy proposal.

Note that Atlas does support DNS over TLS.

Dave .

2020-05-23 08:35:34 CET

Hi,

Would it be possible for your servers to first verify whether a DOH address
is really a DNS before running actual atlas tests? If you can do it from an
IP address that also hosts a web page that explains the purpose of the
test, anyone investigating traffic coming to them is easily informed.

Thanks,
Dave


On Fri 22 May 2020 at 10:29, Philip Homburg <philip.homburg _at_ ripe _dot_ net> wrote:

> On 2020/05/20 22:00 , Yang Yu wrote:
> > As DoH is getting more adoption, it would be interesting to have DoH
> > query support on Atlas. With support added as an additional protocol
> > for DNS measurement (currently TCP/UDP), most measurement
> > creation/result parsing settings can be reused.
>
> From a technical point of view it is not that simple. RFC 8484
> recommends at least HTTP/2. Currently there is no support for HTTP/2 in
> the Atlas measurement code.
>
> The bigger problem however is that there is a policy for RIPE Atlas to
> not allow http requests to arbitrary destinations. The reasoning is that
> connecting to certain webservers from certain countries could bring
> trouble to the probe hosts.
>
> Of course policies are not set in stone. However, nobody has come up
> with a better policy proposal.
>
> Note that Atlas does support DNS over TLS.
>
>

Philip Homburg

2020-05-25 10:52:20 CET

RIPE NCC staff member

On 2020/05/23 8:35 , Dave . wrote:
> Would it be possible for your servers to first verify whether a DOH
> address is really a DNS before running actual atlas tests? If you can do
> it from an IP address that also hosts a web page that explains the
> purpose of the test, anyone investigating traffic coming to them is
> easily informed.

Some people want to use DoH from within a browser. If that gets popular,
it could be that many webservers would also have DoH endpoints.

In any case, for now that might be a sensible solution. Some time ago it
was proposed that the MAT working group would handle policy proposals
for Atlas. So, whoever wants to make the effort to push the policy
proposal through, please contact the chairs of the MAT wg on how they
would like to handle this.

Philip
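
The pre-check Dave suggests above, confirming that an address really answers as a DoH server before measurements target it, could look like the following. This is an added example, not part of the thread and not RIPE Atlas code; the function names and sample replies are constructed for illustration, and the HTTP exchange itself is left out so that only the RFC 8484 query encoding and the reply validation are shown.

```python
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query with ID 0, which RFC 8484 suggests for HTTP caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_param(query: bytes) -> str:
    """Value for the ?dns= GET parameter: base64url without padding."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def looks_like_doh(status: int, content_type: str, body: bytes, query: bytes) -> bool:
    """True only if an HTTP reply is a plausible DNS response to `query`."""
    if status != 200:
        return False
    if content_type.split(";")[0].strip().lower() != DOH_MEDIA_TYPE:
        return False
    if len(body) < 12:  # shorter than a DNS header
        return False
    ident, flags, qdcount = struct.unpack("!HHH", body[:6])
    if ident != 0 or not flags & 0x8000 or qdcount != 1:  # QR bit marks a response
        return False
    question = query[12:]
    return body[12:12 + len(question)] == question  # our question must be echoed


# Constructed sample replies (not captured traffic).
QUERY = build_query("www.example.com")
DNS_REPLY = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
HTML_REPLY = b"<html><body>Not found</body></html>"

if __name__ == "__main__":
    print("GET /dns-query?dns=" + doh_get_param(QUERY))
    print("DNS reply accepted: ", looks_like_doh(200, DOH_MEDIA_TYPE, DNS_REPLY, QUERY))
    print("HTML reply accepted:", looks_like_doh(200, "text/html", HTML_REPLY, QUERY))
```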