Re: [Doh] Running code

Massimiliano Fantuzzi <> Wed, 07 March 2018 15:35 UTC

List-Id: DNS Over HTTPS <>

Hi to the Doh mailing list and group,

Bringing your attention to an interesting project (born around 2009).
DNSP is written in C (local client server) and PHP (remote resolver): it WAS NOT built on "H2 compliancy" at
the time, quite obviously.
Now thanks to more recent CURL libs, the H2 part has been added and is passing
tests; by this weekend I can commit to have it completely DOH-aware.

Some functions/plugins for DNSP are being staged and are to be released soon.
More features are to be supported with minimum effort.
Redis cache for example is trivial, adding QUIC might not be. Please let me
know your feedback!
The tree of the project might look ugly to you; I am not a software
engineer, just a passionate technician (sysadmin/networking/webservers/db)
with sufficient debug skills.

The initial credit goes to Andrea Fabrizi who created alpha DNSP back in
Since 2010 I have been thinking of how to expand this idea further, and got
lucky enough to test its functionality within a small satellite provider in
some time later (2013) [1]
Andrea has fully authorized me to take on his project as he would not have
interest or time to carry on. Code changed quite a bit, but the core hasn't
(principle was good).
I even created an Arduino version, as POC and for fun :)

As I could not find any draft on a DOH topic back then (DNSSEC was rolling
out) I cannot even name that many experiments on embryonic DoH ancestors,
per my knowledge.
The only 3 examples deserving a credit for being innovative in vehiculating
DNS over different channels are to me "dnspod"[2] and Pcap_DNSProxy[3] and
more recently, ChinaDNS[4]. There might be others, I let you complete.

 - DNSP did its modest job against DNS censorship
and leaks, offering a *mitigation* to TOR-leaks and helping people bypass
Chinese walls or anycast/proximity DNS... outside of Torsocks (I was on
that for a short time).
 - It also proved to be "practical" on highly-delayed network paths with
possibly high packet loss (airplanes use squid to cache traffic as much as
 - Since geolocation, anycast and CDNs stepped into the game, such a tool
proved helpful as a valuable workaround in *some* situations (a user
reported watching Netflix via DNSP, not sure if it still holds true, it is not
my scope).

Hopefully just less than a month ago I discovered the D-o-H draft version 3
and this working group....
*Such a relief!! I have been waiting on DoH even prior to its "official"
birth :)*

After I got to know about the upcoming London IETF Hackathon, I am
implementing a DOH set of features including ease of use and ease of deployment
(for the moment it is more a local DNS than a distributed one; it is not
impossible to scale out, it is just threads and send_to).
The phase of making it compliant with the DOH-proposed format(s) is almost
completed (check the README or run the code).
In my simplistic roadmap I am still somehow willing to support Google DNS
and keep supporting my ultrabasic standard (the q-type is contained in the
GET/POST request; simplistic, but my initial purpose was to shorten
answers, by tailoring the response packet without ADDITIONAL and AUTHORITY
sections) and vehiculating such via proxied HTTP (fast responses, TTL

Probably there was no buzz about DNS over HTTP because such a
transport/encapsulation direction was not foreseeable or desired a few years
ago.... surely there will be objections, in terms of traceability (law
enforcement to mention one).
The increased demand for "anonymity", for "security", along with the
increasing size of DNS messaging and the advent of H2 made it convenient to
*try* and serve the DNS by the same means we serve web pages, possibly along
the same iteration (i.e. browser integration with APIs). I have again some
doubts on the logging of such requests, but this is probably an open point

Then just to complete the story, some time in 2016 I saw the Google
HTTPS DNS service being published but I was busy so I sincerely do not
remember interacting with it a lot. [5]
Unfortunately, I think it didn't raise a lot of interest, nor did it get
fully advertised... Is it true? Am I totally wrong?

Happy to address you all, apologies for the long thread/simple language. Hope
you will appreciate DNSP as a wannabe DOH local server.

See you 17/18 March at the Hilton Metropole!
Thanks for your time,
Massimiliano (Max)


[1]: satellite connectivity made me need short responses and HTTP is
more friendly to billing; UDP was getting lost and users were unhappy.
[2]: made in China out of similar branch of mine ( and https:// htt
[3]: Chinese Windows proxy was just inspirational sometimes and made me
curious about China internet situation, but this project had no HTTP
[5]: Just my 2c: let's compare for a second the SPDY evolution into H2, and
look at DOH (or alternatives of it) as the next promising tech. IMHO, this
Google DNSHTTPS experimental product came a bit later than "expected".
How many millions of users are on standard DNS? Whole enterprises
(not nice of them, that's why they *used to* get throttled)... The
forwarder view offered by Google has been "accepted" by its users for a
longer time than any other "free" DNS service, i.e. OpenDNS. We believe
that Google made an astounding commercial choice in using all 8s
digits. This is why I say that this DNS/HTTPS Google service was launched
"late", just because big G earned an enormous share of the free DNS market
and obviously is always in the position to help support DOH
adoption/advertisement with such an easy mnemonic choice!! Free-of-charge
Google services are attractive. I recall that the Google service is not DOH
compliant, but I see a common intent.
Does anyone have some numbers on HTTPS service, in terms of active users (or system
uptime/faults)? Just approximately?
BTW, IBM owns and HP, mnemonic choices do "avoid re-translating something we
already know by heart" (it is a bit like "thinking in the same language your
conversation happens to be", considered a must in foreign languages

With kind regards,
Massimiliano Fantuzzi


*Massimiliano Fantuzzi*
*IT professional, expert in DB Linux and networks.*

*+41 76 754 1037*