Feat: DNS lookup via the proxy (DoH) #507
Conversation
|
Nice! DoH is so underrated IMO. I even have a proxy that does DoH-over-SOCKS to achieve something similar, but system-wise. I'll review the code soon.
Also,
|
There was a problem hiding this comment.
I'm still lgetting the panic you've mentioned on 0824ab9
thread 'florestad' panicked at /registry/src/index.crates.io-6f17d22bba15001f/ureq-3.0.11/src/tls/rustls.rs:143:9:
No CryptoProvider for Rustls. Either enable feature `rustls`, or set process
default using CryptoProvider::set_default(), or configure
TlsConfig::rustls_crypto_provider()
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Wow, I thought it was working on my side, but you are right it doesn't. The error I mentioned was that both rustls backends were set at the same time, here we get the opposite thing. We need to enable the |
This implements a simple DNS lookup over the SOCKS5 proxy, such that we don't leak that we use Bitcoin **and** utreexo to the system-configured DNS server (usually from our ISP), or any eavesdropper. We use DNS-over-HTTPS (DoH) which means the DNS query is encrypted. The proxy won't be able to read the contents of the query nor the response. If we use tor as proxy, then the exit node won't see the contents either. This is also an advantage over the system DNS lookup, as most OS don't use DoT/DoH by default, they use plaintext UDP/TCP on port 53. This simple implementation uses the `ureq` crate (similar to `reqwest` but with compatible deps MSRV) and calls the dns.google JSON API. Google will only learn the proxy IP (or tor exit node IP) but not ours. In `florestad` I had to change the proxy address parsing code a bit, such that we directly parse a IP:port.
|
Now it works! I had to configure the ureq |
What is the purpose of this pull request?
Which crates are being modified?
Description
This implements a simple DNS lookup routed through the SOCKS5 proxy, such that we don't leak that we use Bitcoin and utreexo to the system-configured DNS server (usually from our ISP), or any eavesdropper.
We use DNS-over-HTTPS (DoH) which means the DNS query is encrypted. The proxy won't be able to read the contents of the query nor the response. If we use tor as proxy, then the exit node won't see the contents either.
This is also an advantage over the system DNS lookup, as most OS don't use DoT/DoH by default, they use plaintext UDP/TCP on port 53.
This simple implementation uses the
ureqcrate (similar toreqwestbut with compatible deps MSRV) and calls the dns.google JSON API. Google will only learn the proxy IP (or tor exit node IP) but not ours.Notes to the reviewers
ureq vs other crates (click to expand)
I had first implemented this with
reqwestbut many of its dependencies require a higher rust version (1.82 or more). Then I saw theisahccrate but it doesn't seem maintained anymore. Also theminreqcrate that we already have in ourcargo.lockdoesn't support SOCKS proxies. Soureqseems the best replacement forreqwest.Unfortunately
ureqdoesn't supportsocks5h, which means the dns.google hostname is resolved locally, but we don't leak that we use Bitcoin anymore.Cargo issues
The
cargo.lockfile diff is generated bycargo +1.74.1 generate-lockfile, but that bumps the version of a dependency of criterion calledhalfto one with higher rust requirements:So I just called
cargo +1.74.1 update [email protected] --precise 2.4.1which is the same version we have been using, so no diff.Another important thing is that we need the
ureq/rustls-no-providerfeature which avoids therustls/ringfeature, or we get some runtime panics inrustls:EDIT: The reason for this error is that
rustlsallows different crypto backends, and by default it uses theaws-lc-rsone, as explained in their docs. So when we usetokio-rustlsinflorestadandfloresta-electrum, we are using this default backend. But then theureqcrate (with default features) tries to userustlswith the alternativeringbackend, creating a backend conflict that errors at runtime.In this PR we simply keep using the
aws-lc-rsbackend already imported bytokio-rustls. Another option would be to use theringone (we already have this crate in ourcargo.lockanyway).