Implemented from the RFC 1035 DNS wire protocol
TODO clean up readme
Notes to self: DNS:
- The phone book of the internet
- "example.com" is the name, IP address is the phone number to actually connect to it
- think Map<Name, IP>
DNS resolution process:
- type "example.com" into browser
- browser asks OS "what is the IP address for example.com?" so it can actually connect
- OS passes this question to a DNS RESOLVER, typically provided by ISP
- RESOLVER checks its cache; if it doesn't know, it goes out and asks, in order:
- Root DNS servers | "Who is in charge of .com?"
- TLD server | "Who handles example.com?"
- Authoritative server for example.com | "Here's the IP you wanted"
- IP address gets passed back up the chain:
- RESOLVER gives it to OS
- OS gives it to browser
- browser goes to that IP
Problem:
- By default DNS queries are sent unencrypted over TCP/UDP (typically to port 53)
- Since unencrypted/plaintext:
- Eavesdroppers can view traffic (ISP, anyone on the network)
- Manipulators can intercept & modify response
DOH solution:
- Use this server instead of default DNS resolver
- Encrypt and send all DNS queries over HTTPS instead of plaintext TCP/UDP port 53
- Decrypt response from DNS provider like cloudflare/google, and return IP addr to browser
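As an added example (not the project's own code), here is a minimal RFC 1035 wire-format encoder/parser of the kind the server needs at both ends of the DoH hop: building the query bytes to send upstream, and decoding the answer before handing the IP back to the browser. The sample response bytes are constructed, with an illustrative address and TTL; the compression-pointer hop cap is there because a crafted response can otherwise make a naive parser loop forever.

```python
import struct
# Constructed sample (not captured traffic): the RFC 1035 wire-format response an
# upstream resolver returns for "example.com A"; illustrative IP and TTL of 300s.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"                 # header: id, flags QR/RD/RA, counts
    "07 6578616d706c65 03 636f6d 00 0001 0001"      # question: example.com, type A, IN
    "c00c 0001 0001 0000012c 0004 5db8d822"         # answer: ptr->12, A, IN, TTL, len, IP
)

def build_query(name, txid, qtype=1, qclass=1):
    """Encode a standard recursive query (flags RD=1) for name in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def read_name(msg, off, hops=0):
    """Decode a possibly compressed name -> (name, offset after it); pointer hops are capped."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 s4.1.4)
            if hops > 8:                            # crafted pointer loops must not hang the parser
                raise ValueError("too many compression pointers")
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, target, hops + 1)
            return ".".join(labels + [tail]), off + 2
        if length == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += length + 1

def parse_response(msg):
    """Parse header, question and answer sections; A rdata is rendered dotted-quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}
```

`build_query("example.com", 0x1234)` is the body you would POST upstream as `application/dns-message`; `parse_response` is the step that turns the upstream bytes back into the IP the browser asked for.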
Optional add-ons to consider adding:
- Logging :: save/timestamp requests (could save in sqlite)
- Filtering :: child-filter / block ads etc
- Visuals :: webview or tui (like HTOP) to view requests live with charts etc