HTTPS-DNS (English)
This page was made to start the project. The project's own website is under way. We are looking for software developers, web designers or translators who can invest some time in the realisation of the idea. Contact: https://www.awxcnx.de/HTTPSDNS.msg
Offensive Scenario
It is possible that the censoring providers block DNS traffic to alternative servers or redirect it to their own compromised ones. Possibly this offensive scenario is already planned. The DSL providers T-Online and Vodafone need six months to implement, together with the BKA, the guidelines of the censorship agreements. Heise.de reports:
Because the compromise of the DNS system is already under way and the two providers do not operate hundreds of DNS servers, we ask ourselves which servers besides the DNS servers still have to be manipulated and tested.
Until now the BKA has denied access to the contract under the Freedom of Information Act, arguing that the contract is protected as intellectual property and that publishing its content would endanger public policy.
Even though the current, voluntary contract does not provide for any such procedures, we reckon that they could be established at short notice. The law to combat "child pornography in communication networks" is formulated as technically open: it stipulates that DSL providers must take all measures necessary for an effective blocking of websites that the BKA places, without judicial review, on a restricted list. A simple manipulation of DNS servers, which can be circumvented in 27 seconds with the help of hundreds of instructions found on the web, is certainly not an effective blocking in the legal sense.
(Note: we do not regard an at least quarterly, random check of the restricted list by a toothless panel as a check in accordance with the rule of law that assures the separation of powers a democracy requires.)
Defense Strategy
DNS traffic is tunneled through an HTTPS-encrypted connection to uncensored DNS servers. A large-scale compromise of HTTPS encryption is certainly not enforceable: the entire commercial use of the internet would be affected.
The service can only be blocked by blocking the entire offering of the HTTPS servers. Given the legal situation, there should be no legal basis for that as long as the content of the web offering does not violate the law of the land.
The intention of the project is simply to offer uncensored and fast resolution of DNS names. Unlike an anonymisation service, there is no encryption of contents. The project is intended as a low-threshold complement to anonymisation services, not as competition.
Software for Clients
So far there is no HTTPS-DNS daemon for clients available. We are working on it.
- Linux: in preparation
- MacOS: will be based on the Linux version
- WINDOWS: we are looking for software engineers!
At the moment it is only possible to query the three available webservers via a web browser. The query can be made with the IP address of the webserver (this is how the HTTPS-DNS clients will do it in future) or with the URL of the webserver, to avoid SSL certificate errors. It is possible to ask for the IP address or the MX (mail exchange).
Query of the IP address of the host domain.tld:
https://privacybox.de/cgi-bin/dns.pl/?query=domain.tld
https://scusiblog.org/cgi-bin/dns.pl/?query=domain.tld
https://www.awxcnx.de/cgi-bin/dns.pl/?query=domain.tld
To query the MX of domain.tld, the parameter "record=MX" has to be given additionally:
https://privacybox.de/cgi-bin/dns.pl/?record=MX&query=domain.tld
https://scusiblog.org/cgi-bin/dns.pl/?record=MX&query=domain.tld
https://www.awxcnx.de/cgi-bin/dns.pl/?record=MX&query=domain.tld
Software for Servers
Our intention is to use available, mature software, to which only a small component has to be added.
Requirements for a HTTPS-DNS-Server:
- The server has to assure an uncensored resolution of DNS names.
- A webserver that supports HTTPS and CGI scripts is required.
- The first alpha version is a simple Perl CGI script. The Perl modules CGI, Data::Validate::Domain and Net::DNS are required.
Once such a server is available, you only need the following little script:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use Net::DNS;
use Data::Validate::Domain;

my $cgi            = CGI->new;
my $host_suspect   = $cgi->param('query');
my $record_suspect = $cgi->param('record');

# untaint the hostname: is_hostname returns the validated name or undef
my %options   = ( domain_allow_underscore => 1 );
my $vali_host = Data::Validate::Domain->new(%options);
my $host      = defined($host_suspect) ? $vali_host->is_hostname($host_suspect) : undef;

# untaint the DNS record type: only A and MX are allowed, the default is A
my $record = 'A';
if ( defined($record_suspect) && $record_suspect =~ /^(A|MX)$/ ) {
    $record = $1;
}

# send the HTML header
print "Content-type: text/html\n\n";
print '<html><head><title>answer</title></head><body>', "\n";

# perform the DNS lookup
if ( defined($host) ) {
    my $res   = Net::DNS::Resolver->new;
    my $reply = $res->search( $host, $record );
    if ($reply) {
        foreach my $rr ( $reply->answer ) {
            # the answer section may also carry CNAME records; print only the requested type
            next unless $rr->type eq $record;
            if ( $record eq 'A' ) {
                print $rr->type, ':', $rr->address, "<br>\n";
            }
            else {
                print $record, ':', $rr->exchange, "<br>\n";
            }
        }
    }
    else {
        print "query failed: ", $res->errorstring, "\n";
    }
}
else {
    print "query failed: wrong hostname\n";
}

# print the HTML footer
print '</body></html>';
So far the script makes it possible to query the IP address and the MX of a domain.
The HTTPS-DNS-protocol
In the first alpha version we use the following data structures:
1: The query to the HTTPS-DNS server is sent as an HTTPS GET request.
https://www.server.tld/cgi-bin/dns.pl?query=example.com
2: The answer is a simple HTML page that lists the A records or MX records of the domain.
<html><head><title>answer</title></head><body>
A:123.123.123.123
A:234.234.234.234
</body></html>
In the future we will probably switch to an XML structure.
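The client side of the alpha protocol above (the GET request with the "query" and "record" parameters described in the client section, and the HTML answer described here) is illustrated by the following Python example. It is added here and is not the project's client code; the project's daemon does not exist yet, and the function names, the hostname regex and the sample answers are constructed for this illustration. It goes one step beyond the page: a client should treat the HTTPS-DNS server as a trusted but fallible source and validate every returned value against the record type it asked for (an A answer must be an IPv4 address, an MX answer must be a hostname) before handing it to an application.

```python
"""HTTPS-DNS alpha protocol, client side (added example, not the project's own code)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Record types the server script accepts; anything else is answered as an A query.
ALLOWED_RECORDS = ("A", "MX")

# Hostname rule used for the outgoing query and for MX answers: labels of letters,
# digits, hyphen and underscore (the server allows underscores), joined by dots.
# Assumption: this is strict enough for a client; it is not the server's validator.
_LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def build_query_url(server_base, name, record="A"):
    """Build the GET URL of the alpha protocol, for example
    https://www.server.tld/cgi-bin/dns.pl?query=example.com
    The name is checked before it is sent, the record type is restricted to what
    the server accepts, and all values are URL-encoded."""
    if record not in ALLOWED_RECORDS:
        raise ValueError(f"unsupported record type: {record!r}")
    if len(name) > 253 or not _HOSTNAME_RE.match(name):
        raise ValueError(f"not a valid hostname: {name!r}")
    params = {}
    if record != "A":
        params["record"] = record          # same parameter order as on the page
    params["query"] = name
    return urljoin(server_base, "cgi-bin/dns.pl") + "?" + urlencode(params)


class _AnswerParser(HTMLParser):
    """Collect the text lines inside <body> of the server's HTML answer.
    Lines are separated by <br> tags and/or newlines, as the server prints them."""

    def __init__(self):
        super().__init__()
        self._in_body = False
        self._buf = ""
        self.lines = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True
        elif tag == "br" and self._in_body:
            self._flush()

    def handle_endtag(self, tag):
        if tag == "body":
            self._flush()
            self._in_body = False

    def handle_data(self, data):
        if self._in_body:
            self._buf += data

    def _flush(self):
        for part in self._buf.split("\n"):
            if part.strip():
                self.lines.append(part.strip())
        self._buf = ""


def parse_answer(html, record="A"):
    """Parse the HTML answer into a list of record values.
    Every value is validated against the requested type before it is accepted.
    Raises LookupError when the server reports a failed query and ValueError
    when the answer contains anything that does not look like the requested record."""
    parser = _AnswerParser()
    parser.feed(html)
    parser.close()
    results = []
    for line in parser.lines:
        if line.startswith("query failed"):
            raise LookupError(line)
        typ, sep, value = line.partition(":")
        if not sep or typ != record:
            raise ValueError(f"unexpected line in answer: {line!r}")
        if record == "A":
            results.append(str(ipaddress.IPv4Address(value)))   # raises on garbage
        else:
            if not _HOSTNAME_RE.match(value):
                raise ValueError(f"MX value is not a hostname: {value!r}")
            results.append(value.rstrip("."))
    return results


# Constructed sample answers in the shape shown in the protocol description (not real data).
SAMPLE_A_ANSWER = (
    "<html><head><title>answer</title></head><body>\n"
    "A:123.123.123.123<br>\nA:234.234.234.234<br>\n</body></html>"
)
SAMPLE_MX_ANSWER = (
    "<html><head><title>answer</title></head><body>\nMX:mail.example.com.<br>\n</body></html>"
)
SAMPLE_FAILED_ANSWER = (
    "<html><head><title>answer</title></head><body>\nquery failed: wrong hostname\n</body></html>"
)

if __name__ == "__main__":
    print(build_query_url("https://www.server.tld/", "example.com", "MX"))
    print(parse_answer(SAMPLE_A_ANSWER))
```

The HTTPS fetch itself is left out so the example runs offline; a real client would fetch the URL with certificate verification switched on, which is exactly why the page recommends the server's URL rather than its bare IP address. Because the response is parsed as text and each value is re-checked, a server that returns a malformed or unexpected line causes an error instead of a bogus address being used.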