Wikimedia DNS
Wikimedia DNS (formerly called Wikidough) is a caching, recursive DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver service.
This page is intended to be a technical introduction and discussion of the project. For a more general introduction and why we are working on Wikimedia DNS, please see the page on Meta-Wiki.
A Note About Encrypted DNS
Please note that while DNS protocols such as DoH and DoT encrypt DNS queries between your client (like Firefox) and a resolver (Wikimedia DNS), an on-path observer (such as your ISP) can still identify which websites you are connecting to through the SNI field in the ClientHello message (currently unencrypted) or the IP address of the website. Nevertheless, given that DNS-based censorship and surveillance are often the easiest to implement, securing your DNS is a good first step towards improving your privacy. The Encrypted Client Hello extension (ECH; formerly called Encrypted SNI) to TLSv1.3 encrypts the SNI field and, because of how it works, ECH requires encrypted DNS to be effective. Coupled together and once properly deployed, these two technologies will help address long-standing issues with the privacy of users on the internet.
Design
Wikimedia DNS has two primary components: a dnsdist frontend and a PowerDNS Recursor backend. The choice of two separate components in Wikimedia DNS is intentional and stems from the lack of support for newer encrypted DNS protocols such as DoH and DoT in most recursive resolver software (including PowerDNS Recursor), which only accepts queries from users over traditional unencrypted DNS (UDP/53).
Thus dnsdist provides the frontends for DoH and DoT and performs TLS termination, while the actual DNS lookups are performed by PowerDNS Recursor. Both of these components are running on the same host; dnsdist accepts queries from users (listening on 0.0.0.0/0 and ::/0) and sends them to a local PowerDNS Recursor instance (listening on 127.0.0.1).
Features
Encrypted DNS
Wikimedia DNS supports DoH on TCP/443 and DoT on TCP/853. Users can select either protocol to secure their DNS as both DoH and DoT share the same privacy and security guarantees within Wikimedia DNS, but users are reminded to be mindful of the differences between the protocols themselves.
Wikimedia DNS does not and has no plans to support unencrypted DNS over UDP/53 or TCP/53.
Modern TLS Protocols
Wikimedia DNS supports TLSv1.3 for DoH, and TLSv1.2 (AEAD ciphers only) and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikimedia DNS prioritizes ChaCha20-Poly1305.
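An added, illustrative dnsdist configuration for the Design, Encrypted DNS and Modern TLS Protocols sections above (this is not Wikimedia's dnsdist.conf.erb): DoH on TCP/443 with TLSv1.3 only, DoT on TCP/853 with TLSv1.2 (AEAD ciphers only) and TLSv1.3, no plain-DNS listener, and all queries forwarded to a PowerDNS Recursor on loopback. The certificate paths and the recursor's port 53 are assumptions.

```lua
-- Backend: the PowerDNS Recursor instance on the same host, reachable only
-- on loopback. Port 53 is an assumption for this example.
newServer({address = "127.0.0.1:53", name = "recursor"})

-- TLS 1.2 cipher list restricted to AEAD suites (GCM and ChaCha20-Poly1305);
-- ChaCha20-Poly1305 is included so clients that prefer it can negotiate it.
local aeadCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:" ..
                    "ECDHE-ECDSA-AES256-GCM-SHA384:" ..
                    "ECDHE-ECDSA-CHACHA20-POLY1305:" ..
                    "ECDHE-RSA-AES128-GCM-SHA256:" ..
                    "ECDHE-RSA-AES256-GCM-SHA384:" ..
                    "ECDHE-RSA-CHACHA20-POLY1305"
local tls13Ciphers = "TLS_AES_256_GCM_SHA384:" ..
                     "TLS_CHACHA20_POLY1305_SHA256:" ..
                     "TLS_AES_128_GCM_SHA256"

-- Placeholder certificate and key paths (assumed, not the production ones).
local cert = "/etc/dnsdist/tls/fullchain.pem"
local key  = "/etc/dnsdist/tls/privkey.pem"

-- DoH frontend on TCP/443 for IPv4 and IPv6, TLSv1.3 only, RFC 8484 path.
for _, addr in ipairs({"0.0.0.0:443", "[::]:443"}) do
  addDOHLocal(addr, cert, key, {"/dns-query"}, {
    minTLSVersion = "tls1.3",
    ciphersTLS13  = tls13Ciphers,
    reusePort     = true,
  })
end

-- DoT frontend on TCP/853 for IPv4 and IPv6: TLSv1.2 with AEAD suites
-- only, plus TLSv1.3.
for _, addr in ipairs({"0.0.0.0:853", "[::]:853"}) do
  addTLSLocal(addr, cert, key, {
    minTLSVersion = "tls1.2",
    ciphers       = aeadCiphers,
    ciphersTLS13  = tls13Ciphers,
    reusePort     = true,
  })
end

-- Deliberately no addLocal()/setLocal() call: dnsdist is given no plain
-- UDP/53 or TCP/53 listener, so only the encrypted frontends are exposed.
```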
[ Test for DoH | Test for DoT ]
No EDNS Client Subnet*
To preserve the privacy of clients and their IP addresses, Wikimedia DNS does not support the EDNS-Client-Subnet extension, except, and only, for queries to Wikimedia's authoritative nameservers [*]. This means that Wikimedia DNS shares the client IP address only with DNS servers that are run and operated by the Wikimedia Foundation; this is required for gdnsd's GeoIP plugin to function correctly and route users to their closest Wikimedia data center.
EDNS-Client-Subnet is not enabled for queries destined for any other name servers.
[ Test to verify ECS is disabled | Test to verify ECS is enabled for queries to Wikimedia's DNS servers ]
Query Name Minimisation
Wikimedia DNS supports query name minimisation, which increases the privacy of user queries by not sending the full query name to authoritative nameservers. For example, when you look up en.m.wikipedia.org with Wikimedia DNS, query name minimisation means that Wikimedia DNS only reveals wikipedia.org to the .org nameserver and not the en.m labels.
[ Test to verify qname minimisation is enabled ]
DNSSEC
Wikimedia DNS is a DNSSEC-validating resolver. Wikimedia DNS will always perform validation of queries regardless of the client's intention to validate and will respond with SERVFAIL in case of a bogus response.
[ Test to verify DNSSEC is enabled and validated ]
IPv6 Support
Wikimedia DNS supports IPv6 for both its DoH and DoT frontends.
EDNS(0) Padding
Wikimedia DNS currently does not support EDNS(0) Padding as described in RFC 7830, but support for it is upcoming.
Deployment
Wikimedia DNS is currently deployed as an anycasted service on all our PoPs.
Our current deployment of Wikimedia DNS runs dnsdist 1.8.0 and PowerDNS Recursor 4.8.4. The dnsdist package is backported from Debian sid and is available at apt.wikimedia.org.
Source Code
The deployment of Wikidough corresponds to the source code in our Puppet repository. The dnsdist module covers setting up and configuring a dnsdist instance, the dnsrecursor module does the same for a PowerDNS Recursor instance, and both of these are called by the Wikidough role and profile and customized with the configuration data from wikidough.yaml.
The configuration files for dnsdist can be found at dnsdist.conf.erb and for PowerDNS Recursor at recursor.conf.erb.
Testing
knead-wikidough is a test suite for the production testing of Wikimedia DNS. It helps validate the existing deployment of Wikimedia DNS by testing its TLS and DNS settings and the interaction of the dnsdist and PowerDNS Recursor components.
Check Service
durum is the check service for Wikimedia DNS.
To ensure that you have correctly configured and are using Wikimedia DNS, please visit the Wikimedia DNS check page at check.wikimedia-dns.org.
Technical Notes
- Troubleshooting: blocking IP addresses, rate-limiting.
- Administration: adding a new Wikimedia DNS host.
- Monitoring: details about Icinga checks.