Jump to content

Wikimedia DNS

From Meta, a Wikimedia project coordination wiki
Hostnamewikimedia-dns.org
IP address (IPv4)185.71.138.138
IP address (IPv6)2001:67c:930::1
Supported protocolsDoH and DoT
Tracked in Phabricator:
Task T252132

The short explanation: The Wikimedia wikis get blocked or users might be tracked as they edit. This is one of ways in which the Wikimedia Foundation SRE/Traffic team tries to combat those problems.

Wikimedia DNS (formerly called Wikidough), is a caching, recursive, public DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver service that is run and managed by the Site Reliability Engineering (Traffic) team at the Foundation. Wikimedia DNS helps prevent some surveillance and censorship of our wikis and other websites by securing DNS lookups.

This document outlines what the service is about, why the SRE/Traffic team is working on it, and what benefits it provides for the Wikimedia community. We welcome any discussions about this project on the talk page.

Introduction to DNS

[edit]

What is DNS?

[edit]

The Domain Name System (DNS) is the phonebook of the internet. It provides a lookup of domain names (such as wikipedia.org) to their IP addresses (208.80.154.224). Whenever you visit a resource on the internet like a website, a DNS resolver — typically run by your Internet Service Provider (ISP) — resolves the domain to an IP address and is the first step in the creation of a connection to a website. Without the IP address you won't be able to find the right website. This process happens in the background and because of the way the internet works, most people automatically connect to their ISP's DNS resolver to perform these DNS queries.

DNS is a critical part of the internet and DNS lookups happen regardless of which resource you want to access or where you access it from (mobile or phone).

DNS-based surveillance and censorship

[edit]

Even though DNS has been around for decades, a DNS query (what is the IP address of wikipedia.org?) and the response (the IP address is 208.80.154.224) are not encrypted. This is a significant privacy and security risk. An on-path observer — such as your coffee shop, ISP, or your government — can observe your DNS queries/responses and build a list of the resources you access on the internet, and perhaps worse, censor you by preventing access to content they deem unacceptable.

Since we are primarily concerned with censorship in the context of the movement, Wikipedia and other Wikimedia projects have been censored through DNS and this has been observed in various countries where we are active. DNS censorship is easy to implement, scales effectively, and also since DNS is the first step in the connection to a remote resource, most ISPs and governments use DNS censorship to prevent people from accessing content on the internet.

As an example, censoring queries for *.wikipedia.org to prevent people from accessing any language edition of Wikipedia is trivial to implement in most DNS resolver software and is a one-line change.

DNS encryption

[edit]

To solve the problem of surveillance and censorship of DNS, various DNS encryption protocols have been proposed over the years. Due to various reasons including a lack of a standard, adaptability, implementation, none of the proposed protocols have seen mass adoption until DNS-over-HTTPS was proposed and standardized in 2018. The Mozilla Firefox browser helped push adoption of DoH by enabling it by default for US users in 2020 and has since rolled this out to other countries as well.

DoH and DoT

[edit]

DNS-over-HTTPS, also called DoH, encrypts DNS by sending queries and getting responses over HTTPS, thus preventing censorship and surveillance: because an on-path observer can no longer see the queries or the responses, they cannot censor it or build a profile of the data. DoH works by sending DNS queries over a secure HTTPS channel.

DNS-over-TLS, also called DoT, is a related DNS encryption protocol offering encryption over just TLS. It hasn't seen the same rate of adoption DNS-over-HTTPS has seen for various reasons that we will discuss later. Nevertheless, we consider both of these protocols related for the purpose of this discussion and the Wikimedia DNS service, even though there are differences between them at the protocol level.

To use this new DNS encryption technology, you need a DoH- or DoT-enabled client and a resolver.

Wikimedia DNS

[edit]

Wikimedia DNS is a public DNS-over-HTTPS and DNS-over-TLS resolver service. For users who wish to secure their DNS lookups to prevent surveillance or to circumvent DNS-based censorship, Wikimedia DNS helps protect your DNS queries/responses by providing encryption of the same. For a user securing their DNS lookups via Wikimedia DNS, all that an on-path observer or a censor can see is a connection to the Wikimedia DNS service but not the content of the DNS queries or responses.

History of Wikimedia DNS

[edit]

The SRE/Traffic team in the Wikimedia Foundation is tasked with running the Wikimedia proxy servers and data centers. We are also interested in understanding where and how our websites are censored on a technical level. HTTPS makes it impossible for censors to block access to specific articles, thus forcing them to choose between blocking nothing or the entire website. We are not concerned with censorship of the content of the articles — even though that's related — but rather the website/ecosystem as a whole.

In studying and researching censorship of Foundation websites, we discovered that the most common form of this censorship was through filtering the DNS. The idea of running a secure, encrypted DNS service thus stemmed from those observations. The annual plan for FY 2022–23, under its goal for Safety and Inclusion, talks about "Implement technical improvements to strengthen security and privacy of volunteers on-wiki, protect against surveillance, and enhance the communities' ability to effectively govern themselves and address disinformation and human rights risks." You can follow the task on Phabricator.

Wikimedia DNS FAQ

[edit]

Why is Wikimedia running this service?

[edit]

We cannot recommend external resolver services such as those run by Google, Cloudflare, Quad9, among others, for a variety of reasons. We have no control over how these services are run or what private data is logged. Even though most of these services have explicit privacy policies, they do log some data and we have no control or insight into that.

Furthermore, some of these services use content filtering. Cloudflare's DNS service for families has been caught blocking LGBTQ content. Other services indulge in various forms of content filtering as well.

The SRE team is well poised to run such a service and can provide a reliable alternative to secure DNS resolver services run by for-profit corporations.

Does this project solve all internet censorship issues?

[edit]

No. While DNS protocols such as DoH and DoT encrypt DNS queries between your client (like Firefox) and a resolver (Wikimedia DNS), an on-path observer (such as your ISP/government) can still identify which websites you are connecting to through the SNI field in the ClientHello message (currently unencrypted) or the IP address of the website. Nevertheless, given that DNS-based censorship and surveillance is often the easiest to implement, securing your DNS is a good first step towards improving your privacy and resisting censorship.

The Encrypted Client Hello extension (ECH; formerly called Encrypted SNI) to TLSv1.3 encrypts the SNI field and because of how it works, ECH requires encrypted DNS to be effective. Coupled together and once properly deployed, these two technologies will help address long-standing issues with privacy of users on the internet. While this doesn't solve all our issues, we also need encrypted DNS for future work against surveillance and censorship to be effective.

Can't a censor just block this as well?

[edit]

Yes, a censor can just block Wikimedia DNS. But we believe that coupling encrypted DNS with Encrypted Client Hello (that depends on encrypted DNS) is going to make the blocking of websites more difficult, thus helping minimize the possibility of blocking Wikimedia DNS because censors will no longer be able to see the SNI for it. Additionally, most censors don't typically block DNS resolvers, as observed by the prevalence and usage of 1.1.1.1 and 8.8.8.8.

Wikimedia DNS is not a complete solution to all censorship issues. It is just one part of our strategy in fighting against censorship and while it might not help protect all users everywhere, it will help secure DNS lookups for the vast majority of them and help lay the foundation for upcoming protocols.

Can you explain the ECH and Client Hello part a bit more?

[edit]

Let's assume you want to connect to en.wikipedia.org. The first step is the DNS resolution, so a DNS resolver will give you back the IP address of en.wiki for you to create a connection to it. The next stage in that process is that when you want to connect to the IP address, you have to specify the server name indication or the SNI as well, which in this case is en.wikipedia.org. This SNI field, like DNS, has been unencrypted so far and a censor that has the capabilities to inspect your traffic can see that you are connecting to en.wiki and prevent you from making that connection.

SNI-based censorship is the most common form of restricting access to websites (not just ours) after DNS, the difference being that it requires more resources in the form of specialized blocking equipment that does deep-packet inspection on the traffic so not every censor is motivated to pursue it or has the equipment to be able to do so.

Encrypted Client Hello (formerly called Encrypted Server Name Indication or ESNI), encrypts this SNI field, preventing a censor from blocking traffic based on the SNI field. ECH depends on encrypted DNS to be effective as the key distribution for ECH happens over DNS HTTPS resource records. In the absence of encrypted DNS, a censor could simply filter or poison the DNS result, making ECH ineffective. The Firefox browser for example will not enable ECH if encrypted DNS is also not enabled.

Thus the work on Wikimedia DNS not only secures DNS but also lays the foundation for future implementations of internet security protocols such as ECH.

Do I need to install some extra software to use this?

[edit]

All major desktop and mobile operating systems and browsers support either DoH or DoT in 2023. Users will need to point their browser/OS to Wikimedia DNS but no extra software is required.

There are no discovery mechanisms for DoH and DoT yet, so the configuration is still manual; the hostname or IP address of the service is all that is required for someone to use the service.

If you don't want to use Wikimedia DNS nothing will change for you.

What do I need to use this?

[edit]
  1. A client that supports DoH or DoT. You can find a list here.
  2. The URL of the service (https://wikimedia-dns.org/dns-query) or the IP address, IPv4: 185.71.138.138 or IPv6: 2001:67c:930::1.
  3. Or the DNS Stamp: sdns://AgcAAAAAAAAADjE4NS43MS4xMzguMTM4ABF3aWtpbWVkaWEtZG5zLm9yZwovZG5zLXF1ZXJ5 (to reach over IPv4) or sdns://AgcAAAAAAAAAEVsyMDAxOjY3Yzo5MzA6OjFdABF3aWtpbWVkaWEtZG5zLm9yZwovZG5zLXF1ZXJ5 (to reach over IPv6).

Is this a VPN?

[edit]

No. Using Wikimedia DNS does not relay the contents of the communication and does not change the IP address of a user. It only secures the metadata, which in this case is the DNS lookup.

Why not run a VPN service instead?

[edit]

Running a VPN service requires a lot more resources and carries with a lot more liability, as we would be relaying the contents of the transmission as well, not just the metadata.

There are also usability and accessibility issues with VPNs. Those who know what VPNs are and can configure them will use them whereas most other users won't be able to do that. Thus if we are offering a censorship circumvention tool, it should work for everyone and while we are not there with DoH or DoT yet, those protocols are more standardized and easier to use than setting up and running a VPN client.

Will this affect IP masking or any other vandalism-fighting tools?

[edit]

No. Wikimedia DNS does not affect those in any way. Checkusers, stewards and others will still have access to the same information about editors if they use Wikimedia DNS as if they are not.

Does this require a username/password or some other form of authentication?

[edit]

No, just the hostname or the IP address. This is a public service and can be used by anyone.

Can this be restricted to just the Wikimedia community?

[edit]

No. We have no technical way of restricting access to the service. Anyone with the hostname/IP address can use it.

Does this enable bad actors on the internet to secure their DNS lookups?

[edit]

Yes, Wikimedia DNS, just like another DNS service (and even the one run by your ISP), can allow bad actors to perform DNS resolution and to secure their DNS lookups. Note that Wikimedia DNS just provides the metadata for the communication (the phone number) but it is not involved in the actual communication itself (the phone call). Thus the utility Wikimedia DNS provides to bad actors is quite limited when they have better tools available to secure the contents of the communication itself, such as the many free and commercial VPN services or other proxies.

Wikimedia DNS is an alternative to already available commercial DNS providers and is not the only such service. Most people will still use Google and Cloudflare to secure their DNS lookups because these services will be much faster than ours because of the scale at which they operate.

I have configured the service. How do I make sure that I am using it?

[edit]

Once you have set up Wikimedia DNS, you can visit https://check.wikimedia-dns.org/ to confirm that your DNS queries are going over Wikimedia DNS and not your local/ISP's resolver.

You can also directly access the API from the command line: curl https://${RANDOM}.check.wikimedia-dns.org/check.

DoH vs DoT. Which one should I use?

[edit]

Wikimedia DNS supports DoH on TCP/443 and DoT on TCP/853. Users can select either protocol to secure their DNS as both DoH and DoT share the same privacy and security guarantees within Wikimedia DNS, but users are reminded to be mindful of the differences between the protocols themselves.

  • DoH running on port 443 makes it harder for it to be blocked as censors would have to block potentially all HTTPS traffic. DoT runs on a dedicated port, 853, thus making it easier to block.
  • Typically, DoH support is in the browser (thus securing DNS lookups only from within that browser), while DoT lookups happen at the OS level, for all applications. DoT might be more preferable in that sense unless censorship is an issue.

Instructions

[edit]

To get started with using Wikimedia DNS, please see the detailed Wikimedia_DNS/Instructions page.

Privacy policy

[edit]

Wikimedia DNS is still being beta-tested and evaluated both internally and with our community. As such, there are no guarantees of the reliability or future availability of the service, and there is no formal privacy policy published yet. That said, our current configuration (visible here: dnsdist.conf.erb and recursor.conf.erb) does not currently log anything.

We currently intend, in broad strokes, to adhere to the Foundation's long-standing values around privacy-related issues, as well as to Mozilla's TRR policy, when and if this service is more-formally launched in the future.

Technical details

[edit]

You can find a more exhaustive list of technical features on the Wikitech page but here is a summary:

  • This is an anycasted service, running on all six of our data centers. You should in most cases connect to the data center nearest you, even when you configure it with the IP address.
  • Wikimedia DNS supports strong encryption: TLSv1.3 and TLSv1.2 (AEAD ciphers only) for DoH, and TLSv1.3 for DoT. For mobile clients (or clients that otherwise prioritize it), Wikimedia DNS prioritizes ChaCha20-Poly1305.
  • This is meant to be a secure DNS service and we don't support unencrypted DNS over either UDP or TCP and have no plans to do so.
  • IPv6 is fully supported.

Source code

[edit]

The deployment of Wikimedia DNS corresponds to the source code in our Puppet repository. The dnsdist module covers setting up and configuring a dnsdist instance, the dnsrecursor module does the same for a PowerDNS Recursor instance, and both of these are called by the Wikidough (codename) role and profile and customized with the configuration data from wikidough.yaml.

The configuration files for dnsdist can be found at dnsdist.conf.erb and for PowerDNS Recursor at recursor.conf.erb.

Current deployment

[edit]

Wikimedia DNS is currently deployed on all six data centers, running on two ECMP load-balanced Ganeti virtual machines (for a total of 12 VMs). There are an additional twelve VMs for the check service (check.wikimedia-dns.org) above.

Contact

[edit]

The Wikimedia DNS project is by the SRE/Traffic team. We welcome questions, comments and discussions about the project on the Talk page.

For technical discussions about the project, please join our IRC channel: #wikimedia-traffic on Libera Chat. The email contact for the team is wikimedia-dns@wikimedia.org.