
Wikimedia DNS

From Meta, a Wikimedia project coordination wiki
Hostname: wikimedia-dns.org
IP address (IPv4): 185.71.138.138
IP address (IPv6): 2001:67c:930::1
Supported protocols: DoH, DoT
Tracked in Phabricator:
Task T252132

In brief: Wikimedia's wikis get blocked, and users can be tracked while they edit. This is one attempt by the Wikimedia Foundation SRE/Traffic team to address those problems.

Wikimedia DNS (formerly known as Wikidough) is a caching, recursive, public DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver run by the Foundation's Site Reliability Engineering (Traffic) team. By protecting DNS queries, Wikimedia DNS helps prevent surveillance and censorship of our wikis.

This document explains what the service is, why the SRE/Traffic team runs it, and the benefits it can bring to the Wikimedia community. We welcome any discussion of this project on the talk page.

An introduction to DNS

What is DNS?

The Domain Name System (DNS) is the phonebook of the internet. It provides a lookup of domain names (such as wikipedia.org) to their IP addresses (208.80.154.224). Whenever you visit a resource on the internet like a website, a DNS resolver — typically run by your Internet Service Provider (ISP) — resolves the domain to an IP address and is the first step in the creation of a connection to a website. Without the IP address you won't be able to find the right website. This process happens in the background and because of the way the internet works, most people automatically connect to their ISP's DNS resolver to perform these DNS queries.

DNS is a critical component of the internet: whatever resource you want to reach and wherever you reach it from (a mobile device or phone included), a DNS query takes place.

DNS-based surveillance and censorship

Although the Domain Name System (DNS) has existed for decades, a DNS query ("what is the IP address of wikipedia.org?") and its response ("the IP address is 208.80.154.224") are not encrypted. This is a serious privacy and security risk. An on-path observer, such as the coffee shop you are sitting in, your ISP or your government, can watch your DNS queries and responses and build a list of the internet resources you visit; worse, they can censor you by blocking access to content they deem unacceptable.

Since our main concern is censorship in the context of the movement: Wikipedia and the other Wikimedia projects have been censored through DNS, as observed in several of the countries where we operate. DNS censorship is easy to implement and scales well, and because DNS is the first step in connecting to a remote resource, most ISPs and governments use DNS censorship to stop people from reaching content on the internet.

For example, censoring queries for *.wikipedia.org to stop people from reaching any language edition of Wikipedia is trivial to implement in most DNS resolver software and takes a single line of configuration.

DNS encryption

To solve the problem of DNS surveillance and censorship, various DNS encryption protocols have been proposed over the years. For several reasons, including the lack of a standard, poor adaptability and limited implementations, none of them saw mass adoption until DNS-over-HTTPS was proposed and standardized in 2018. The Mozilla Firefox browser helped push adoption of DoH by enabling it by default for US users in 2020 and has since rolled it out to other countries as well.

DoH and DoT

DNS-over-HTTPS, also called DoH, encrypts DNS by sending queries and receiving responses over HTTPS. Because an on-path observer can no longer see the queries or the responses, they can neither censor based on them nor build a profile from them.

DNS-over-TLS, also called DoT, is a related DNS encryption protocol that carries DNS directly over TLS, without the HTTP layer. It has not seen the same rate of adoption as DNS-over-HTTPS, for reasons discussed later. Nevertheless, for the purpose of this discussion and the Wikimedia DNS service we consider both protocols together, even though they differ at the protocol level.

To use these DNS encryption technologies you need both a client and a resolver that support DoH or DoT.
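The following is an added example in Python; it is not code from this page or from the Wikimedia DNS service itself. It makes the two points above concrete: first, what an on-path observer reads out of a plaintext DNS query (the surveillance and censorship problem described in the previous section), and second, how the very same wire-format message is carried by DoH (an RFC 8484 GET request against the service's https://wikimedia-dns.org/dns-query endpoint) and by DoT (the RFC 7858 length-prefixed framing inside TLS on port 853), which is where the two protocols differ. The response bytes are constructed inline, answering with the 208.80.154.224 address quoted above, so that it runs offline.

```python
# Added example (not the Wikimedia DNS page's or the service's own code).
# The same "A wikipedia.org?" query as (1) the plaintext UDP payload an on-path
# observer can read, (2) an RFC 8484 DoH GET request, (3) an RFC 7858 DoT frame.
import base64
import struct

DOH_URL = "https://wikimedia-dns.org/dns-query"   # endpoint from the page


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). txid=0 is what RFC 8484 recommends
    for GET requests so that HTTP caches see identical requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def parse_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def observe_qname(udp_payload: bytes) -> str:
    """What a plaintext Do53 observer (ISP, hotspot, censor) sees: the question name."""
    return parse_name(udp_payload, 12)[0]


def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """Client side of DoH GET: base64url without padding in the dns= parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_decode_param(param: str) -> bytes:
    """Server side of DoH GET: restore padding and recover the wire-format query."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def dot_frame(query: bytes) -> bytes:
    """DoT reuses the RFC 1035 TCP framing (2-byte big-endian length) inside TLS on port 853."""
    return struct.pack("!H", len(query)) + query


def parse_a_records(resp: bytes) -> list[str]:
    """IPv4 addresses from the answer section of a wire-format response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):                       # skip the question section
        _, off = parse_name(resp, off)
        off += 4                                   # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = parse_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs


# Constructed response (not captured from the service): answers wikipedia.org
# with 208.80.154.224, the address the page quotes, TTL 300, owner name compressed.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)        # QR=1, RD=1, RA=1, NOERROR
    + b"\x09wikipedia\x03org\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([208, 80, 154, 224])
)

if __name__ == "__main__":
    q = build_query("wikipedia.org")
    print("plaintext observer reads:", observe_qname(q))
    print("DoH GET:", doh_get_url(q))
    print("DoT frame:", dot_frame(q).hex())
    print("answer:", parse_a_records(SAMPLE_RESPONSE))
```

Run stand-alone, the script prints the question name an observer would extract from the unencrypted payload, then the DoH URL and the DoT frame that carry the identical bytes; under TLS only the connection to the resolver is visible, not the `dns=` parameter or the framed message.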

Wikimedia DNS

Wikimedia DNS is a public DNS-over-HTTPS and DNS-over-TLS resolver service. For users who wish to secure their DNS lookups to prevent surveillance or to circumvent DNS-based censorship, Wikimedia DNS protects DNS queries and responses by encrypting them. For a user who secures their DNS lookups via Wikimedia DNS, all an on-path observer or censor can see is a connection to the Wikimedia DNS service, not the content of the DNS queries or responses.

History of Wikimedia DNS

The SRE/Traffic team in the Wikimedia Foundation is tasked with running the Wikimedia proxy servers and data centers. We are also interested in understanding where and how our websites are censored on a technical level. HTTPS makes it impossible for censors to block access to specific articles, thus forcing them to choose between blocking nothing or the entire website. We are not concerned with censorship of the content of the articles — even though that's related — but rather the website/ecosystem as a whole.

In studying and researching censorship of Foundation websites, we discovered that the most common form of this censorship was through filtering the DNS. The idea of running a secure, encrypted DNS service thus stemmed from those observations. The annual plan for FY 2022–23, under its goal for Safety and Inclusion, talks about "Implement technical improvements to strengthen security and privacy of volunteers on-wiki, protect against surveillance, and enhance the communities' ability to effectively govern themselves and address disinformation and human rights risks." You can follow the task on Phabricator.

Wikimedia DNS FAQ

Why does Wikimedia run this service?

For several reasons, we do not recommend using external resolver services such as those run by Google, Cloudflare, Quad9 and others. We have no control over how those services are run or what private data they log. Even though most of them have explicit privacy policies, they do log some data, over which we have neither control nor visibility.

In addition, some of them do content filtering. Cloudflare's family DNS service was previously found to block LGBTQ content, and others do some amount of content filtering as well.

The Site Reliability Engineering (SRE) team is well placed to run a service of this kind, and it can offer a reliable alternative to the secure DNS resolver services operated by for-profit companies.

Does this project solve all internet censorship problems?

No. Although protocols such as DoH and DoT encrypt the queries between your client (say, Firefox) and the resolver (Wikimedia DNS), an on-path observer (such as your ISP or government) can still identify the website you connect to through the Server Name Indication (SNI) field in the ClientHello message, which is currently not encrypted, or through the IP address of the destination website. That said, since DNS-based censorship and surveillance are the easiest to implement, protecting your DNS is the first step towards better privacy and resistance to censorship.

The Encrypted Client Hello extension for TLSv1.3 (ECH; formerly Encrypted SNI) encrypts the SNI field and, because of how it works, needs encrypted DNS to be effective. Together, these two technologies can address a long-standing privacy problem for internet users. Although this will not solve all of our problems, we need encrypted DNS for future work against surveillance and censorship to be effective.

Can't a firewall simply block the service itself?

Yes, a censor can block Wikimedia DNS. But we believe that the combination of encrypted DNS and Encrypted Client Hello (which depends on encrypted DNS) makes blocking websites much harder, and therefore lowers the likelihood that Wikimedia DNS itself gets blocked, since a censor can no longer rely on snooping on the SNI. Moreover, most censors generally do not block DNS resolvers, as the popularity and usage of 1.1.1.1 and 8.8.8.8 show.

Wikimedia DNS is not a complete solution to every censorship problem. It is one part of our anti-censorship strategy; while it may not help every user everywhere, it will help secure the DNS queries of the vast majority of users and lay the foundation for upcoming protocols.

Can you say more about ECH and the Client Hello?

Suppose you want to open en.wikipedia.org. The first step is DNS resolution: the DNS resolver returns the IP address of the en.wiki domain so that you can connect to it. Next, when you connect to that IP address, you also specify the Server Name Indication, or SNI, which here is en.wikipedia.org. This SNI field, like DNS, has always been unencrypted, so a censor inspecting your traffic can see that you are connecting to en.wiki and prevent the connection from being established.

SNI-based censorship is the most common form of restricting access to websites (not just ours) after DNS, the difference being that it requires more resources in the form of specialized blocking equipment that does deep-packet inspection on the traffic so not every censor is motivated to pursue it or has the equipment to be able to do so.

Encrypted Client Hello (formerly called Encrypted Server Name Indication, or ESNI), encrypts this SNI field, preventing a censor from blocking traffic based on the SNI field. ECH depends on encrypted DNS to be effective as the key distribution for ECH happens over DNS HTTPS resource records. In the absence of encrypted DNS, a censor could simply filter or poison the DNS result, making ECH ineffective. The Firefox browser for example will not enable ECH if encrypted DNS is also not enabled.

Thus the work on Wikimedia DNS not only secures DNS but also lays the foundation for future implementations of internet security protocols such as ECH.

Do I need to install extra software to use it?

All major desktop and mobile operating systems and browsers support either DoH or DoT in 2023. Users will need to point their browser/OS to Wikimedia DNS but no extra software is required.

Automatic discovery of encrypted resolvers is not yet widely deployed, so the configuration is still manual; the hostname or IP address of the service is all that is required to use it.

If you do not want to use Wikimedia DNS, nothing changes for you.

What do I need to use it?

  1. A client that supports DoH or DoT. You can find a list here.
  2. The URL of the service (https://wikimedia-dns.org/dns-query) or its IP address, IPv4: 185.71.138.138 or IPv6: 2001:67c:930::1.
  3. Or the DNS Stamp: sdns://AgcAAAAAAAAADjE4NS43MS4xMzguMTM4ABF3aWtpbWVkaWEtZG5zLm9yZwovZG5zLXF1ZXJ5 (connecting over IPv4) or sdns://AgcAAAAAAAAAEVsyMDAxOjY3Yzo5MzA6OjFdABF3aWtpbWVkaWEtZG5zLm9yZwovZG5zLXF1ZXJ5 (connecting over IPv6).
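The two DNS stamps above are opaque strings, so here is an added example, not code from this page or from the project, that decodes them according to the public DNS Stamps format (protocol byte, 64-bit properties, address, certificate hashes, hostname, path). Running it shows what a client such as dnscrypt-proxy learns from the stamp: the endpoint and the advertised properties. The stamp strings are the ones listed above; the error case uses a constructed stamp with a non-DoH protocol byte.

```python
# Added example (not the page's or the project's code): decode the DNS stamps
# listed above into the DoH endpoint and properties they encode.
import base64
import struct

# Bits of the 64-bit props field, per the DNS Stamps specification
PROPS = {1: "DNSSEC", 2: "No logs", 4: "No filter"}


def _b64url_decode(text: str) -> bytes:
    """Stamps omit base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _lp(buf: bytes, off: int) -> tuple[bytes, int]:
    """Length-prefixed string: one length byte, then that many bytes."""
    n = buf[off]
    return buf[off + 1:off + 1 + n], off + 1 + n


def _vlp(buf: bytes, off: int) -> tuple[list[bytes], int]:
    """List of LP strings; the high bit of a length byte means 'more items follow'."""
    items = []
    while True:
        more, n = buf[off] & 0x80, buf[off] & 0x7F
        items.append(buf[off + 1:off + 1 + n])
        off += 1 + n
        if not more:
            return items, off


def parse_doh_stamp(stamp: str) -> dict:
    """Parse an sdns:// stamp of protocol 0x02 (DoH); reject anything else."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    buf = _b64url_decode(stamp[len("sdns://"):])
    if buf[0] != 0x02:
        raise ValueError(f"protocol 0x{buf[0]:02x} is not DoH (0x02)")
    props = struct.unpack("<Q", buf[1:9])[0]        # little-endian uint64
    off = 9
    addr, off = _lp(buf, off)                       # IP[:port]; IPv6 in brackets
    hashes, off = _vlp(buf, off)                    # optional SHA-256 pins of the chain
    hostname, off = _lp(buf, off)
    path, off = _lp(buf, off)
    bootstrap: list[bytes] = []
    if off < len(buf):                              # optional bootstrap resolvers
        bootstrap, off = _vlp(buf, off)
    host, uri_path = hostname.decode("ascii"), path.decode("ascii")
    return {
        "protocol": "DoH",
        "props": [name for bit, name in PROPS.items() if props & bit],
        "addr": addr.decode("ascii"),
        "hashes": [h.hex() for h in hashes if h],
        "hostname": host,
        "path": uri_path,
        "url": f"https://{host}{uri_path}",
        "bootstrap": [b.decode("ascii") for b in bootstrap if b],
    }


if __name__ == "__main__":
    for stamp in (
        "sdns://AgcAAAAAAAAADjE4NS43MS4xMzguMTM4ABF3aWtpbWVkaWEtZG5zLm9yZwovZG5zLXF1ZXJ5",
        "sdns://AgcAAAAAAAAAEVsyMDAxOjY3Yzo5MzA6OjFdABF3aWtpbWVkaWEtZG5zLm9yZwovZG5zLXF1ZXJ5",
    ):
        print(parse_doh_stamp(stamp))
```

Both stamps carry a properties value of 0x07, that is DNSSEC, no logs and no filtering, and an empty hash list, so a client validates the server certificate against its normal trust store rather than against a pinned hash; the IPv6 stamp differs only in the bracketed address.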

Is this a VPN?

No. Using Wikimedia DNS neither relays the contents of your communication nor changes your IP address. It only protects metadata, in this case the DNS query.

Why don't you run a VPN service?

Running a VPN service requires far more resources and carries far more liability, as we would be relaying the contents of the transmission as well, not just the metadata.

VPNs also have usability and accessibility problems. People who know what a VPN is and can configure one will use it, while most other users cannot. So if we offer a censorship-circumvention tool, it should work for everyone; DoH and DoT are not there yet, but these protocols are more standardized and easier to use than setting up and running a VPN client.

Does this affect IP masking or any other anti-abuse tools?

No. Wikimedia DNS does not affect those tools in any way. If oversighters, administrators and other users use Wikimedia DNS, they still have access to the same information about editors as they would without it.

Does this require a username/password or some other form of authentication?

No, only the hostname or IP address. This is a public service that anyone can use.

Can the service be restricted to the Wikimedia community only?

No, we have no technical means of restricting access to the service. Anyone who knows the hostname or IP address can use it.

Does this allow bad actors on the internet to protect their DNS lookups?

Yes. Wikimedia DNS, like any other DNS service (including the one run by your ISP), allows bad actors to resolve names and protect their DNS lookups. Note that Wikimedia DNS only handles the metadata of a communication (the "phone number"); it takes no part in the communication itself (the "phone call"). So, given that bad actors have better tools for protecting the content of the communication itself, such as the many free and commercial VPN services and other proxies, the utility Wikimedia DNS offers them is rather limited.

Wikimedia DNS is an alternative to existing commercial DNS providers, not the only service of its kind. Most people will keep using Google and Cloudflare to protect their DNS lookups, and because of the scale at which they operate, those services will be faster than ours.

I have configured the service. How do I make sure I am using it?

After setting up Wikimedia DNS, you can visit https://check.wikimedia-dns.org/ to confirm that your DNS queries go through Wikimedia DNS rather than your local or ISP resolver.

You can also query the API directly from the command line: curl https://${RANDOM}.check.wikimedia-dns.org/check (the random label forces a fresh lookup instead of a cached answer).

DoH vs DoT: which should I use?

Wikimedia DNS supports DoH on TCP port 443 and DoT on TCP port 853. Users can choose either protocol to secure their DNS: DoH and DoT offer the same privacy and security guarantees on Wikimedia DNS, but users should be aware of the differences between the protocols themselves.

  • DoH on port 443 is harder to block, because a censor would have to block potentially all HTTPS traffic (short of blocking the resolver's own addresses, as discussed above). DoT runs on the dedicated port 853 and is therefore easier to block.
  • Typically, DoH support lives in the browser (securing DNS lookups only from within that browser), while DoT lookups happen at the OS level, for all applications. DoT may be preferable in that sense, unless censorship is the concern.

Instructions

To get started with Wikimedia DNS, see the Wikimedia DNS guide page.

Privacy policy

Wikimedia DNS is still being beta-tested and evaluated both internally and with our community. As such, there are no guarantees of the reliability or future availability of the service, and there is no formal privacy policy published yet. That said, our current configuration (visible here: dnsdist.conf.erb and recursor.conf.erb) does not currently log anything.

We currently intend, in broad strokes, to adhere to the Foundation's long-standing values around privacy-related issues, as well as to Mozilla's TRR policy, when and if this service is more-formally launched in the future.

Technical details

You can find a more exhaustive list of technical features on the Wikitech page but here is a summary:

  • This is an anycasted service, running on all seven of our data centers. You should in most cases connect to the data center nearest you, even when you configure it with the IP address.
  • Wikimedia DNS supports strong encryption: DoH uses TLSv1.3 and TLSv1.2 (AEAD ciphers only), and DoT uses TLSv1.3 only. For mobile clients (or other clients that prefer it), Wikimedia DNS prefers ChaCha20-Poly1305.
  • This is meant to be a secure DNS service and we don't support unencrypted DNS over either UDP or TCP and have no plans to do so.
  • IPv6 is fully supported.
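As an added example, not code from this page or from the project, here is a DoT client whose TLS policy mirrors what the list above states for the service: TLS 1.3 only, with the certificate chain and hostname verified against the system trust store, so that a downgrade to an older TLS version or a forged certificate ends the connection instead of leaking queries. The host, IPv4 address and port come from the page; the query bytes are constructed, and the network call is only made when the script is run directly.

```python
# Added example (not the page's or the project's code): a DoT client whose TLS
# policy mirrors the service's (TLS 1.3 only, verified certificate and hostname).
import socket
import ssl
import struct

WIKIMEDIA_DNS_HOST = "wikimedia-dns.org"      # from the page
WIKIMEDIA_DNS_V4 = "185.71.138.138"           # from the page
DOT_PORT = 853                                # RFC 7858

# Constructed wire-format query "A wikipedia.org", ID 0, RD=1 (31 bytes)
SAMPLE_QUERY = bytes.fromhex(
    "000001000001000000000000"                 # header
    "0977696b697065646961036f726700"           # 9 "wikipedia" 3 "org" 0
    "00010001"                                 # QTYPE=A, QCLASS=IN
)


def make_dot_context() -> ssl.SSLContext:
    """Refuse anything below TLS 1.3 and any certificate that does not match the
    server name; the system trust store is used, so the chain must validate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """The parts of the client policy worth checking before trusting it."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify": ctx.verify_mode.name,
    }


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def dot_exchange(query: bytes, addr: str = WIKIMEDIA_DNS_V4,
                 server_name: str = WIKIMEDIA_DNS_HOST, timeout: float = 5.0):
    """Send one DNS message over DoT; return (response, tls_version, cipher).
    Needs network access; a downgrade or a bad certificate raises ssl.SSLError."""
    ctx = make_dot_context()
    with socket.create_connection((addr, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)    # RFC 7858 framing
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length), tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    resp, version, cipher = dot_exchange(SAMPLE_QUERY)
    print(version, cipher, len(resp), "bytes; RCODE", resp[3] & 0x0F)
```

Against a resolver with the policy described above, the negotiated version printed is TLSv1.3 and the cipher is one of the TLS 1.3 AEAD suites; pointing the same client at a plain-DNS or TLS 1.2-only endpoint fails during the handshake, which is the behaviour you want from a client whose only job is to keep queries off the wire in the clear.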

Source code

The deployment of Wikimedia DNS corresponds to the source code in our Puppet repository. The dnsdist module covers setting up and configuring a dnsdist instance, the dnsrecursor module does the same for a PowerDNS Recursor instance, and both of these are called by the Wikidough (codename) role and profile and customized with the configuration data from wikidough.yaml.

The configuration files for dnsdist can be found at dnsdist.conf.erb and for PowerDNS Recursor at recursor.conf.erb.

Current deployment

Wikimedia DNS is currently deployed in all six of our data centers, running on two ECMP load-balanced Ganeti virtual machines per site (12 VMs in total). A further twelve VMs run the check service (check.wikimedia-dns.org).

Contact

The Wikimedia DNS project is run by the SRE/Traffic team. We welcome questions, comments and discussion about the project on the talk page.

For technical discussion of the project, join our IRC channel on Libera Chat: #wikimedia-traffic. The team's email contact is wikimedia-dns@wikimedia.org.