Hello. I want to tell you about DNS over HTTPS. Some people ignore this topic; I want to promote it for mass DNS resolution.
Let's start with an example:
curl -v -H 'accept: application/dns-json' 'https://dns.google.com/resolve?name=fit.com&type=A'
We are not limited to the IP addresses of dns.google.com. Google serves the DNS API through the same front ends as google.*, google.co.*, images.google.com, translate.google.com, etc., so you can connect to one of those IPs while keeping the TLS SNI and Host header set to dns.google.com:
curl -v --resolve dns.google.com:443:173.194.222.138 -H 'accept: application/dns-json' 'https://dns.google.com/resolve?name=fit.com&type=A'
You can "scan" Google subnets and find thousands of IP addresses that will proxy DNS this way:
216.58.192.0/24, 216.58.193.0/24, ...
172.217.18.0/24, 172.217.19.0/24, ...
172.217.22.0/24, 172.217.23.0/24, ...
There are holes in these subnets (for example 173.194.50.0/24), because some Google services are served with a certificate that does not cover dns.google.com, so the TLS handshake for that hostname fails there.
Now let me introduce Cloudflare. Their subnets are the best gift ever: it looks like the certificate for cloudflare-dns.com is served on at least 500 thousand IP addresses.
curl -v --resolve cloudflare-dns.com:443:104.16.200.100 -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=fit.com&type=A'
104.16.0.0/16, 104.17.0.0/16, 104.18.0.0/16, ...
It is possible to accumulate several million endpoints and spread a good amount of load across Google and Cloudflare.
Disadvantages:
- Google and Cloudflare could ban client IP addresses that put a huge load on their network.
- DNS over HTTPS is provided only by these companies.
PS Do not forget that we can send multiple DNS queries over a single TCP connection before the connection breaks; "keep-alive" or HTTP/2 improves this further.
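Putting the pieces together (the `--resolve` trick from the examples above, the "holes" where a front end's certificate does not cover the DNS hostname, and connection reuse from the PS), here is an added example resolver, not code from the original post. It pins the TCP connection to a chosen front-end IP while keeping SNI and Host on the provider hostname, verifies the certificate against that hostname so a hole fails loudly instead of returning garbage, and reuses one TLS connection per endpoint for many queries with HTTP/1.1 keep-alive. The endpoint list, the documentation address 192.0.2.10, the sample JSON replies and the treatment of HTTP 429 as a throttling signal are assumptions made for the example; only the two hostnames, paths, and two IPs come from the post.

```python
"""Mass DNS resolution over the Google/Cloudflare JSON DoH APIs (added example).

Pins the TCP connection to a front-end IP while keeping TLS SNI and the Host
header on the provider hostname (what `curl --resolve` does), reuses one TLS
connection per endpoint (HTTP/1.1 keep-alive) and verifies the certificate
against that hostname so a "hole" in a subnet is detected, not silently used.
"""
import http.client
import json
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Hostnames and JSON-API paths exactly as used in the post's curl commands.
PROVIDERS: Dict[str, Tuple[str, str]] = {
    "google": ("dns.google.com", "/resolve"),
    "cloudflare": ("cloudflare-dns.com", "/dns-query"),
}
# (provider, front-end IP) pairs. The two IPs are the ones from the post;
# assumption: in practice you fill this list from your own scan of the ranges.
SAMPLE_ENDPOINTS = [("google", "173.194.222.138"), ("cloudflare", "104.16.200.100")]

# RR type numbers as they appear in the JSON "type" field.
RR_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}

# Constructed replies in the shape both JSON APIs return (not captured traffic;
# 192.0.2.10 is a documentation address, not a real answer for fit.com).
SAMPLE_REPLY = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "fit.com.", "type": 1}],
    "Answer": [{"name": "fit.com.", "type": 1, "TTL": 299, "data": "192.0.2.10"}],
})
NXDOMAIN_REPLY = json.dumps({"Status": 3, "Question": [{"name": "nope.invalid.", "type": 1}]})


def build_request(provider: str, name: str, rtype: str = "A") -> Tuple[str, str]:
    """Return (hostname, request-target) for the provider's JSON API."""
    host, path = PROVIDERS[provider]
    return host, f"{path}?name={name}&type={rtype}"


def parse_answer(body: str, rtype: str = "A") -> List[str]:
    """Return the 'data' of Answer records of the requested type.

    Status is the DNS RCODE (0 == NOERROR); NXDOMAIN/SERVFAIL/REFUSED give [].
    Records are matched by type, not name, so A records reached through a
    CNAME chain are kept.
    """
    reply = json.loads(body)
    if reply.get("Status", 2) != 0:
        return []
    wanted = RR_TYPES[rtype]
    return [rr["data"] for rr in reply.get("Answer", []) if rr.get("type") == wanted]


class PinnedConnection:
    """One keep-alive HTTPS connection to `ip` with SNI and Host = `hostname`."""

    def __init__(self, hostname: str, ip: str, timeout: float = 5.0) -> None:
        self.hostname, self.ip, self.timeout = hostname, ip, timeout
        self.conn: Optional[http.client.HTTPSConnection] = None

    def _open(self) -> None:
        ctx = ssl.create_default_context()  # chain and hostname verification on
        raw = socket.create_connection((self.ip, 443), timeout=self.timeout)
        # Raises ssl.SSLCertVerificationError when this front end's certificate
        # does not cover `hostname`: that is a "hole" in the subnet.
        tls = ctx.wrap_socket(raw, server_hostname=self.hostname)
        conn = http.client.HTTPSConnection(self.hostname, timeout=self.timeout)
        conn.sock = tls  # http.client reuses this socket for every request
        self.conn = conn

    def query(self, provider: str, name: str, rtype: str = "A") -> List[str]:
        if self.conn is None:
            self._open()
        _, target = build_request(provider, name, rtype)
        self.conn.request("GET", target, headers={"accept": "application/dns-json"})
        resp = self.conn.getresponse()
        body = resp.read().decode()  # drain the body so the connection stays reusable
        if resp.status == 429:  # assumption: throttling shows up as 429 before a ban
            raise RuntimeError(f"rate limited by {self.ip}")
        if resp.status != 200:
            raise RuntimeError(f"HTTP {resp.status} from {self.ip}")
        return parse_answer(body, rtype)

    def close(self) -> None:
        if self.conn is not None:
            self.conn.close()
            self.conn = None


def resolve_many(names: List[str], endpoints, rtype: str = "A") -> Dict[str, Optional[List[str]]]:
    """Round-robin names over endpoints; an endpoint is dropped after its first failure."""
    live = list(endpoints)
    conns: Dict[str, PinnedConnection] = {}
    results: Dict[str, Optional[List[str]]] = {}
    turn = 0
    for name in names:
        results[name] = None
        for _ in range(len(live)):
            provider, ip = live[turn % len(live)]
            turn += 1
            conn = conns.setdefault(ip, PinnedConnection(PROVIDERS[provider][0], ip))
            try:
                results[name] = conn.query(provider, name, rtype)
                break
            except (OSError, RuntimeError):  # TLS/cert failure, socket error or bad HTTP status
                conn.close()
                live.remove((provider, ip))
                conns.pop(ip, None)
                if not live:
                    return results
    return results


if __name__ == "__main__":
    print(resolve_many(["fit.com", "example.com"], SAMPLE_ENDPOINTS))
```

The `ssl.create_default_context()` call is what makes the hole detection work: the handshake is verified against `dns.google.com` or `cloudflare-dns.com` even though the socket was opened to a bare IP, so a front end serving a certificate for some other Google property is rejected and removed from the pool. HTTP/2 multiplexing, which the PS mentions, would need a third-party client library; the standard library gives you keep-alive only.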
Thank you.