security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

explain DNS-over-TLS test query in detail

Browse Source
This commit is contained in:
Daniel Micay 2023-01-02 11:57:05 -05:00
parent 5121bbea01
commit 63d70eaf45
1 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
static/faq.html
View File

@ -941,8 +941,27 @@
the Google service if you prefer.</p> the Google service if you prefer.</p>
</li> </li>
<li> <li>
<p>DNS connectivity and functionality tests involving connections to <p>A test query is done via DNS-over-TLS in the automatic and manually
the network / user provided DNS resolvers</p> enabled modes to detect if DNS-over-TLS is available. It won't happen
when DNS-over-TLS is disabled. For the automatic mode, it uses this to
determine if it should be using it and for the manual mode it uses it
to report an error. This DNS query is not used to make a connection to
the resulting resolved IP.</p>
<p>GrapheneOS queries the DNS resolver for
<code><var>randomstring</var>-dnsotls-ds.dnscheck.grapheneos.org</code>
by default but switches to using the standard
<code><var>randomstring</var>-dnsotls-ds.metric.gstatic.com</code>
when the HTTP(S) connectivity check mode is set to Standard (Google)
instead of the default GrapheneOS mode or Disabled mode to avoid
identifying itself as GrapheneOS to the DNS resolver. The DNS-over-TLS
test query will still happen with HTTP(S) connectivity checks disabled
but DNS-over-TLS can be disabled by disabling Private DNS.</p>
<p>The random string is used to bypass DNS caching to make sure the
DNS resolver. It's generated with a cryptographically secure random
number generator (CSPRNG) for each request and therefore can't leak
any identifying info.</p>
</li> </li>
<li> <li>
<p>DNS resolution for other connections involving connections to the <p>DNS resolution for other connections involving connections to the