Well, for proxying I'd generally prefer DoT over DoH, but that's certainly nothing against this PR :-)

Doing random review.

I was able to rebase this branch on nixos-19.09 and run the https-dns-proxy service. However, it did not work out of the box (DNS queries made by, for example, dig @127.0.0.1 -p 5053 github.com timed out).

Turns out this is because I don't have IPv6 connectivity on my machine, and https-dns-proxy only tries to use an IPv6 address for doing upstream queries, unless instructed otherwise.

I think that -4 needs to be added to https-dns-proxy options unless networking.enableIPv6 is true. This can be accomplished by adding https-dns-proxy's own enableIPv6 option which defaults to networking.enableIPv6.

Once I added -4 to extraArgs, DNS resolution worked for me.

Even if networking.enableIPv6 = true (and it is by default), you have no guarantee that IPv6 actually works. For mobile devices that can even change dynamically, and it's my perception that people especially want to encrypt DNS on connections like in a coffee shop, hotel, ... and those in my experience tend not to have IPv6.

Considering that networking.enableIPv6 is true by default, and it's far more probable to encounter a IPv4-only network rather than IPv6-only network, setting the local enableIPv6 option to false by default makes sense, indeed.

(And maybe it should be called useIPv6, or even connectViaIPv6.)

Yes, unless they implement the recommended approach of trying both protocols in parallel with preference to IPv6.

We now have preferIPv4 which is set to true by default. I haven't tried it yet but will be giving it a go tonight.

I tried the new version. Now it does use -4 by default, but it still doesn't work out of the box. :( However, if I switch provider to "google", it starts working.

Upon further investigation: cloudflare-dns.com has two IPv4 addresses: 104.16.248.249 and 104.16.249.249. 104.16.248.249 one does not work for me:

> curl -H "Host: cloudflare-dns.com" https://104.16.248.249/dns-query -k -v                              ~
*   Trying 104.16.248.249:443...
* TCP_NODELAY set
* connect to 104.16.248.249 port 443 failed: Connection timed out
* Failed to connect to 104.16.248.249 port 443: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to 104.16.248.249 port 443: Connection timed out

Turns out this IP is blocked by the Russian Federation government. :(

For 104.16.249.249, I receive an (empty) response, which is normal, I suppose.

Previously, this PR used Google's 8.8.8.8 for determining DoH provider IP address, and it returns 104.16.249.249 and then 104.16.248.249; so a "good" IP was used. Now, this PR uses Cloudflare's 1.1.1.1 for determining DoH provider's IP address, and it returns 104.16.248.249 and then 104.16.249.249; so a "bad" IP is used.

I don't know what would be a proper solution here. The problem is strictly local, so it could be ignored; on the other hand, it's present for a large territory. Using 8.8.8.8 as a bootstrap DNS server works as a work-around, but it's probably a random effect that shouldn't be relied upon. Defaulting provider to google would make the service work out of the box, but I would rather see cloudflare as a default. The problem would be solved if the https-dns-proxy program somehow tried multiple IPs and used the one that works, but this doesn't look like a trivial enhancement, and is outside the scope of nixpkgs.

Now, this PR uses Cloudflare's 1.1.1.1 for determining DoH provider's IP address, and it returns 104.16.248.249 and then 104.16.249.249; so a "bad" IP is used.

CloudFlare rotates the records randomly on each reply, precisely because some dumb clients always use the first one (even though they shouldn't act that way). We actually discussed this with them.

CloudFlare rotates the records randomly on each reply, precisely because some dumb clients always use the first one (even though they shouldn't act that way). We actually discussed this with them.

Ok, I tested this, and several consecutive requests to 1.1.1.1 indeed produced results in different order. 8.8.8.8 actually does the same, so I was just lucky the first time, and unlucky the second time.

cc @andir

I can definitely follow your line of thinking but I will argue that making things accessible beats being "ideologically pure" and that it's better to give people something that works out of the box with relatively sane defaults. I mean, why even provide this considering everybody should be using tor? So what I will do is this: 1. change the PR to allow people to specify the upstream servers 2. expand on the description using the link you provided to inform people about the consequence of their choice of upstream provider If someone just does 'enable = true;' things will work. If somebody such as yourself wants to use a specific upstream, that will work too. Everybody is happy, kittens will sing and free money all around.

ok

This hasn't had a very high priority for me, so I've just changed the PR to only include the packaging. The module will come later.

@GrahamcOfBorg build https-dns-proxy