Hello to DNS-over-HTTPS and ECDSA Keys

by Tykling @ October 04, 2020 21:27

This weekend I enabled DNS-over-HTTPS on all servers. I know many people have been waiting patiently for news on this front, so I am very pleased to announce that it is finally ready.

The DNS-over-HTTPS URLs are https://anycast.censurfridns.dk/dns-query and https://unicast.censurfridns.dk/dns-query. As always all the other domains can be used in place of censurfridns.dk: censurfridns.nu, uncensoreddns.org and uncensoreddns.dk.
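To show what a client actually sends to one of these endpoints, here is an added example (not code from the post or from the UncensoredDNS project) of the RFC 8484 GET form using only the Python standard library: build a wire-format DNS query, base64url-encode it into the `dns` parameter, and parse the `application/dns-message` reply. The reply in the block is a constructed sample (TEST-NET address 192.0.2.1) so the parser can be exercised offline; the `send_doh_get` helper performs a real HTTPS request if you run the script with network access.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client pieces, standard library only.

Added example; the endpoint URL is the one announced in the post, everything
else (function names, the sample response) is constructed for illustration.
"""
import base64
import struct
import urllib.request

DOH_URL = "https://anycast.censurfridns.dk/dns-query"  # from the post


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query (RFC 1035 wire format) with the RD bit set.

    RFC 8484 recommends txid 0 so identical queries are byte-identical and
    therefore cacheable by HTTP caches along the way.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, wire: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg: bytes) -> list:
    """Return [(owner, ttl, dotted-quad)] for A records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, ttl, ".".join(str(b) for b in rdata)))
    return out


def send_doh_get(url: str) -> bytes:
    """Perform the HTTPS request; TLS is verified against the system CA store."""
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if ctype != "application/dns-message":
            raise ValueError("unexpected Content-Type: %r" % ctype)
        return resp.read()


# Constructed sample reply: txid 0, flags QR|RD|RA, one question, one answer
# whose owner name is a compression pointer back to the question (0xC00C).
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x0ccensurfridns\x02dk\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    wire = build_query("censurfridns.dk")
    url = doh_get_url(DOH_URL, wire)
    print("GET", url)
    print("sample reply parsed:", parse_a_records(SAMPLE_RESPONSE))
    try:
        print("live reply parsed:", parse_a_records(send_doh_get(url)))
    except Exception as exc:  # no network, or the resolver is unreachable
        print("live query skipped:", exc)
```

Note that `urllib` negotiates the cipher suite itself, so whether the server presents its ECDSA or its RSA certificate depends on the client's TLS library, which is exactly why fingerprints can differ between clients.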

At the same time all the servers got new ECDSA keys and certificates, which will be used for TLS instead of the RSA ones if your client supports it. This means you might see a different fingerprint depending on your client and configuration. All the public keys can be found on the servers page and I've opened a PR for Stubby to add the missing pins to their example config. My apologies if you are using pins with Stubby or otherwise and this change made things stop working for you. I always try to avoid downtime when possible. If you have been affected you can find the pins you need in the PR linked above.

This change does away with Nginx on the DNS servers entirely, in favour of the lovely dnsdist, which now terminates both DoT and DoH.

Many people over the years have asked me how to donate to keep this service running. I have recently been accepted to the GitHub Sponsors program, so if you want to donate there is now a good way to do so!

As always, feedback on the new features is very welcome. Catch me on IRC, Twitter, Mastodon or email :)

Tags: ecdsa doh