tina-hello/doh-cf-workers

DoT & DoQ support

tina-hello opened this issue · 1 comment

With the recent release of connect() for making outbound TCP connections in Cloudflare Workers, it's technically possible now to write forwarding to DoT servers instead of DoH, and in the future, once support for inbound TCP and QUIC is added, also forwarding from DoT & DoQ to any DoH, DoT, and DoQ server.

However, aside from the nonzero effort to learn about the new API and implement it, forwarding DoH GET requests to DoT/DoQ will be slightly more involved than simply forwarding DoH POST to DoT/DoQ, since the URL in DoH GET must be decoded first.

The actual benefit of extending support for DoT & DoQ will be minimal: for outbound, most servers that support DoT & DoQ likely support DoH too, and for inbound, if a government blocks DoH servers, then they likely already block DoT & DoQ entirely by closing down port 853.

Minimal doesn't mean none: inbound DoT is very practical for Android users due to its native support, and even with an outbound that already supports DoT, using Cloudflare's cert avoids the dilemma with Let's Encrypt where supporting newer Android DoT means abandoning older Android DoT, and vice versa. So if someone creates a pull request about DoT/DoQ support, I will still review it.
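The "URL in DoH GET must be decoded first" step mentioned in the issue, as an added illustration that is not code from the doh-cf-workers project: the `dns` query parameter of a DoH GET (RFC 8484) is base64url without padding, and a DoT server (RFC 7858) expects the same DNS-over-TCP framing as RFC 1035, i.e. a 2-byte big-endian length prefix. The functions below decode and validate the GET parameter, frame the message for a TCP/TLS stream, and read a frame back out of a stream buffer that may be split across reads. The hostname `doh.example.workers.dev`, the sample query bytes and the function names are assumptions made for this example; the actual `connect()` / TLS transport is not shown.

```javascript
// Added example, not part of the doh-cf-workers project.
// Decode a DoH GET request (RFC 8484 "dns" parameter, base64url, no padding)
// into the raw DNS wire message, then frame it for DNS-over-TLS (RFC 7858),
// which reuses the 2-byte length prefix of DNS-over-TCP (RFC 1035 §4.2.2).
// The Workers connect() / TLS transport itself is out of scope here.

const DNS_HEADER_LEN = 12;   // a DNS message is never shorter than its header
const MAX_DNS_MSG = 65535;   // largest length the 2-byte prefix can express

// base64url -> bytes. Tolerates missing (or present) '=' padding, rejects
// anything outside the base64url alphabet so garbage never reaches the resolver.
function base64urlDecode(s) {
  const stripped = s.replace(/=+$/, "");
  if (!/^[A-Za-z0-9_-]*$/.test(stripped)) throw new Error("invalid base64url");
  const b64 = stripped.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// bytes -> base64url without padding, as RFC 8484 requires for GET.
function base64urlEncode(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Extract and sanity-check the DNS message carried by a DoH GET URL.
function decodeDohGetQuery(urlString) {
  const url = new URL(urlString);
  const param = url.searchParams.get("dns");
  if (param === null) throw new Error("missing dns parameter");
  const msg = base64urlDecode(param);
  if (msg.length < DNS_HEADER_LEN) throw new Error("DNS message too short");
  if (msg.length > MAX_DNS_MSG) throw new Error("DNS message too long");
  return msg;
}

// Prefix a DNS message with its big-endian 2-byte length for a TCP/TLS stream.
function frameForDot(msg) {
  if (msg.length > MAX_DNS_MSG) throw new Error("DNS message too long");
  const out = new Uint8Array(2 + msg.length);
  out[0] = msg.length >> 8;
  out[1] = msg.length & 0xff;
  out.set(msg, 2);
  return out;
}

// Inverse for the reply direction: take one complete message off a stream
// buffer, or return null if the buffer does not yet hold a whole frame
// (TCP/TLS reads may deliver a frame in pieces, so callers must accumulate).
function readDotFrame(buf) {
  if (buf.length < 2) return null;
  const len = (buf[0] << 8) | buf[1];
  if (buf.length < 2 + len) return null;
  return { msg: buf.slice(2, 2 + len), rest: buf.slice(2 + len) };
}

// Constructed sample: a 29-byte query for example.com/A, ID 0 (as RFC 8484
// suggests for cache-friendly GETs), RD flag set, one question.
const SAMPLE_QUERY = new Uint8Array([
  0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x07, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,   // 7 "example"
  0x03, 0x63, 0x6f, 0x6d, 0x00,                      // 3 "com" 0
  0x00, 0x01, 0x00, 0x01,                            // QTYPE A, QCLASS IN
]);
// Hypothetical Worker hostname; the GET form a client would actually send.
const SAMPLE_URL =
  "https://doh.example.workers.dev/dns-query?dns=" + base64urlEncode(SAMPLE_QUERY);

// Walk the forwarding path once: GET URL -> wire message -> DoT frame -> back.
function demo() {
  const msg = decodeDohGetQuery(SAMPLE_URL);
  const frame = frameForDot(msg);
  const parsed = readDotFrame(frame);
  return { msgLen: msg.length, frameLen: frame.length, roundTripLen: parsed.msg.length };
}
```

Note that `URLSearchParams` already percent-decodes the parameter, so an encoder that wrongly left `=` padding (sent as `%3D`) still decodes; anything outside the base64url alphabet is rejected before the bytes are forwarded. For the POST path the request body is already the wire message, so only `frameForDot` and `readDotFrame` apply.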

DoH GET requests are auto-cached, so that's one optimization that using DoT wouldn't have. That said, DNS over UDP is super fast in comparison to DoH / DoT. But Cloudflare hasn't released that feature since announcing it 2 (?) years ago. I'd imagine it involves a significant rewrite of their DDoS and other such tooling.