-
I have configured dnscrypt-proxy to listen on 127.0.0.1:53 (well, not really, because it's the default). I can verify this on Linux with ss -tunap, et cetera. However, when I use nextdns, static, doh3, dnscrypt-proxy creates a new socket with the address 0.0.0.0 (= any interface?) and a randomly assigned port number (changing all the time) in state unconn (because it's UDP).

I understand that DoH3 uses UDP, port 443 as its transport protocol, and that UDP is a connectionless protocol. So I suppose this means that each DNS request is sent as a separate packet, and there is no guarantee that the packets will arrive in the same order that they were sent. The port number is randomly assigned to each packet, so it changes each time a new packet is sent. I suppose the fact that the port number is randomly assigned helps improve security, because it makes it more difficult for attackers to track the DNS requests that are sent to dnscrypt-proxy.

I have to "assume" too much, so I am still concerned/confused by the fact that I see the local address 0.0.0.0(:~port_number) when I use doh3/nextdns/static. Is there something "wrong" here? Or is everything "just fine"? Thank you for your help (hope).
Replies: 2 comments 1 reply
-
What is "DOH3"?
-
Ah, found it. This is apparently a word NextDNS invented to refer to traditional DoH with HTTP/3.

When a device wants to communicate with a server over the Internet (using TCP or UDP, it doesn't matter), it picks a port number that the server will receive.

That port number is required to allow the server to identify individual connections, if there are multiple ones coming from the same IP address.

Without that port number, or if the port number was always the same, only one device behind a WiFi router could connect to Google at a time, as it wouldn't be possible for the server to send a response to a particular device.

Port numbers can be chosen in any way, but picking them randomly is what most operating systems do, as it can indeed improve the security of some protocols.

The tool you are using to view connections probably prints "0.0.0.0" as a way to refer to the IP address it uses to send data over the network. The actual IP address the server sees, and responds to, is the IP address assigned by your ISP.
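The behaviour discussed in this thread (a client UDP socket showing up in ss as 0.0.0.0 with an ephemeral port in state UNCONN) can be reproduced with a few lines of Python. The script below is an added illustration, not code from dnscrypt-proxy or from either participant: it opens one UDP socket and sends a single datagram without ever calling bind(), so the kernel auto-binds it to the wildcard address 0.0.0.0 and a port from the ephemeral range; it then opens a second socket and connect()s it to the same peer, which makes the kernel pick a concrete local address. The peer 127.0.0.1:9 (the discard port) is a constructed, harmless destination so the example runs offline; the ephemeral range is read from /proc on Linux and reported as unknown elsewhere.

```python
import socket

# Constructed peer: loopback "discard" port. Nothing needs to listen there for
# the kernel to auto-bind the sending socket, which is all we want to observe.
PEER = ("127.0.0.1", 9)


def ephemeral_port_range():
    """Return (low, high) of the kernel's ephemeral port range, or None if unknown.

    Linux exposes it under /proc; other systems simply return None here.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low, high = f.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return None


def probe_udp_local_address(peer=PEER):
    """Show how the kernel assigns the local address/port of client UDP sockets.

    Returns (unconnected, connected), each an (ip, port) tuple as reported by
    getsockname():
      - unconnected: socket that only did sendto(); auto-bound to 0.0.0.0 and an
        ephemeral port (this is the 0.0.0.0:<port> UNCONN line seen in ss -tunap)
      - connected: socket that called connect(); the kernel resolves the route
        and records the concrete local address it will use (127.0.0.1 here)
    Both sockets are kept open at the same time so the two ports are distinct.
    """
    unconn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # No bind() call: the first send forces an implicit bind to 0.0.0.0 and
        # a kernel-chosen port. The source IP is selected per packet by routing.
        unconn.sendto(b"probe", peer)
        unconnected = unconn.getsockname()

        # connect() on UDP does not send anything; it pins the peer, lets the
        # socket receive ICMP errors, and fixes the local address in advance.
        conn.connect(peer)
        connected = conn.getsockname()
    finally:
        unconn.close()
        conn.close()
    return unconnected, connected


def port_in_ephemeral_range(port):
    """True if port lies in the kernel's ephemeral range (None when range unknown)."""
    rng = ephemeral_port_range()
    if rng is None:
        return None
    return rng[0] <= port <= rng[1]


if __name__ == "__main__":
    unconnected, connected = probe_udp_local_address()
    print("unconnected socket:", unconnected, "(wildcard address, ephemeral port)")
    print("connected socket:  ", connected, "(concrete local address)")
    print("ephemeral range:   ", ephemeral_port_range())
    print("port in range:     ", port_in_ephemeral_range(unconnected[1]))
```

Run it next to ss -tunap and the first socket shows as 0.0.0.0:<port> UNCONN, exactly the line that prompted the question: the wildcard only means the socket was never bound to one local interface, and the kernel fills in the real source address (your LAN or ISP-facing address) when each datagram is routed. A fresh port per socket is normal; it is how the OS keeps concurrent flows apart, and randomising the choice is a long-standing mitigation against off-path spoofing of UDP-based protocols such as DNS.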