DNSCrypt (https://dnscrypt.org/) would be more elegant here (DTLS also okay) and is in-band wrapper for DNS. It's what TLS is for HTTP but for DNS and keeps things UDP.
Worth pointing out, this is not a google project, it just uses Google's DNS over HTTP endpoint.
Thanks for all your comments. Below I put quick replies to some of them:
1/ I hope to update the project to use QUIC soon, so it will use encrypted UDP to fetch DNS data from Google Public DNS. It is somehow similar to the DNS over DTLS idea, developed under IETF dprive WG.
2/ dingo does not need to resolve dns.google.com. Providing the server IP address is enough (IPv4 or IPv6, make sure it is close to your location). dingo verifies the server certificate to make sure we talk to Google. It can even "spoof" the TLS SNI string to avoid HTTPS firewalls, too (by default it asks for www.google.com, which is pretty benign).
3/ Last but not least, it's just my first non-trivial Golang project - thanks for all your suggestions! :)
Yes, the random padding (which is optional) is to counter-measure possible side-channel privacy attacks that could infer the domain name from the packet sizes.
If someone is doing DPI their best bet to know where are you connecting to is to look at the host in SNI, but if you're in a corporate environment with an explicit proxy, your computer would be sending a "CONNECT hostname.tld" in plain text anyway :)
The use of `go run` here makes adopting this very hard. The benefit of using Go for projects (in my experience) is that you can build for multiple OS/Arch super, super easy. I'd thin that having uploaded artefacts would be the first thing most people do when releasing Go code into the wild that is meant to be consumed by someone just wanting to run the program.
It's also quite easy to set up Travis-CI to build your project and push binaries to github releases on tagged pushes. Pretty much the first thing I do with every go project.
I think the point wyattjoh was making is that having to install the go toolchain is hindering adoption and that giving downloadable binaries that you could run directly, like `./dingo` would be nicer.
Thats a great point. As a Go developer I always try to make sure that there's a linux and binary for my small projects released on github.
I'm surprised more Go devs don't do this. The toolchain makes it very easy to update releases. You can also use ldflags to set the current git revision and branch into the project.
The literal only selling point for Go, from my perspective--as a software developer, platform engineer, and someone willing to put up with others' Go applications but under no circumstances could be paid enough to write it or fight with its ecosystem--is a statically linked binary deployable. It's not an unmitigated good, of course, for obvious and dependency-related reasons. But it's the only reason to consider a Go tool at all. Otherwise, I might as well be using a Python dependency. Or Ruby or Java.
I suppose it could also be implemented with DTLS [0] over UDP [1]. (Checking Wikipedia...) A 2013 paper [2] published some vulnerabilities; mostly implementation flaws, but it raised some questions about the core spec as well.
However you implement it, encrypting DNS probably has it's place, but it doesn't make a whole lot of sense for most applications.
When you are out and about with your laptop you are usually making your DNS calls to the local router which many view as a big privacy concern. Even if you use something like google's 8.8.8.8 and 8.8.4.4 public DNS servers as your defaults the traffic is easily sniffable.
When you connect to any site, your browser sends the domain in clear-text (even for HTTPS - see SNI). The only way to avoid this is to use a VPN, but then you can route regular DNS over that too.
Worth pointing out, this is not a google project, it just uses Google's DNS over HTTP endpoint.
We have one we made at https://www.openresolve.com/