Durum

From Wikitech

durum 🌾 (named after durum wheat) is a service that allows Wikimedia DNS users to check if they have correctly configured and are using Wikimedia DNS as their DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resolver.

Introduction

DoH and DoT are newer protocols that, unlike traditional unencrypted DNS, encrypt your DNS queries. Because there is no widely deployed discovery mechanism for them, configuring a browser or operating system to use DoH/DoT is a manual process, and a mistake in that configuration is easy to miss. durum's purpose is to assure users that they have configured Wikimedia DNS correctly and that it is actually being used for their DNS lookups.

durum is served as a web application from check.wikimedia-dns.org and works by checking where a query for *.check.wikimedia-dns.org arrives. It does not log any user data; it relies only on the source of the DNS query to distinguish Wikimedia DNS from some other recursor.

How does this work?

  • durum's server serves an HTML page with some JavaScript.
    • The JavaScript makes a request for $UUID.check.wikimedia-dns.org/check/, where $UUID is a unique test ID generated by a client-side UUID generator.
      • If the user is using Wikimedia DNS: the query goes to Wikimedia DNS, which answers for *.check.wikimedia-dns.org itself with one of two IPs, depending on whether the query was received on the DoH port (443) or the DoT port (853).
        • The query is not forwarded to gdnsd (the authoritative nameserver for wikimedia-dns.org), since Wikimedia DNS returns the IPs itself.
        • The two different IPs allow us to tell whether the user is using DoH or DoT.
      • If the user is not using Wikimedia DNS: the query goes through their recursor to gdnsd, which returns the IP address for *.check.wikimedia-dns.org (essentially, the address of no.check.wikimedia-dns.org). If the query reached gdnsd at all, the user is not using Wikimedia DNS.
  • The user's browser gets the resolved IP (the DoH "yes" address, the DoT "yes" address, or the "no" address) and connects to it.
  • durum's server listens on these three IPs, two "yes" and one "no", and each returns a corresponding JSON response: the "yes" IPs return {"wikidough": true, "service": "doh", "site": "eqiad", "ipv": "ipv4"} or {"wikidough": true, "service": "dot", "site": "eqiad", "ipv": "ipv4"}, while the "no" IP returns {"wikidough": false, "service": null, "site": null, "ipv": null}.
  • The JavaScript on check.wikimedia-dns.org checks the JSON response and updates the HTML to display the check result.

API

You can directly query the durum service, without the web application frontend. This is also useful for users who don't have JavaScript enabled in their browsers.

If Wikimedia DNS is being used as your resolver, this should return a JSON response of {"wikidough": true, "service": "doh/dot", "site": "eqiad"/"codfw"/etc., "ipv": "ipv4"/"ipv6"}; otherwise it returns {"wikidough": false, "service": null, "site": null, "ipv": null}:

curl https://check-${RANDOM}.check.wikimedia-dns.org/check

Why the UUID?

In theory, we could just ask users to query for test.check.wikimedia-dns.org (or some other fixed name) instead of generating a fresh UUID every time the check is run. But the DNS answer for a non-unique name such as test.check.wikimedia-dns.org may be cached (by a local cache, your stub resolver, or your recursor), so it is important that every query for this test is unique, and the UUID achieves that. Without it, you could get a stale cached answer instead of the actual check response from your current resolver. As a second line of defence, the TTL for *.check.wikimedia-dns.org is set to five seconds, so even a cached answer expires almost immediately.

Notes

  • We do not log anything related to this service; not even the nginx access logs.
  • durum is not a generic "what is my DNS resolver" service, like dnsleaktest.com or 1.1.1.1/help. It only tells users whether they are using Wikimedia DNS; it does not identify which other recursor they may be using.
  • durum is an anycasted service similar to Wikimedia DNS.