Authenticating client queries (crazy idea...?)

[DumboJetEngine]

From what I know, client DNS queries are normally not authenticated/authorized by DNS servers, nor any client software (OS, etc) allows setting up authentication for querying DNS servers.
I am not an expert, so correct me if I am wrong...

Would it be interesting if such a feature was supported to allow private communities to use their own DNS server(s), and prevent 3rd parties querying their public DNS server(s)?
I think it would be fun to have an internet community, with its own DNS servers, its own domain names that would be super-cheap to obtain, it own certificate authorities that work like Let's Encrypt, etc, etc. Especially in today's world where privacy threats and big-tech dominate and misuse the internet.
I am guessing this would require using a localhost DNS proxy on most OSes (Linux, Windows), that would recieve normal DNS queries and forward them to a DNS server with a modified DNS API (probably HTTPS-based) that allows for authentication/authorization.
Avoiding normal DNS queries would also prevent interception by ISPs.

This is just a crazy idea of mine and I was wondering if anyone thinks it is worth having such a thing (apart from me...), or if there is something similar to this already that I am not aware of.

[stratself]

Not an expert either, but you should be able to set up DoH behind some username-password combo and forward queries to Technitium. I tried with Traefik's basicAuth middleware and q and got some results:

~$ ./q A example.com @https://test:test@mydnsdomain.com/dns-query
example.com. 3m42s A 23.192.228.80

Using stuff like oauth2-proxy you might be able to integrate with an SSO provider too (via Authorization headers and such). The only problem left is to find a dns client that seamlessly handle these credentials with its DoH forwarders.

However I'd advise you of some pitfalls with this approach:

1. DoH queries with authentication adds extra overhead and decrease performance
2. Many privacy-conscious people would likely use a VPN and hence query with the VPN's resolvers. Using your own DNS server combined with the VPN would make you stand out amongst the crowd, because now your DNS queries are coming from said DNS server instead of from the VPN (websites like https://dnsleaktest.com can check for this)
3. Without a VPN, your ISP would also know which website you visit by tracking the SNI header anyways. There is a new protocol called Encrypted Client Hello which may reduce this, but it's not implemented widely and still doesn't protect against IP-guessing. So DoH is better seen as an anti-tampering approach

If you still would like to create your internet community and host such an auth-protected DNS server, I think it's fine as long as you and your members understand these things and their implications. Furthermore there are already services like NextDNS doing this. Lastly if you want to be your own Certificate Authority you'd also have to find a way to safely install those certs on your community members' devices.

For 2. and 3., I'm finding a way to self-host multiple Technitium instances on different commercial VPN "endpoints" (using Tailscale exit nodes + WireGuard). The setup should be able to sync blocklists and Technitium configs via the clustering feature, so it's safe to say version 14 comes out like a blessing. While the use case is simply just for a personal network, I'd hope to share a post about it when I'm ready. Only need to wait for next updates that adds support for custom node IPs in order to get it working.

[DumboJetEngine]

@stratself Thanks a lot for all the info on available tools and services!
I was not aware of most of these tools.

I am aware of possible delays and performace issues with what I envision to achieve.
Also, about the issues with manually installing certificates of trusted authorities, securing root certificates, etc.

For VPNs, it kinda goes against my desire to get rid of untrusted dependencies and paid services, so I think I will avoid this route.

Also, you are right about SNI leaking information anyways, but I am hoping some good solution will present itself sooner or later (I was not aware of Encrypted Client Hello either).
I guess that a solution would be to have everything as onion services, but then you have other issues and limitations...

In any case, I would be happy getting some "small wins".
I don't plan on creating a full-blown parallel internet.
But if I manage to do that, why not... 😁