[anti-censorship-team] Development plan sketch for a DNS pluggable transport

David Fifield david at bamsoftware.com
Thu May 7 06:34:41 UTC 2020


Earlier I posted how to use Tor through my new DNS tunnel.
https://lists.torproject.org/pipermail/anti-censorship-team/2020-April/000080.html
https://www.bamsoftware.com/software/dnstt/#proxy-tor

Here's a sketch of what development tasks would be needed to turn it
into a proper pluggable transport. I estimate it would be about a GSoC's
worth of work, though it's too late to be a GSoC project this year. It
would be a good project for someone who wants experience with the
mechanics of implementing a pluggable transport, using a circumvention
component that's already working.

- Replace command-line interface with managed goptlib interface.
  - Client
      ClientTransportPlugin dns exec dns-client
      Bridge dns 192.0.2.4:1 FINGERPRINT domain=t.example.com doh=https://dns.example/dns-query pubkey=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
  - Server
      ServerTransportOptions dns mtu=1232
      ServerTransportPlugin dns exec ./dns-server
- Make the server generate a keypair on first run, store it in pt_state
  like obfs4proxy.
- Add uTLS to the client to disguise TLS fingerprint.
- Add ExtOrPort support to the server.
  - For USERADDR, choose a distinguished placeholder client address. See
    the last paragraph of
    https://lists.torproject.org/pipermail/metrics-team/2020-March/001142.html
- Bonus: Enhance the bridge configuration panel to enable configuring
  the resolver without kludges like "meek-google" and "meek-amazon".
  - Or ship with a list of resolvers and choose one at random.
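The two items above on keypair generation and the pubkey= Bridge-line argument are the part of this plan a reader can try out in isolation. The following is an added example written for this post, not code from dnstt or from the author: it persists an X25519 keypair in the directory tor hands a managed transport via TOR_PT_STATE_LOCATION (the obfs4proxy pattern the plan refers to) and validates a client's pubkey= value. The file name dns_privkey, the raw 32-byte on-disk format and the hex encoding of pubkey= are assumptions, not dnstt's actual layout; it uses only the Go standard library (crypto/ecdh, Go 1.20+).

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Assumed file name inside the pt_state directory (not dnstt's own layout).
const privkeyFile = "dns_privkey"

// loadOrGenerateKeypair returns the server's long-term X25519 keypair.
// On first run it generates one and writes the raw 32-byte private key under
// stateDir (the directory tor passes in TOR_PT_STATE_LOCATION); later runs
// read the same file back, so the bridge's public key stays stable.
func loadOrGenerateKeypair(stateDir string) (*ecdh.PrivateKey, error) {
	path := filepath.Join(stateDir, privkeyFile)
	if err := os.MkdirAll(stateDir, 0o700); err != nil {
		return nil, err
	}
	raw, err := os.ReadFile(path)
	if err == nil {
		return ecdh.X25519().NewPrivateKey(raw)
	}
	if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// 0600: the private key must not be readable by other local users.
	if err := os.WriteFile(path, priv.Bytes(), 0o600); err != nil {
		return nil, err
	}
	return priv, nil
}

// parsePubkey decodes the pubkey= argument from the Bridge line: 64 hex
// characters encoding a 32-byte X25519 public key (encoding assumed here).
// Anything of the wrong length is rejected before it reaches the handshake.
func parsePubkey(s string) (*ecdh.PublicKey, error) {
	raw, err := hex.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("pubkey: %w", err)
	}
	if len(raw) != 32 {
		return nil, fmt.Errorf("pubkey: want 32 bytes, got %d", len(raw))
	}
	return ecdh.X25519().NewPublicKey(raw)
}

func main() {
	// Under tor this is set by the managed-transport protocol; fall back to
	// a local directory so the program can be run by hand.
	dir := os.Getenv("TOR_PT_STATE_LOCATION")
	if dir == "" {
		dir = "pt_state"
	}
	priv, err := loadOrGenerateKeypair(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "keypair:", err)
		os.Exit(1)
	}
	// This is the value an operator would paste into the client's Bridge line.
	fmt.Println("pubkey=" + hex.EncodeToString(priv.PublicKey().Bytes()))
}
```

Running it twice in the same state directory prints the same pubkey= line; deleting the state file rotates the key, which is why the file, not the process, is the identity of the bridge.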

I don't know whether a DNS transport is deployable by default like other
transports, but it could be a good thing to have in reserve.
