Testing 0-RTT for DoH/3

[LeonardWalter]

I want to test the 0-RTT capabilities of the client but in my traffic captures I never see any 0-RTT packets sent out from the client.
My server is a very basic caddy file server and reverse-proxy setup to a Routedns cleartext DNS over HTTP listener.
I'm using the latest caddy version that supports 0-RTT and can see 0-RTT traffic when I connect via Chromium. But not when using the dohclient.

Are there any public DoQ / DoH servers that support 0-RTT and work with this client?

[LeonardWalter]

Hi,
I spent some more time testing this and found these instructions for quic-go here on how to enable 0-RTT: https://quic-go.net/docs/http3/client/#using-0-rtt

The TLS session cache was missing.
I opened PR #387, but I did not implement a toggle for 0-RTT. Now it is the default behavior when QUIC/H3 is used, which might be a security concern for some people.
I made some changes to the client code and now 0RTT also works with my caddy server. I was able to confirm it with Wireshark captures.

The following screenshot shows the Wireshark flow graph captured from my caddy reverse proxy. I am capturing traffic from the public and loopback interface.
The traffic was triggered by the routedns dohclient. The graph shows how the DNS query is forwarded to the local DoH resolver after the first QUIC messages.

[folbricht]

Thanks for looking into this and providing a fix. I do think we may want a toggle in config to turn it on rather than defaulting to it given the potential risks. Most people likely want to turn it on anyway but perhaps not everyone.

[cbuijs]

My 2 cents: I tend to think making it default is okay, running it now close to 24 hours straight without any issues. The whole point of quic was/is 0-rtt? But having a configuration-switch would be cool anyway.

[cbuijs]

BTW, just wondering if the "listeners" need something as well?

[LeonardWalter]

Yes, both listeners are missing support for 0-RTT at the moment.
Also, the DoQ client is still not using 0-RTT, it should use some version of DialEarly. (https://quic-go.net/docs/quic/client/#0-rtt)

[LeonardWalter]

Just added a new commit to the PR that adds the toggle.
I also updated the examples to include Use0RTT.

Some hours ago I changed the DoQ client to use DialEarly.
I tested both the DoQ client and DoH/3 client with a server that allows 0RTT and can confirm that 0RTT is used for reopening connections.

[cbuijs]

Is it me, it seems that that the documentation says to use enable-0rtt = true in the config, but is should be Use0RTT = true?

Documentation examples also use both, in the code it seems to be Use0RTT though.

Seems inconsitent? Both are accepted in the config, but I cannot see the difference when used.

See here in documentation:

routedns/cmd/routedns/example-config/doq-client.toml

Line 10 in 77da034

enable-0rtt = true

routedns/cmd/routedns/example-config/doh-quic-client.toml

Line 3 in 77da034

# Use0RTT will overwrite the method to GET.

Code:

routedns/cmd/routedns/resolver.go

Line 28 in 77da034

Use0RTT: r.Use0RTT,

[folbricht]

It's definitely enable-0rtt in all configs, Use0RTT is the internal name used in code only. The critical bit is

routedns/cmd/routedns/config.go

Line 62 in 77da034

Use0RTT bool `toml:"enable-0rtt"`

which maps from one to the other.

One of the comments was wrong though and I just fixed that in #400

[LeonardWalter]

Hey, I had some time to further test 0-RTT with the DoH and DoQ listeners. I was able to get them both working with 62d4c81 and 7dceef5 in PR #414
For DoH it only required Allow0RTT: True in the QUIC config.

For DoQ I switched to an EarlyListener and also removed the 2 second context.WithTimeout. I did not really understand why this was there, as it causes an abrupt termination to the entire quic connection. This can also be seen from the client that outputs an error message when trying to resolve a new query:

DEBU[13389] temporary fail when trying to open stream, attempting new connection endpoint="myserver.org:8853" error="Application error 0x0 (remote)" protocol=doq

These changes add support for 0RTT to both DoH and DoQ listeners. I did not make it configurable as it is already configurable for the client.