DNSPod's GM DoH: China's First DNS over HTTPS with National Cryptographic Algorithms
DNSPod's GM DoH, described here as the first Chinese DNS-over-HTTPS service to use the national SM2 algorithm and SM2 certificates, adapts the key-exchange part of the TLS handshake: the client encrypts the pre-master secret to the SM2 public key in the server's certificate instead of to an RSA or ECDHE key. The article presents this as filling a gap in China's domestically controlled secure networking products.
This article introduces DNSPod's innovative GM DoH (DNS over HTTPS with Chinese National Cryptographic Algorithms), which represents a significant advancement in China's network security infrastructure.
Background and Evolution: DNSPod, created in 2005, originally solved the cross-ISP access speed issues in China's "South Telecom, North Unicom" era by automatically routing users to their corresponding ISP servers. Today, DNSPod has grown into a massive DNS service handling over 1.6 trillion daily resolutions, evolving from a simple domain resolution product to a comprehensive DNS solution provider.
Technical Foundation of DoH: DoH (DNS over HTTPS) carries DNS messages inside HTTPS, so its confidentiality and integrity come entirely from TLS. TLS authenticates the server with a certificate, negotiates a symmetric "session key" during the handshake, and then protects every record with that key. The handshake relies on public-key cryptography: the client obtains the server's certificate, verifies it against a trusted CA, and uses the public key it contains to establish the session key; the identity of the algorithm behind that public key (RSA, ECDSA/ECDHE, or SM2) is what distinguishes a conventional TLS deployment from a GM one.
GM DoH Implementation: DNSPod's GM DoH replaces the key-negotiation messages of the handshake with SM2-based ones. During the handshake the nodes use SM2 cryptographic components and SM2 digital certificates, and the flow is:
1) The client sends ClientHello and requests the server's certificate.
2) The server returns its SM2 certificate, which carries an SM2 public key.
3) The client verifies the server certificate (the chain must end in a trusted SM2 CA, so a client whose trust store or TLS stack lacks SM2 support cannot complete this step), then encrypts the pre-master secret with the server's SM2 public key and sends it as the key exchange.
4) Both sides derive the session key from the pre-master secret, and all subsequent data is transmitted under the negotiated key.
Key Differences from Traditional TLS: The main differences are that SM2 certificates replace RSA/ECDSA certificates, that the pre-master secret is encrypted with the server's SM2 public key (SM2 public-key encryption rather than an RSA or ECDHE exchange), and that the data the client signs incorporates a hash value computed over the public key of the server's SM2 certificate. One property a practitioner should keep in mind: because the pre-master secret is encrypted to the server's long-term encryption key rather than to an ephemeral key, this exchange does not provide forward secrecy; compromise of that private key exposes previously recorded sessions.
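To make the SM2 key exchange in the implementation steps and the differences listed above concrete, the following is an added example written for this edit; it is not code from DNSPod, Tencent Cloud or the original article. It implements SM3, the SM2 recommended curve and SM2 public-key encryption in pure Python, then uses them the way the client's key exchange does: a freshly generated SM2 key pair stands in for the key in the server's SM2 certificate (certificate parsing and chain validation are not modelled), and the 48-byte pre-master secret is a constructed random value. All function names are this example's own.

```python
# Added example: SM3, the SM2 curve and SM2 public-key encryption in pure Python,
# used to model the ClientKeyExchange step of the SM2 handshake described above.
# Study code only (not constant-time). Needs Python 3.8+ for pow(x, -1, p).
import hmac, secrets, struct

# --- SM3 hash (GM/T 0004) ------------------------------------------------
_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sm3(msg: bytes) -> bytes:
    bitlen = len(msg) * 8  # pad to 56 mod 64, then 64-bit big-endian bit length
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bitlen)
    v = _IV[:]
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):  # message expansion, P1(x) = x ^ x<<<15 ^ x<<<23
            x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
            w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        w1 = [w[j] ^ w[j + 4] for j in range(64)]
        a, b, c, d, e, f, g, h = v
        for j in range(64):
            if j < 16:
                t, ff, gg = 0x79CC4519, a ^ b ^ c, e ^ f ^ g
            else:
                t, ff, gg = 0x7A879D8A, (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j % 32)) & 0xFFFFFFFF, 7)
            tt1 = (ff + d + (ss1 ^ _rotl(a, 12)) + w1[j]) & 0xFFFFFFFF
            tt2 = (gg + h + ss1 + w[j]) & 0xFFFFFFFF
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g  # E = P0(TT2)
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)

# --- SM2 recommended curve (GM/T 0003.5), affine arithmetic ---------------
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):  # None stands for the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k: int, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sm2_keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

# --- SM2 public-key encryption (GM/T 0003.4), output C1 || C3 || C2 ------
def _kdf(z: bytes, klen: int) -> bytes:
    out, ct = b"", 1
    while len(out) < klen:
        out, ct = out + sm3(z + struct.pack(">I", ct)), ct + 1
    return out[:klen]

def sm2_encrypt(pub, msg: bytes) -> bytes:
    while True:
        k = secrets.randbelow(N - 1) + 1
        x1, y1 = ec_mul(k, G)                       # C1 = [k]G, sent in the clear
        x2, y2 = ec_mul(k, pub)                     # shared point [k]P_B
        z = x2.to_bytes(32, "big") + y2.to_bytes(32, "big")
        t = _kdf(z, len(msg))
        if any(t): break                            # spec: retry if t is all zero
    c2 = bytes(m ^ u for m, u in zip(msg, t))
    c3 = sm3(z[:32] + msg + z[32:])                 # integrity tag over x2 || M || y2
    return b"\x04" + x1.to_bytes(32, "big") + y1.to_bytes(32, "big") + c3 + c2

def sm2_decrypt(priv: int, ct: bytes) -> bytes:
    c1 = (int.from_bytes(ct[1:33], "big"), int.from_bytes(ct[33:65], "big"))
    if len(ct) < 97 or ct[0] != 0x04 or not on_curve(c1):  # reject malformed or invalid-curve C1
        raise ValueError("malformed C1")
    c3, c2 = ct[65:97], ct[97:]
    x2, y2 = ec_mul(priv, c1)
    z = x2.to_bytes(32, "big") + y2.to_bytes(32, "big")
    msg = bytes(c ^ u for c, u in zip(c2, _kdf(z, len(c2))))
    if not hmac.compare_digest(c3, sm3(z[:32] + msg + z[32:])):
        raise ValueError("C3 mismatch: tampered ciphertext or wrong key")
    return msg

# --- ClientKeyExchange: encrypt the pre-master secret to the server's key --
def handshake_demo():  # returns (server recovered the secret, tampering was detected)
    server_priv, server_pub = sm2_keygen()          # in GM TLS: key of the SM2 encryption cert
    pms = secrets.token_bytes(48)                   # 48-byte pre_master_secret (constructed)
    cke = sm2_encrypt(server_pub, pms)              # payload the client sends
    recovered = sm2_decrypt(server_priv, cke)
    tampered = bytearray(cke); tampered[-1] ^= 0x01 # flip one bit of C2 in transit
    try: sm2_decrypt(server_priv, bytes(tampered)); detected = False
    except ValueError: detected = True
    return recovered == pms, detected
```

Two details matter in practice: the receiver checks that C1 lies on the curve before multiplying by its private key (rejecting invalid-curve inputs), and the C3 tag binds the plaintext to the shared point, so any modification of the encrypted pre-master secret is rejected rather than silently yielding a different session key. The ciphertext is laid out C1 || C3 || C2 (the older GM/T 0003 text used C1 || C2 || C3; implementations must agree on the order). Production stacks use a native library such as OpenSSL 1.1.1+ with SM2/SM3 support rather than arithmetic like this.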
Significance: As the first DoH product in China to support the national cryptographic algorithms, GM DoH fills a technology and product gap in China's domestically controlled secure products. The article frames it not only as a commercial product but as a contribution to national network security infrastructure.
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.