
Re: DoH plugin for BIND

From: Tony Finch <dot@dotat.at>
Newsgroups: comp.protocols.dns.bind
Subject: Re: DoH plugin for BIND
Date: 2020-04-29 21:19 +0100
Message-ID: <mailman.318.1588191549.942.bind-users@lists.isc.org>
References: <85af55bb-1b23-b847-3de9-ffb198bc9fb9@web.de> <20200429074035.GA91269@isc.org> <d08a148f-18f6-1972-1064-2f878b79bee2@nixmagic.com> <alpine.DEB.2.20.2004292100400.16665@grey.csi.cam.ac.uk>



Michael De Roover <isc@nixmagic.com> wrote:

> On that subject, how about DoT?

DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:

http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48

Note that if you enable DoT on port 853 on your normal DNS resolvers then
Android devices will use it automatically. (I get a lot more DoT traffic
than DoH traffic!) So it's worth tuning timeouts to control the number of
concurrent TLS and TCP sessions on your server. Android's DoT client is
very well-behaved so the server-side configuration knobs work nicely. Use
BIND 9.11 or newer so you can support concurrent queries on one
connection. As well as the nginx timeouts you can see at the link above,
my named.conf has:

	tcp-clients 1234;
	tcp-idle-timeout 50; # 5 seconds
	tcp-initial-timeout 25; # 2.5s minimum permitted
	tcp-keepalive-timeout 50; # 5 seconds
	tcp-advertised-timeout 50; # 5 seconds

The timeouts are short because they don't need to allow for much slowness
on our metropolitan-area fibre network. 5 seconds is based on my rough
eyeball assessment of when typical DoT connections are unlikely to be
re-used. The number of TCP clients is a guess.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
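As an added illustration of the setup Tony describes (this is not his nginx.conf from the doh101 link, just an example written for this page): a minimal nginx "stream" configuration that terminates DoT on port 853 and hands the plain DNS-over-TCP stream to named, with the proxy-side timeouts kept as short as the named.conf values in the post. Certificate paths, the upstream address and the exact timeout values are assumptions.

```nginx
# Added example, not the doh101 project's own nginx.conf.
# nginx terminates TLS for DNS-over-TLS (RFC 7858, port 853) and forwards
# the raw DNS-over-TCP byte stream to a BIND resolver on 127.0.0.1:53.
events {
    worker_connections 4096;   # upper bound on concurrent client+upstream sockets
}

stream {
    upstream dns_tcp {
        server 127.0.0.1:53;   # named, with the tcp-clients/tcp-*-timeout values above (assumption)
    }

    server {
        listen 853 ssl;        # DoT port; Android Private DNS will find it automatically
        listen [::]:853 ssl;

        ssl_certificate     /etc/ssl/certs/resolver.example.pem;    # assumption
        ssl_certificate_key /etc/ssl/private/resolver.example.key;  # assumption
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Session resumption keeps frequently reconnecting clients cheap.
        ssl_session_cache   shared:DoT:10m;
        ssl_session_timeout 1h;

        # Short timeouts are what bound the number of concurrent TLS/TCP
        # sessions: abandon stalled handshakes quickly, and close a session
        # after 5s without traffic, matching named's tcp-idle-timeout 50
        # (BIND expresses these in tenths of a second).
        ssl_handshake_timeout 5s;
        proxy_connect_timeout 2s;
        proxy_timeout         5s;

        proxy_pass dns_tcp;
    }
}
```

Because TLS is terminated in nginx, named sees every DoT client as 127.0.0.1, so any client-address ACLs, views or per-client rate limits in named.conf apply to the proxy rather than to the real client; keep that in mind when reusing an existing resolver's policy for the proxied port.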
