Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.protocols.dns.bind > #15716
| Path | csiph.com!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Chuck Aurora <ca@nodns4.us> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: DoH plugin for BIND |
| Date | Sat, 02 May 2020 14:31:28 -0500 |
| Lines | 52 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.340.1588447885.942.bind-users@lists.isc.org> (permalink) |
| References | <20200502165717.E5F0F18A2F4E@ary.qy> <alpine.LNX.2.22.419.2005022019290.17860@desk.ddns.eckner.net> <d43c05c60b4a5284db47efa2c1247564@nodns4.us> |
| Reply-To | bind-users@lists.isc.org |
| NNTP-Posting-Host | lists.isc.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=US-ASCII; format=flowed |
| Content-Transfer-Encoding | 7bit |
| X-Trace | usenet.stanford.edu 1588447898 6311 149.20.1.60 (2 May 2020 19:31:38 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| To | bind-users@lists.isc.org |
| Return-Path | <ca@nodns4.us> |
| X-Original-To | bind-users@lists.isc.org |
| Delivered-To | bind-users@lists.isc.org |
| Mail-Reply-To | bind-users@lists.isc.org |
| Mail-Followup-To | bind-users@lists.isc.org |
| In-Reply-To | <alpine.LNX.2.22.419.2005022019290.17860@desk.ddns.eckner.net> |
| X-Sender | ca@nodns4.us |
| User-Agent | Roundcube Webmail/1.2.5 |
| X-Spam-Status | No, score=-1.5 required=5.0 tests=KAM_INFOUSMEBIZ, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=disabled version=3.4.2 |
| X-Spam-Checker-Version | SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org |
| X-BeenThere | bind-users@lists.isc.org |
| X-Mailman-Version | 2.1.29 |
| Precedence | list |
| List-Id | BIND Users Mailing List <bind-users.lists.isc.org> |
| List-Unsubscribe | <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe> |
| List-Archive | <https://lists.isc.org/pipermail/bind-users/> |
| List-Post | <mailto:bind-users@lists.isc.org> |
| List-Help | <mailto:bind-users-request@lists.isc.org?subject=help> |
| List-Subscribe | <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <d43c05c60b4a5284db47efa2c1247564@nodns4.us> |
| X-Mailman-Original-References | <20200502165717.E5F0F18A2F4E@ary.qy> <alpine.LNX.2.22.419.2005022019290.17860@desk.ddns.eckner.net> |
| Xref | csiph.com comp.protocols.dns.bind:15716 |
Show key headers only | View raw
On 2020-05-02 13:23, Erich Eckner wrote: > Will there be client-side DoT/DoH support in bind, too? E.g. will my > recursive (or forwarding) resolver be able to resolve upstream dns via Well, a recursive resolver cannot use DoT/DoH for iterative queries to authoritative NS servers, unless authoritative servers offered DoT/DoH, and I don't think that's likely to happen. Basically by deciding you want DoH/DoT upstream, you also have decided that you want to use forwarders. I can't speak for ISC about their DoT/DoH intentions, but I would expect they'll do it both as server and as client (of a forwarder.) Note that DoT/DoH typically only encrypts the enduser-to-resolver hop, beyond which it's just standard unencrypted DNS. Of course named as DoT/DoH client could encrypt the hop to a forwarder, but again, just standard DNS is used beyond that point. > those? I don't see, how I could use a reverse proxy or stunnel to > achieve this, currently (assuming, the authoritative dns server > supports DoT and/or DoH, of course), If this is so, there's still, to my knowledge, no protocol for it. How would a nameserver know which NS hosts to send DoH/DoT queries to? DNS needs to be fast, and DoH/DoT upstream could create very significant lag. > because I would need one stunnel > per upstream dns server which I do not know in advance - right? Right. I guess the DoH/DoT thing came about as a means of dealing with (or bypassing) nosy and greedy and dishonest ISPs. But then you're giving all your queries to an upstream forwarder. Are you sure they are more trustworthy? :) What I wonder, at the possible cost of thread hijacking (sorry!) is, are any ISPs actively sniffing their customers iterative queries? It certainly is possible, but I expect it would be too much work. I do know that an ISP of which I was formerly (!) a customer would sometimes redirect my DNS traffic to their own recursive resolvers. Since I was running my own nameserver all I could get during those times were tons of "lame server" logs and DNSSEC failures. If this is the case for you, I'd suggest doing as I did: vote with your feet; give your money to a better ISP. If your home/office network is secure from hostile users which can sniff traffic, DoH/DoT offers you nothing at all on that hop.
Back to comp.protocols.dns.bind | Previous | Next | Find similar | Unroll thread
Re: DoH plugin for BIND Chuck Aurora <ca@nodns4.us> - 2020-05-02 14:31 -0500
csiph-web