Path: csiph.com!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail From: Chuck Aurora Newsgroups: comp.protocols.dns.bind Subject: Re: DoH plugin for BIND Date: Sat, 02 May 2020 14:31:28 -0500 Lines: 52 Approved: bind-users@lists.isc.org Message-ID: References: <20200502165717.E5F0F18A2F4E@ary.qy> Reply-To: bind-users@lists.isc.org NNTP-Posting-Host: lists.isc.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Trace: usenet.stanford.edu 1588447898 6311 149.20.1.60 (2 May 2020 19:31:38 GMT) X-Complaints-To: action@cs.stanford.edu To: bind-users@lists.isc.org Return-Path: X-Original-To: bind-users@lists.isc.org Delivered-To: bind-users@lists.isc.org Mail-Reply-To: bind-users@lists.isc.org Mail-Followup-To: bind-users@lists.isc.org In-Reply-To: X-Sender: ca@nodns4.us User-Agent: Roundcube Webmail/1.2.5 X-Spam-Status: No, score=-1.5 required=5.0 tests=KAM_INFOUSMEBIZ, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org X-BeenThere: bind-users@lists.isc.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: BIND Users Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Mailman-Original-Message-ID: X-Mailman-Original-References: <20200502165717.E5F0F18A2F4E@ary.qy> Xref: csiph.com comp.protocols.dns.bind:15716 On 2020-05-02 13:23, Erich Eckner wrote: > Will there be client-side DoT/DoH support in bind, too? E.g. will my > recursive (or forwarding) resolver be able to resolve upstream dns via Well, a recursive resolver cannot use DoT/DoH for iterative queries to authoritative NS servers, unless authoritative servers offered DoT/DoH, and I don't think that's likely to happen. Basically by deciding you want DoH/DoT upstream, you also have decided that you want to use forwarders. I can't speak for ISC about their DoT/DoH intentions, but I would expect they'll do it both as server and as client (of a forwarder.) Note that DoT/DoH typically only encrypts the enduser-to-resolver hop, beyond which it's just standard unencrypted DNS. Of course named as DoT/DoH client could encrypt the hop to a forwarder, but again, just standard DNS is used beyond that point. > those? I don't see, how I could use a reverse proxy or stunnel to > achieve this, currently (assuming, the authoritative dns server > supports DoT and/or DoH, of course), If this is so, there's still, to my knowledge, no protocol for it. How would a nameserver know which NS hosts to send DoH/DoT queries to? DNS needs to be fast, and DoH/DoT upstream could create very significant lag. > because I would need one stunnel > per upstream dns server which I do not know in advance - right? Right. I guess the DoH/DoT thing came about as a means of dealing with (or bypassing) nosy and greedy and dishonest ISPs. But then you're giving all your queries to an upstream forwarder. Are you sure they are more trustworthy? :) What I wonder, at the possible cost of thread hijacking (sorry!) is, are any ISPs actively sniffing their customers iterative queries? It certainly is possible, but I expect it would be too much work. I do know that an ISP of which I was formerly (!) a customer would sometimes redirect my DNS traffic to their own recursive resolvers. Since I was running my own nameserver all I could get during those times were tons of "lame server" logs and DNSSEC failures. If this is the case for you, I'd suggest doing as I did: vote with your feet; give your money to a better ISP. If your home/office network is secure from hostile users which can sniff traffic, DoH/DoT offers you nothing at all on that hop.