Re: DoH plugin for BIND

From "Browne, Stuart" <Stuart.Browne@team.neustar>
Newsgroups comp.protocols.dns.bind
Subject Re: DoH plugin for BIND
Date Tue, 5 May 2020 23:29:17 +0000


On 6/5/20, 02:21, "bind-users on behalf of Chuck Aurora" <bind-users-bounces@lists.isc.org on behalf of ca@nodns4.us> wrote:

    On 2020-05-02 14:35, Reindl Harald wrote:
    > Am 02.05.20 um 21:31 schrieb Chuck Aurora:
    >> On 2020-05-02 13:23, Erich Eckner wrote:
    >>> Will there be client-side DoT/DoH support in bind, too? E.g. will my
    >>> recursive (or forwarding) resolver be able to resolve upstream dns via
    >> 
    >> Well, a recursive resolver cannot use DoT/DoH for iterative queries to
    >> authoritative NS servers, unless authoritative servers offered DoT/DoH,
    >> and I don't think that's likely to happen.
    >> 
    >> Basically by deciding you want DoH/DoT upstream, you also have decided
    >> that you want to use forwarders.
    > 
    > says who?
    > 
    > https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians

    Thanks for the reply, but FWIW, I don't have a clue what point you
    intended to make?  I looked at that CIRA page twice, and it is simply
    a DoH/DoT forwarder.  Absolutely nothing in that release mentions any
    change in DNS protocol.

    DoH/DoT covers only one hop: the end user to the recursive resolver.
    Beyond that one hop is good old-fashioned unencrypted DNS.  By using
    DoH/DoT, whether in your own stub resolver or in a [future] BIND, you
    are using that DoH/DoT server as your forwarder.

From all the reading I've done, DoT/DoH is about each individual hop. You control your hop. Beyond you, it's anonymized anyway as a batch/bunch of requests from a recursing resolver. The CIRA service is just inserting themselves as the recursing resolver (even if they implement that via an "app").

SMTP encryption is the same. You can control your hop; what anybody beyond you does is out of your control.

Stuart
