


Re: DoH plugin for BIND

Started by Chuck Aurora <ca@nodns4.us>
First post 2020-05-02 14:31 -0500
Last post 2020-05-02 14:31 -0500
Articles 1 — 1 participant


This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.



#15716 — Re: DoH plugin for BIND

From: Chuck Aurora <ca@nodns4.us>
Date: 2020-05-02 14:31 -0500
Subject: Re: DoH plugin for BIND
Message-ID: <mailman.340.1588447885.942.bind-users@lists.isc.org>
On 2020-05-02 13:23, Erich Eckner wrote:
> Will there be client-side DoT/DoH support in bind, too? E.g. will my
> recursive (or forwarding) resolver be able to resolve upstream dns via

Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered DoT/DoH,
and I don't think that's likely to happen.

Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.

I can't speak for ISC about their DoT/DoH intentions, but I would
expect they'll do it both as server and as client (of a forwarder.)

Note that DoT/DoH typically only encrypts the enduser-to-resolver hop,
beyond which it's just standard unencrypted DNS.  Of course named as
DoT/DoH client could encrypt the hop to a forwarder, but again, just
standard DNS is used beyond that point.

> those? I don't see how I could use a reverse proxy or stunnel to
> achieve this currently (assuming the authoritative DNS server
> supports DoT and/or DoH, of course),

If this is so, there's still, to my knowledge, no protocol for it.
How would a nameserver know which NS hosts to send DoH/DoT queries
to?  DNS needs to be fast, and DoH/DoT upstream could create very
significant lag.

> because I would need one stunnel
> per upstream dns server which I do not know in advance - right?

Right.

I guess the DoH/DoT thing came about as a means of dealing with (or
bypassing) nosy and greedy and dishonest ISPs.  But then you're giving
all your queries to an upstream forwarder.  Are you sure they are
more trustworthy? :)

What I wonder, at the possible cost of thread hijacking (sorry!), is:
are any ISPs actively sniffing their customers' iterative queries?  It
certainly is possible, but I expect it would be too much work.

I do know that an ISP of which I was formerly (!) a customer would
sometimes redirect my DNS traffic to their own recursive resolvers.
Since I was running my own nameserver all I could get during those
times were tons of "lame server" logs and DNSSEC failures.

If this is the case for you, I'd suggest doing as I did: vote with
your feet; give your money to a better ISP.

If your home/office network is secure from hostile users who can
sniff traffic, DoH/DoT offers you nothing at all on that hop.
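The thread turns on two facts: a DoT or DoH session carries an ordinary DNS wire message (which is why stunnel works for one fixed upstream but not for authoritative servers discovered at query time), and the resolver's own iterative queries leave it as the same message, unencrypted, over UDP. The following is an added example, not code from the thread or from BIND; it builds a query the way a stub would (RFC 1035), wraps it in the two-byte TCP length prefix that DoT reuses (RFC 7858), encodes it as an RFC 8484 DoH GET path, and builds the RD=0 query a recursive resolver would send upstream. All names and values are constructed for illustration, and nothing is sent on the network.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal DNS query message in RFC 1035 wire format.

    A stub sets RD=1 (it wants recursion); a recursive resolver asking an
    authoritative server sets RD=0 (an iterative query).  No EDNS is added,
    to keep the message small and easy to inspect.
    """
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def udp_datagram(msg: bytes) -> bytes:
    """Plain DNS over UDP: the message is the datagram payload, nothing more.
    This is what the resolver sends to authoritative servers regardless of
    how the client reached the resolver."""
    return msg


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858) carries DNS-over-TCP framing (RFC 1035 section 4.2.2)
    inside TLS: a two-byte big-endian length followed by the message.  This
    is exactly the byte stream stunnel would wrap for one known upstream."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes) -> str:
    """DoH (RFC 8484) GET: the same wire message, base64url without padding,
    as the 'dns' parameter of the /dns-query URI template.  RFC 8484 advises
    a transaction ID of 0 so that identical queries yield cacheable URLs."""
    enc = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + enc


def doh_decode_path(path: str) -> bytes:
    """Server side of the GET form: recover the DNS message from the path,
    restoring the base64 padding that the client was required to strip."""
    prefix = "/dns-query?dns="
    if not path.startswith(prefix):
        raise ValueError("not a DoH GET path")
    enc = path[len(prefix):]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


def iterative_query(name: str, qtype: int = 1, txid: int = 0x5678) -> bytes:
    """What a recursive resolver sends to an authoritative server: the same
    format with RD=0, over plain UDP.  There is no TLS on this hop."""
    return udp_datagram(build_query(name, qtype, txid, rd=False))


if __name__ == "__main__":
    # Constructed example: the stub asks for example.com/A over DoT and DoH.
    stub_q = build_query("example.com", txid=0)
    print("DoT frame   :", dot_frame(stub_q).hex())
    print("DoH GET path:", doh_get_path(stub_q))
    print("upstream UDP:", iterative_query("example.com").hex())
```

The DoT frame is the only part a TLS wrapper such as stunnel ever touches; it cannot tell the resolver which server to connect to, which is why a per-upstream tunnel only works for a forwarder known in advance.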
