On 2020-05-02 13:23, Erich Eckner wrote:
> Will there be client-side DoT/DoH support in bind, too? E.g. will my recursive (or forwarding) resolver be able to resolve upstream dns via
Well, a recursive resolver cannot use DoT/DoH for iterative queries to authoritative NS servers, unless authoritative servers offer DoT/DoH, and I don't think that's likely to happen. Basically by deciding you want DoH/DoT upstream, you also have decided that you want to use forwarders. I can't speak for ISC about their DoT/DoH intentions, but I would expect they'll do it both as server and as client (of a forwarder). Note that DoT/DoH typically only encrypts the end-user-to-resolver hop, beyond which it's just standard unencrypted DNS. Of course named as DoT/DoH client could encrypt the hop to a forwarder, but again, just standard DNS is used beyond that point.
> those? I don't see how I could use a reverse proxy or stunnel to achieve this currently (assuming the authoritative dns server supports DoT and/or DoH, of course),
If this is so, there's still, to my knowledge, no protocol for it. How would a nameserver know which NS hosts to send DoH/DoT queries to? DNS needs to be fast, and DoH/DoT upstream could create very significant lag.
> because I would need one stunnel per upstream dns server which I do not know in advance - right?
Right. I guess the DoH/DoT thing came about as a means of dealing with (or bypassing) nosy and greedy and dishonest ISPs. But then you're giving all your queries to an upstream forwarder. Are you sure they are more trustworthy? :)

What I wonder, at the possible cost of thread hijacking (sorry!) is, are any ISPs actively sniffing their customers' iterative queries? It certainly is possible, but I expect it would be too much work. I do know that an ISP of which I was formerly (!) a customer would sometimes redirect my DNS traffic to their own recursive resolvers. Since I was running my own nameserver, all I could get during those times were tons of "lame server" logs and DNSSEC failures. If this is the case for you, I'd suggest doing as I did: vote with your feet; give your money to a better ISP.

If your home/office network is secure from hostile users who can sniff traffic, DoH/DoT offers you nothing at all on that hop.