Re: DoH plugin for BIND

Tue, 05 May 2020 16:30:37 -0700 

On 6/5/20, 02:21, "bind-users on behalf of Chuck Aurora" 
<[email protected] on behalf of [email protected]> wrote:

    On 2020-05-02 14:35, Reindl Harald wrote:
    > Am 02.05.20 um 21:31 schrieb Chuck Aurora:
    >> On 2020-05-02 13:23, Erich Eckner wrote:
    >>> Will there be client-side DoT/DoH support in bind, too? E.g. will my
    >>> recursive (or forwarding) resolver be able to resolve upstream dns 
    >>> via
    >> 
    >> Well, a recursive resolver cannot use DoT/DoH for iterative queries to
    >> authoritative NS servers, unless authoritative servers offered 
    >> DoT/DoH,
    >> and I don't think that's likely to happen.
    >> 
    >> Basically by deciding you want DoH/DoT upstream, you also have decided
    >> that you want to use forwarders.
    > 
    > says who?
    > 
    > 
https://urldefense.com/v3/__https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians__;!!N14HnBHF!v42jWsqHVYR66-kDn-I36X0gH8si5RaYdK5EtC2sj_oJv97ch7idccKrJ34oSLUxu9D8ZKU$
 

    Thanks for the reply, but FWIW, I don't have a clue what point you
    intended to make?  I looked at that CIRA page twice, and it is simply
    a DoH/DoT forwarder.  Absolutely nothing in that release mentions any
    change in DNS protocol.

    DoH/DoT covers only one hop: the end user to the recursive resolver.
    Beyond that one hop is good old-fashioned unencrypted DNS.  By using
    DoH/DoT, whether in your own stub resolver or in a [future] BIND, you
    are using that DoH/DoT server as your forwarder.

>From all the reading I've done, DoT/DoH is about each individual hop. You 
>control your hop. Beyond you, it's anonymized anyway as a batch/bunch of 
>requests from a recursing resolver. The CIRA service is just inserting 
>themselves as the recursing resolver (even if they implement that via an 
>"app").

SMTP encryption is the same. You can control your hop; what anybody beyond you 
does is out of your control.

Stuart

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to