Re: DoH plugin for BIND

2020-04-29 Thread Evan Hunt
On Wed, Apr 29, 2020 at 08:06:20PM +0200, Michael De Roover wrote:
> On that subject, how about DoT? I have mixed feelings about using 443 as a
> kitchen sink port but encrypting DNS seems like a good idea.

Native support by the end of the year, same as DoH. Also, there's a
sample configuration for an nginx proxy in the BIND source tree under
contrib/dnspriv that you can use now, if you wish.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Michael De Roover  wrote:

> On that subject, how about DoT?

DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:

http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48

Note that if you enable DoT on port 853 on your normal DNS resolvers then
Android devices will use it automatically. (I get a lot more DoT traffic
than DoH traffic!) So it's worth tuning timeouts to control the number of
concurrent TLS and TCP sessions on your server. Android's DoT client is
very well-behaved so the server-side configuration knobs work nicely. Use
BIND 9.11 or newer so you can support concurrent queries on one
connection. As well as the nginx timeouts you can see at the link above,
my named.conf has:

tcp-clients 1234;
tcp-idle-timeout 50; # 5 seconds
tcp-initial-timeout 25; # 2.5s minimum permitted
tcp-keepalive-timeout 50; # 5 seconds
tcp-advertised-timeout 50; # 5 seconds

The timeouts are short because they don't need to allow for much slowness
on our metropolitan-area fibre network. 5 seconds is based on my rough
eyeball assessment of when typical DoT connections are unlikely to be
re-used. The number of TCP clients is a guess.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
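As an added example (not code from the thread or from doh101), a small Python probe for a DoT listener you operate yourself: it builds a query, applies the 2-byte length framing that DoT inherits from DNS over TCP, reads the reply, and then sits idle to measure when the server closes the session, which is the behaviour the idle-timeout settings above govern. The hostname passed to probe() is a placeholder; the framing helpers run offline.

```python
"""DoT probe (RFC 7858): DNS over TLS on 853 is DNS-over-TCP framing inside TLS.
Added example, not code from the thread or from doh101. probe() needs network
access to a DoT listener you operate (host is a placeholder); the rest runs offline.
"""
import socket
import ssl
import struct
import time

def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query: 12-byte header with RD set, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """TCP and TLS transports prefix each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Return (id, rcode, ancount); rcode 0 is NOERROR, 3 is NXDOMAIN."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags & 0x000F, ancount

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def probe(host, port=853, name="example.com.", hold=10.0):
    """Send one query, then sit idle to measure how long the server keeps the session."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(frame(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        qid, rcode, ancount = parse_header(_recv_exact(tls, length))
        t0 = time.monotonic()
        tls.settimeout(hold)
        try:
            idle_close = time.monotonic() - t0 if tls.recv(1) == b"" else None
        except socket.timeout:
            idle_close = None  # still open after `hold` seconds
    return {"id": qid, "rcode": rcode, "ancount": ancount, "idle_close_s": idle_close}
```

Run probe() with hold set a little above your configured idle timeout: idle_close_s near that value confirms the proxy and named are dropping idle sessions as intended, None means something in the path keeps them open longer.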


Re: DoH plugin for BIND

2020-04-29 Thread Victoria Risk


> On Apr 29, 2020, at 11:06 AM, Michael De Roover  wrote:
> 
> On that subject, how about DoT? I have mixed feelings about using 443 as a 
> kitchen sink port but encrypting DNS seems like a good idea.

We are planning to have DoT on the same timeline as DoH, so nobody has to 
choose one or the other based on availability.

> 
> On 4/29/20 9:40 AM, Evan Hunt wrote:
>>> Does BIND have a DoH plugin official?
>>> Or is there any guide to customize that one?
>> Not yet, but we plan to have a DoH implementation in named by the end of
>> this year.
>> 
>> In the meantime, there are DoH proxies that can run BIND as the back-end.
>> 
> -- 
> Met vriendelijke groet / Best regards,
> Michael De Roover

Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org







Re: DoH plugin for BIND

2020-04-29 Thread Michael De Roover
On that subject, how about DoT? I have mixed feelings about using 443 as 
a kitchen sink port but encrypting DNS seems like a good idea.


On 4/29/20 9:40 AM, Evan Hunt wrote:
>> Does BIND have a DoH plugin official?
>> Or is there any guide to customize that one?
> Not yet, but we plan to have a DoH implementation in named by the end of
> this year.
>
> In the meantime, there are DoH proxies that can run BIND as the back-end.


--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Walter Peng  wrote:
>
> Does BIND have a DoH plugin official?
> Or is there any guide to customize that one?

You'll need to run a DoH proxy in front of BIND, for example
https://dnsdist.org/ - my DoH service uses
https://dotat.at/cgi/git/doh101.git

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fitzroy: West or southwest 6 to gale 8, perhaps severe gale 9 later. Rough or
very rough, occasionally high in north. Rain or thundery showers. Good,
occasionally poor.


Re: How to define a name with an empty RRset?

2020-04-29 Thread Scott Morizot
On Wed, Apr 29, 2020 at 5:23 AM Alessandro Vesely  wrote:

> Hi all,
>
> the doc says each node has a set of resource information, which may be
> empty.
> But how do I create such a node?  If I just write, say:
>
> an-emty-name.example.com.
>

I believe that's a reference to empty non-terminals. If you created, for
instance, an  record for

new-server.an-empty-name.example.com

in the example.com zone and there were no entries specifically for
an-empty-name.example.com, the node an-empty-name.example.com would exist
in DNS, because it's part of the  resource record,
new-server.an-empty-name.example.com, but would have no resource records
associated with it. So a query for any resource record type for the name
an-empty-name.example.com would return a NOERROR response with 0 answers.

HTH,

Scott


Re: How to define a name with an empty RRset?

2020-04-29 Thread Alessandro Vesely
Great!

Thank you Ondrej

Ale

On 29/04/2020 12:26, Ondřej Surý wrote:
> Hi,
> 
> to create an empty non-terminal (ENT) you should do:
> 
> non-empty.an-empty-name.example.com. IN TXT 
> 
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
> 
>> On 29 Apr 2020, at 12:22, Alessandro Vesely  wrote:
>> 
>> Hi all,
>> 
>> the doc says each node has a set of resource information, which may be empty.
>> But how do I create such a node?  If I just write, say:
>> 
>>an-emty-name.example.com.
>> 
>> named-checkzone complains about unexpected end of input.
>> 
>> NULL is not usable in master files.  For the time being, I try:
>> 
>>an-emty-name.example.com. IN RP . .
>> 
>> However, querying ANY reveals that the name is not actually empty.
>> 
>> Is there a specific syntax to create an empty name?
>> 
>> 
>> Best
>> Ale


Re: How to define a name with an empty RRset?

2020-04-29 Thread Ondřej Surý
Hi,

to create an empty non-terminal (ENT) you should do:

non-empty.an-empty-name.example.com. IN TXT 

Ondrej
--
Ondřej Surý
ond...@isc.org

> On 29 Apr 2020, at 12:22, Alessandro Vesely  wrote:
> 
> Hi all,
> 
> the doc says each node has a set of resource information, which may be empty.
> But how do I create such a node?  If I just write, say:
> 
>an-emty-name.example.com.
> 
> named-checkzone complains about unexpected end of input.
> 
> NULL is not usable in master files.  For the time being, I try:
> 
>an-emty-name.example.com. IN RP . .
> 
> However, querying ANY reveals that the name is not actually empty.
> 
> Is there a specific syntax to create an empty name?
> 
> 
> Best
> Ale



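An added example (not code from the thread) that walks through the point made in Scott Morizot's and Ondřej Surý's replies: a name that only exists because something is defined below it is an empty non-terminal, so a query for it returns NOERROR with no answers rather than NXDOMAIN, while Ale's RP placeholder makes the name non-empty. The zone data is constructed for the example.

```python
"""Empty non-terminals (ENTs): why a name with no records answers NOERROR, not NXDOMAIN.
Added example illustrating the replies from Scott Morizot and Ondřej Surý above; not
code from the thread. Zone data below is constructed for the example.
"""
ORIGIN = "example.com."

def parse_zone(text):
    """Tiny master-file reader: 'owner IN TYPE rdata' lines -> {owner: {type: [rdata]}}."""
    rrs = {}
    for line in text.strip().splitlines():
        owner, _cls, rtype, rdata = line.split(None, 3)
        rrs.setdefault(owner.lower(), {}).setdefault(rtype.upper(), []).append(rdata)
    return rrs

def existing_names(rrs, origin=ORIGIN):
    """Every owner plus each ancestor up to the origin exists as a node, even with
    no RRs of its own; those record-less ancestors are the empty non-terminals."""
    names = {origin}
    for owner in rrs:
        while owner != origin and owner.endswith("." + origin):
            names.add(owner)
            owner = owner.split(".", 1)[1]
    return names

def answer(rrs, qname, qtype, origin=ORIGIN):
    """(rcode, answer count) as an authoritative server would reply."""
    qname = qname.lower()
    if qname not in existing_names(rrs, origin):
        return "NXDOMAIN", 0          # the node does not exist at all
    node = rrs.get(qname, {})         # exists, possibly with no RRsets: NODATA
    if qtype == "ANY":
        return "NOERROR", sum(len(v) for v in node.values())
    return "NOERROR", len(node.get(qtype.upper(), []))

# Ondřej's approach: a record *below* an-empty-name makes that name exist with no
# records of its own.
ZONE_ENT = """
example.com. IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
non-empty.an-empty-name.example.com. IN TXT "creates the ENT above"
"""
# Ale's RP placeholder from the original question: the name is no longer empty.
ZONE_RP = """
example.com. IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
an-empty-name.example.com. IN RP . .
"""

def compare(qname="an-empty-name.example.com."):
    """Same ANY query against both zones: ENT gives 0 answers, RP gives 1."""
    return answer(parse_zone(ZONE_ENT), qname, "ANY"), answer(parse_zone(ZONE_RP), qname, "ANY")
```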


How to define a name with an empty RRset?

2020-04-29 Thread Alessandro Vesely
Hi all,

the doc says each node has a set of resource information, which may be empty.
But how do I create such a node?  If I just write, say:

an-emty-name.example.com.

named-checkzone complains about unexpected end of input.

NULL is not usable in master files.  For the time being, I try:

an-emty-name.example.com. IN RP . .

However, querying ANY reveals that the name is not actually empty.

Is there a specific syntax to create an empty name?


Best
Ale


Re: DoH plugin for BIND

2020-04-29 Thread Evan Hunt
> Does BIND have a DoH plugin official?
> Or is there any guide to customize that one?

Not yet, but we plan to have a DoH implementation in named by the end of
this year.

In the meantime, there are DoH proxies that can run BIND as the back-end.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.