Bind and HTTPS?
Is it possible to set up bind to use DOH (DNS over HTTPS) rather than unencrypted DNS lookups? Or in addition to?

--
'An appointment is an engagement to see someone, while a morningstar is a large lump of metal used for viciously crushing skulls. It is important not to confuse the two.'

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind and HTTPS?
@lbutlr wrote:
> Is it possible to set up bind to use DOH (DNS over HTTPS) rather than
> unencrypted DNS lookups? Or in addition to?

To give DoH access to clients you need a proxy such as dnsdist or doh101.

https://dotat.at/cgi/git/doh101.git
https://dnsprivacy.org/wiki/display/DP/Using+dnsdist+for+DoT+and+DoH

Encrypted DNS between resolvers and authoritative servers is still in the process of being standardized.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Southeast Iceland: Easterly or northeasterly, veering southeasterly, 2 to 4, occasionally 5 near Iceland. Slight or moderate. Occasional rain, fog patches. Moderate or good, occasionally very poor.
Re: Bind and HTTPS?
On 11/7/2019 13:39, Tony Finch wrote:
> Encrypted DNS between resolvers and authoritative servers is still in the process of being standardized.

It sounds like too much overhead already. Why would you want something like that? Isn't DNSSEC enough to assure integrity?

Lefteris
Re: Bind and HTTPS?
On 11/7/2019 13:39, Tony Finch wrote:
>> Encrypted DNS between resolvers and authoritative servers is still in the process of being standardized.

On 11.07.19 15:21, Lefteris Tsintjelis via bind-users wrote:
> It sounds like too much overhead already. Why would you want something like that? Isn't DNSSEC enough to assure integrity?

and, how shall we resolve names of those HTTPS servers?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Remember half the people you know are below average.
Re: Bind and HTTPS?
Lefteris Tsintjelis via bind-users wrote:
>
> Why would you want something like that?

https://datatracker.ietf.org/wg/dprive/about/

Tony.
--
f.anthony.n.finch  http://dotat.at/
Great Orme Head to the Mull of Galloway: Southwesterly 3 to 5, veering northwesterly 4 or 5, occasionally 6 later in north. Smooth or slight. Occasional rain or drizzle. Moderate or good, occasionally poor.
Re: Bind and HTTPS?
On 11/7/2019 15:35, Tony Finch wrote:
> Lefteris Tsintjelis via bind-users wrote:
>> Why would you want something like that?
> https://datatracker.ietf.org/wg/dprive/about/

If you are willing to sacrifice speed. DNS responses have a pretty big impact on browsing speed, but I guess anyone choosing privacy through encryption over speed must have a good reason to do so and I am sure already knows that.

Lefteris
Re: Bind and HTTPS?
On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users wrote:
> On 11/7/2019 15:35, Tony Finch wrote:
>> Lefteris Tsintjelis via bind-users wrote:
>>>
>>> Why would you want something like that?
>> https://datatracker.ietf.org/wg/dprive/about/
>
> If you are willing to sacrifice speed.

Not really. Using DOH servers now doesn't have any noticeable impact on speed of DNS.

--
"...and that's not incense"
Re: Bind and HTTPS?
On 11/7/2019 22:56, @lbutlr wrote:
> On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users wrote:
>> On 11/7/2019 15:35, Tony Finch wrote:
>>> Lefteris Tsintjelis via bind-users wrote:
>>>> Why would you want something like that?
>>> https://datatracker.ietf.org/wg/dprive/about/
>>
>> If you are willing to sacrifice speed.
>
> Not really. Using DOH servers now doesn't have any noticeable impact on speed of DNS.

Doesn't the packet size have any impact at all just by itself, excluding packet encryption/decryption times? For me the difference was quite noticeable when I first enabled DNSSEC, especially when I first tested it with SHA256/512. Packets would easily exceed fragmentation limits, and that alone is just by using DNSSEC only! I don't know what the impact of DOH would be on the packet size, but I am pretty sure it would be even worse combined with DNSSEC, would it not?

Lefteris
Re: Bind and HTTPS?
> On 12 Jul 2019, at 8:54 am, Lefteris Tsintjelis via bind-users wrote:
>
> On 11/7/2019 22:56, @lbutlr wrote:
>> On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users wrote:
>>> On 11/7/2019 15:35, Tony Finch wrote:
>>>> Lefteris Tsintjelis via bind-users wrote:
>>>>> Why would you want something like that?
>>>> https://datatracker.ietf.org/wg/dprive/about/
>>>
>>> If you are willing to sacrifice speed.
>> Not really. Using DOH servers now doesn't have any noticeable impact on
>> speed of DNS.
>
> Doesn't the packet size have any impact at all just by itself, excluding
> packet encryption/decryption times? For me the difference was quite
> noticeable when I first enabled DNSSEC, especially when I first tested it with
> SHA256/512. Packets would easily exceed fragmentation limits and that alone
> is just by using DNSSEC only! I don't know what the impact of DOH would be on
> the packet size, but I am pretty sure it would be even worse combined with
> DNSSEC, would it not?

Having fragmented packets doesn't slow down DNS noticeably as long as your firewall allows them through. Having to perform PMTUD does, however, and this applies to both UDP and TCP.

> Lefteris

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
Re: Bind and HTTPS?
On 12/7/2019 2:42, Mark Andrews wrote:
> On 12 Jul 2019, at 8:54 am, Lefteris Tsintjelis via bind-users wrote:
>> On 11/7/2019 22:56, @lbutlr wrote:
>>> On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users wrote:
>>>> On 11/7/2019 15:35, Tony Finch wrote:
>>>>> Lefteris Tsintjelis via bind-users wrote:
>>>>>> Why would you want something like that?
>>>>> https://datatracker.ietf.org/wg/dprive/about/
>>>>
>>>> If you are willing to sacrifice speed.
>>> Not really. Using DOH servers now doesn't have any noticeable impact on speed of DNS.
>>
>> Doesn't the packet size have any impact at all just by itself, excluding packet encryption/decryption times? For me the difference was quite noticeable when I first enabled DNSSEC, especially when I first tested it with SHA256/512. Packets would easily exceed fragmentation limits and that alone is just by using DNSSEC only! I don't know what the impact of DOH would be on the packet size, but I am pretty sure it would be even worse combined with DNSSEC, would it not?
>
> Having fragmented packets doesn't slow down DNS noticeably as long as your firewall allows them through. Having to perform PMTUD does, however, and this applies to both UDP and TCP.

I believe most modern firewalls allow them nowadays and the speeds are pretty huge for such packets, so I guess fragmentation by itself may not be as noticeable, but everything all together adds up, and I mean including DNSSEC and DOH overhead. Yes, PMTUD applies to both of course and this is the biggest delay of all. Perhaps it would help if the default packet size of 4000 changed to a lower value such as 1200-1300 and use ECDSAP256SHA256 as defaults? In any case, for me, changing those two things made quite a noticeable response difference and it was not small.

Lefteris
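The UDP packet size the last few messages argue about (4000 versus 1200-1300) is the payload size advertised in the EDNS0 OPT record, the knob BIND exposes as edns-udp-size. The following is an added example of mine, not code from the thread or from BIND: it builds a query advertising a chosen size, reads the size and DO bit back out of any message, and classifies a response of a given length as a single datagram, a fragmented one, or one truncated to TCP; the 1500-byte path MTU and the IPv4+UDP header overhead of 28 bytes are assumptions.

```python
import struct

# Standard wire-format values (RFC 1035 / RFC 6891), not figures taken from the thread.
OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type
DO_FLAG = 0x8000     # DNSSEC OK bit in the OPT TTL field
IP_UDP_HEADERS = 28  # assumed IPv4 header (20) + UDP header (8)

def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"
def build_edns_query(name, qtype, udp_payload, dnssec_ok=True, txid=0x1234):
    """Build a query whose OPT record advertises udp_payload bytes (like edns-udp-size)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    ttl = DO_FLAG if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL carries flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)
    return header + question + opt
def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off:]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
def parse_edns(msg):
    """Return (udp_payload, dnssec_ok) from a message's OPT record, or None if it has none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return None
def udp_delivery(response_len, advertised, path_mtu=1500):
    """Classify how a DNS response of response_len bytes travels for a given EDNS size and MTU."""
    if response_len > advertised:
        return "truncated"   # server sets TC; client retries over TCP, no fragments on the wire
    if response_len + IP_UDP_HEADERS > path_mtu:
        return "fragmented"  # relies on firewalls passing fragments and on PMTUD working
    return "single"          # fits in one datagram
```

A response of 1600 bytes is fragmented when the client advertises 4096 but is truncated and retried over TCP when it advertises 1232, which is the trade-off the thread describes.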
Re: Bind and HTTPS?
On Fri, 12 Jul 2019, Lefteris Tsintjelis via bind-users wrote:
> I believe most modern firewalls allow them nowadays and the speeds are pretty huge for such packets, so I guess fragmentation by itself may not be as noticeable, but everything all together adds up, and I mean including DNSSEC and DOH overhead.

Really? What about ads?

What I mean is if people are so concerned about "happy eyeballs", why are so many of those people somehow involved with the infrastructure creating the problem?

--
Fred Morris