Re: DoH plugin for BIND

2020-05-05 Thread Browne, Stuart via bind-users
On 6/5/20, 02:21, "bind-users on behalf of Chuck Aurora" wrote:

> On 2020-05-02 14:35, Reindl Harald wrote:
>> On 02.05.20 at 21:31 Chuck Aurora wrote:
>>> On 2020-05-02 13:23, Erich Eckner wrote:
>>>> Will there be client-side DoT/DoH support in bind, too? E.g. will my
>>>> recursive (or forwarding) resolver be able to resolve upstream dns
>>>> via
>>>
>>> Well, a recursive resolver cannot use DoT/DoH for iterative queries to
>>> authoritative NS servers, unless authoritative servers offered
>>> DoT/DoH,
>>> and I don't think that's likely to happen.
>>>
>>> Basically by deciding you want DoH/DoT upstream, you also have decided
>>> that you want to use forwarders.
>>
>> says who?
>>
>> https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians
>
> Thanks for the reply, but FWIW, I don't have a clue what point you
> intended to make?  I looked at that CIRA page twice, and it is simply
> a DoH/DoT forwarder.  Absolutely nothing in that release mentions any
> change in DNS protocol.
>
> DoH/DoT covers only one hop: the end user to the recursive resolver.
> Beyond that one hop is good old-fashioned unencrypted DNS.  By using
> DoH/DoT, whether in your own stub resolver or in a [future] BIND, you
> are using that DoH/DoT server as your forwarder.

From all the reading I've done, DoT/DoH is about each individual hop. You
control your hop. Beyond you, it's anonymized anyway as a batch/bunch of
requests from a recursing resolver. The CIRA service is just inserting
themselves as the recursing resolver (even if they implement that via an
"app").

SMTP encryption is the same. You can control your hop; what anybody beyond you 
does is out of your control.

Stuart

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DoH plugin for BIND

2020-05-05 Thread Chuck Aurora

On 2020-05-02 14:35, Reindl Harald wrote:

> On 02.05.20 at 21:31 Chuck Aurora wrote:
>> On 2020-05-02 13:23, Erich Eckner wrote:
>>> Will there be client-side DoT/DoH support in bind, too? E.g. will my
>>> recursive (or forwarding) resolver be able to resolve upstream dns
>>> via
>>
>> Well, a recursive resolver cannot use DoT/DoH for iterative queries to
>> authoritative NS servers, unless authoritative servers offered
>> DoT/DoH,
>> and I don't think that's likely to happen.
>>
>> Basically by deciding you want DoH/DoT upstream, you also have decided
>> that you want to use forwarders.
>
> says who?
>
> https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians


Thanks for the reply, but FWIW, I don't have a clue what point you
intended to make?  I looked at that CIRA page twice, and it is simply
a DoH/DoT forwarder.  Absolutely nothing in that release mentions any
change in DNS protocol.

DoH/DoT covers only one hop: the end user to the recursive resolver.
Beyond that one hop is good old-fashioned unencrypted DNS.  By using
DoH/DoT, whether in your own stub resolver or in a [future] BIND, you
are using that DoH/DoT server as your forwarder.

(Harald, please feel free to ignore Reply-To if you are unable to
post to the list.  Thanks.)


Re: DoH plugin for BIND

2020-05-04 Thread Tony Finch
Erich Eckner  wrote:
>
> Will there be client-side DoT/DoH support in bind, too? E.g. will my recursive
> (or forwarding) resolver be able to resolve upstream dns via those?

At the moment the specifications are not yet done for encrypted DNS
between recursive and authoritative servers. It's very difficult to signal
in a DNS delegation that an authoritative server supports encryption, in a
way that is reasonably fast and secure. And it's even harder to make
changes to EPP, or to persuade registrars to support anything new.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
North Fitzroy, Sole: Easterly 6 to gale 8, occasionally severe gale 9 in Sole,
becoming cyclonic 4 to 6. Moderate or rough, occasionally very rough in Sole.
Rain or thundery showers, fog patches. Moderate, occasionally very poor.


Re: DoH plugin for BIND

2020-05-03 Thread Noel Butler
Don't flatter yourself troll, I've always been active on a number of
lists, but as I do have a life, I may not comment on every single thread
on every list.

Like I told you before, stop being a f'wit and I'll have no reason to
warn anyone of how caustic you will get towards them, and we'll also
have no reason to list your netblock on RBL.

No need to reply, just let it sink in, but since it's failed to in over 5
years, I don't expect miracles.

On 03/05/2020 15:13, Reindl Harald wrote:

> On 03.05.20 at 01:42 Noel Butler wrote:
> 
>> Don't waste your time trying to argue with that troll
> 
> given that you *never* had to say anything useful on *any* mailing list
> and only creep out of your hole when you hear my name to fire your
> personal vendetta what about stay in your hole?

-- 
Kind Regards, 

Noel Butler 

This Email, including attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate any part of
this message without the authors express written authority to do so. If
you are not the intended recipient, please notify the sender then delete
all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.


Re: DoH plugin for BIND

2020-05-02 Thread Reindl Harald



On 03.05.20 at 01:42 Noel Butler wrote:
> Don't waste your time trying to argue with that troll

given that you *never* had to say anything useful on *any* mailing list
and only creep out of your hole when you hear my name to fire your
personal vendetta what about stay in your hole?


Re: DoH plugin for BIND

2020-05-02 Thread Sten Carlsen

On 03-05-2020 01.59, Noel Butler wrote:
>
> On 03/05/2020 02:17, Sten Carlsen wrote:
>
>> About mail servers from residential IPs. I have done that for a
>> number of years, very rarely any issue.
>
> Most SPs do this
>
>> The major problem was that at one time MS required a reverse lookup
>> for the actual mail server name.
>
> Many SPs still do this, some take it the extra mile and block
> anything with things like cpe/dsl/cable/hfc/dyn/ppp... etc
> in the hostname, we still do it, have done for over 20 years and seen
> no collateral damage.
>
>> In my part of the world it is very bad taste for an ISP to block
>> anything, it's not their business.
>
> Ordinarily, I agree, but the overall security and protection of the
> network must come first, the protection of the majority must come
> first.  Then there's the law, in Australia we are required as part of
> the outcome of the iinet V hollywood, to block pirate sites, 99% do
> this by DNS, the Federal court accepts this method, the Federal court
> knows it can be avoided by most 8yos in under 10 seconds, it's the
> sweet spot everybody agreed to so they approved it.
>
> There are also other laws that require its use as well.  That said we
> don't block any ports and have no intention of.
>
> That said, DoH is fairly pointless here because there is no
> requirement to log DNS queries, most of us have far better things to
> do than to know who's going where, none that I know do it, though
> there is a question of Telstra mobile
>
> let's face it, if we really want to know who's going where, netflow
> tells us a whole lot more anyway
>
I agree, if you really want to be anonymous the only way I know is TOR.
Maybe there should be a way to get DNS through TOR?

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!" 



Re: DoH plugin for BIND

2020-05-02 Thread Noel Butler
On 03/05/2020 02:17, Sten Carlsen wrote:

> About mail servers from residential IPs. I have done that for a number of 
> years, very rarely any issue.

Most SPs do this

> The major problem was that at one time MS required a reverse lookup for the
> actual mail server name.

Many SPs still do this, some take it the extra mile and block anything
with things like cpe/dsl/cable/hfc/dyn/ppp... etc
in the hostname, we still do it, have done for over 20 years and seen no
collateral damage.

> In my part of the world it is very bad taste for an ISP to block anything,
> it's not their business.

Ordinarily, I agree, but the overall security and protection of the
network must come first, the protection of the majority must come first.
Then there's the law, in Australia we are required as part of the
outcome of the iinet V hollywood, to block pirate sites, 99% do this by
DNS, the Federal court accepts this method, the Federal court knows it
can be avoided by most 8yos in under 10 seconds, it's the sweet spot
everybody agreed to so they approved it.

There are also other laws that require its use as well.  That said we
don't block any ports and have no intention of.

That said, DoH is fairly pointless here because there is no requirement
to log DNS queries, most of us have far better things to do than to know
who's going where, none that I know do it, though there is a question of
Telstra mobile

Let's face it, if we really want to know who's going where, netflow tells
us a whole lot more anyway

-- 
Kind Regards, 

Noel Butler 



Re: DoH plugin for BIND

2020-05-02 Thread Noel Butler
Don't waste your time trying to argue with that troll

Google his name, he's well banned on many lists, he was moderated on
this list as well, seems he's changed his user@ to get around it. He's
been quiet for a while, thought he learned his lesson, but leopards never
change their spots.

On 03/05/2020 01:11, Michael De Roover wrote:

> I'm sure that most of the list members here are aware of how net neutrality 
> and the internet in general works - we're internet operators after all. What 
> we're here for is ports and protocols, not policy or internet culture. On 
> that subject, we are not policy makers. Let's leave that to politicians who 
> studied for it. Vote some technical people in government while we're at it, 
> but I digress.
> 
> The DoT/DoH argument or what a mail server could be operated from is not one 
> of policy.. well maybe mail servers are, to some extent. Perhaps there's some 
> ISP employees here too. Those are in power to allow or disallow things on 
> their network. But DoT/DoH certainly isn't. What are we supposed to worry 
> about? How do we implement this new encrypted DNS. Do we piggyback off an 
> existing port and rely on its ubiquitous allowance on the internet or do we 
> create a new port for it, where we can make a dedicated new protocol suite?
> 
> On 5/2/20 5:03 PM, Reindl Harald wrote:

-- 
Kind Regards, 

Noel Butler 



Re: DoH plugin for BIND

2020-05-02 Thread Reindl Harald



On 02.05.20 at 21:31 Chuck Aurora wrote:
> On 2020-05-02 13:23, Erich Eckner wrote:
>> Will there be client-side DoT/DoH support in bind, too? E.g. will my
>> recursive (or forwarding) resolver be able to resolve upstream dns via
> 
> Well, a recursive resolver cannot use DoT/DoH for iterative queries to
> authoritative NS servers, unless authoritative servers offered DoT/DoH,
> and I don't think that's likely to happen.
> 
> Basically by deciding you want DoH/DoT upstream, you also have decided
> that you want to use forwarders.

says who?

https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians


Re: DoH plugin for BIND

2020-05-02 Thread Chuck Aurora

On 2020-05-02 13:23, Erich Eckner wrote:

> Will there be client-side DoT/DoH support in bind, too? E.g. will my
> recursive (or forwarding) resolver be able to resolve upstream dns via

Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered DoT/DoH,
and I don't think that's likely to happen.

Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.

I can't speak for ISC about their DoT/DoH intentions, but I would
expect they'll do it both as server and as client (of a forwarder.)

Note that DoT/DoH typically only encrypts the enduser-to-resolver hop,
beyond which it's just standard unencrypted DNS.  Of course named as
DoT/DoH client could encrypt the hop to a forwarder, but again, just
standard DNS is used beyond that point.

> those? I don't see how I could use a reverse proxy or stunnel to
> achieve this currently (assuming the authoritative dns server
> supports DoT and/or DoH, of course),

If this is so, there's still, to my knowledge, no protocol for it.
How would a nameserver know which NS hosts to send DoH/DoT queries
to?  DNS needs to be fast, and DoH/DoT upstream could create very
significant lag.

> because I would need one stunnel
> per upstream dns server which I do not know in advance - right?

Right.

I guess the DoH/DoT thing came about as a means of dealing with (or
bypassing) nosy and greedy and dishonest ISPs.  But then you're giving
all your queries to an upstream forwarder.  Are you sure they are
more trustworthy? :)

What I wonder, at the possible cost of thread hijacking (sorry!) is,
are any ISPs actively sniffing their customers' iterative queries?  It
certainly is possible, but I expect it would be too much work.

I do know that an ISP of which I was formerly (!) a customer would
sometimes redirect my DNS traffic to their own recursive resolvers.
Since I was running my own nameserver all I could get during those
times were tons of "lame server" logs and DNSSEC failures.

If this is the case for you, I'd suggest doing as I did: vote with
your feet; give your money to a better ISP.

If your home/office network is secure from hostile users who can
sniff traffic, DoH/DoT offers you nothing at all on that hop.
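Chuck's observation that a redirected upstream shows up only as piles of "lame server" log lines and DNSSEC failures suggests a simple defensive check. The Python below is an added example, not code from the thread or from ISC: it scans constructed BIND-style log lines (the message formats are an assumption modelled on BIND's lame-servers and dnssec logging categories) and flags windows where many unrelated zones go lame via the same answering address while DNSSEC validation also fails, which is the pattern to alert on rather than a single misconfigured zone.

```python
"""Flag log windows that look like transparently redirected upstream DNS.

Added example, not code from the thread or from ISC.  The sample log lines
are constructed; their format is an assumption modelled on the messages
BIND's lame-servers and dnssec logging categories emit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# "DD-Mon-YYYY HH:MM:SS.mmm" as BIND prints with print-time yes (assumed).
_TS = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} (.*)$")
# lame server resolving 'zone' (in 'zone'?): address#port
_LAME = re.compile(r"lame server resolving '([^']+)' \(in '[^']+'\?\): (\S+)")
# validating name/type: <reason>
_DNSSEC = re.compile(r"validating ([^:\s]+): (no valid signature found|got insecure response)")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "lame" or "dnssec"
    name: str          # zone (lame) or owner/type (dnssec) the message concerns
    server: str = ""   # answering server for lame events, e.g. "198.51.100.5#53"


@dataclass
class Burst:
    start: datetime
    end: datetime
    lame_names: set[str] = field(default_factory=set)
    dnssec_names: set[str] = field(default_factory=set)
    servers: set[str] = field(default_factory=set)


def parse_line(line: str) -> Event | None:
    """Return an Event for lame-server or DNSSEC-failure lines, else None."""
    m = _TS.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    rest = m.group(2)
    if lm := _LAME.search(rest):
        return Event(ts, "lame", lm.group(1), lm.group(2))
    if dm := _DNSSEC.search(rest):
        return Event(ts, "dnssec", dm.group(1))
    return None


def find_bursts(lines, window_s: int = 60, lame_min: int = 3, dnssec_min: int = 2) -> list[Burst]:
    """Slide a window over the events and report windows in which many
    *distinct* zones go lame while DNSSEC validation also fails.

    One misconfigured zone produces lame-server lines on its own; an upstream
    that answers every query non-authoritatively makes unrelated zones go lame
    at once and breaks validation, which is the pattern worth alerting on.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    bursts: list[Burst] = []
    i, n = 0, len(events)
    while i < n:
        start = events[i].ts
        j = i
        while j < n and (events[j].ts - start).total_seconds() <= window_s:
            j += 1
        b = Burst(start, events[j - 1].ts)
        for e in events[i:j]:
            if e.kind == "lame":
                b.lame_names.add(e.name)
                b.servers.add(e.server)
            else:
                b.dnssec_names.add(e.name)
        if len(b.lame_names) >= lame_min and len(b.dnssec_names) >= dnssec_min:
            bursts.append(b)
            i = j          # report each burst once, then move past it
        else:
            i += 1
    return bursts


# Constructed sample: one ordinary lame zone in the morning, a redirect-looking
# burst at 14:35 where one address answers lamely for four unrelated zones
# while validation fails, and an isolated DNSSEC failure in the evening.
SAMPLE_LOG = """\
02-May-2020 09:12:01.110 lame-servers: info: lame server resolving 'misconf.example' (in 'misconf.example'?): 192.0.2.10#53
02-May-2020 09:12:01.220 queries: info: client 192.0.2.77#51234 (www.example.org): query: www.example.org IN A + (192.0.2.1)
02-May-2020 14:35:02.001 lame-servers: info: lame server resolving 'example.org' (in 'example.org'?): 198.51.100.5#53
02-May-2020 14:35:02.450 lame-servers: info: lame server resolving 'isc.org' (in 'isc.org'?): 198.51.100.5#53
02-May-2020 14:35:03.120 dnssec: info: validating example.org/A: no valid signature found
02-May-2020 14:35:05.900 lame-servers: info: lame server resolving 'example.net' (in 'example.net'?): 198.51.100.5#53
02-May-2020 14:35:07.333 dnssec: info: validating isc.org/SOA: got insecure response; parent indicates it should be secure
02-May-2020 14:35:09.004 lame-servers: info: lame server resolving 'ripe.net' (in 'ripe.net'?): 198.51.100.5#53
02-May-2020 18:02:44.000 dnssec: info: validating stale.example/A: no valid signature found
"""

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b.start:%H:%M:%S}-{b.end:%H:%M:%S}: {len(b.lame_names)} zones lame "
              f"via {sorted(b.servers)}, DNSSEC failures for {sorted(b.dnssec_names)}")
```

Tune `window_s`, `lame_min` and `dnssec_min` to the query volume of the resolver; a single lame zone or a lone validation failure never trips the check by design.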


Re: DoH plugin for BIND

2020-05-02 Thread Chuck Aurora

On 2020-05-02 11:32, Michael De Roover wrote:

> Interesting, I wasn't aware of that. Until now I subscribed to the
> whole business-only IP idea the whole time. I never thought that ISPs
> or other mail servers would allow this (though granted, mine doesn't
> discriminate either). Meanwhile Microsoft still blocks one of my
> sender IPs (e3.nixmagic.com which was the last one to enter the set
> of edge servers). Maybe phasing out my edge servers wouldn't be a bad

[ Reply-To: set because we're veering even further off topic ]

You might be surprised to hear this, but it's worth your time to talk
to Microsoft about that.  I have found numerous times over several
years that Microsoft's postmaster desk is staffed by real humans who
respond in a timely manner, and better yet: they seem to be truly
interested in helping their users communicate via email.

> idea then, at least in the long run. My ISP doesn't change the IP
> address for my residential connection as long as I don't reboot my
> router anyway. Assuming that I check whether my ISP allows 25 in- and
> outbound first, that could work.



Re: DoH plugin for BIND

2020-05-02 Thread Erich Eckner

Hi,

I assume the (on-topic) discussion so far was about the serving part of
bind. (Correct me if I'm wrong.)


Will there be client-side DoT/DoH support in bind, too? E.g. will my
recursive (or forwarding) resolver be able to resolve upstream dns via
those? I don't see how I could use a reverse proxy or stunnel to achieve
this currently (assuming the authoritative dns server supports DoT
and/or DoH, of course), because I would need one stunnel per upstream dns
server which I do not know in advance - right?


regards,
Erich

On Sat, 2 May 2020, John Levine wrote:

> In article  you write:
>
>> On Sat, 2 May 2020, Michael De Roover wrote:
>>
>>> Even if your ISP allows it, chances are that other mail servers will
>>> reject it ...
>>
>> My residential-class static IP mail server has never had problems
>> delivering mail. I've checked it many times over the years on many
>> blacklist checkers and never had anything but green lights.
>
> Your ISP is quite unusual.  Count your blessings.  The large cable
> providers in the US and Canada block outgoing port 25 on residential
> networks.
>
> To whoever said that MUAs still default to port 25 submission, you
> must use different MUAs from the rest of us.  All the ones I use
> default to 587 and 465.
>
> R's,
> John
>
> PS: What does this have to do with BIND?


Re: DoH plugin for BIND

2020-05-02 Thread John Levine
In article  you write:
>On Sat, 2 May 2020, Michael De Roover wrote:
>
>> Even if your ISP allows it, chances are that other mail servers will 
>> reject it ...

>My residential-class static IP mail server has never had problems 
>delivering mail. I've checked it many times over the years on many 
>blacklist checkers and never had anything but green lights.

Your ISP is quite unusual.  Count your blessings.  The large cable
providers in the US and Canada block outgoing port 25 on residential
networks.

To whoever said that MUAs still default to port 25 submission, you
must use different MUAs from the rest of us.  All the ones I use
default to 587 and 465.

R's,
John

PS: What does this have to do with BIND?


Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
Interesting, I wasn't aware of that. Until now I subscribed to the whole
business-only IP idea the whole time. I never thought that ISPs or
other mail servers would allow this (though granted, mine doesn't
discriminate either). Meanwhile Microsoft still blocks one of my sender
IPs (e3.nixmagic.com which was the last one to enter the set of edge
servers). Maybe phasing out my edge servers wouldn't be a bad idea then,
at least in the long run. My ISP doesn't change the IP address for my
residential connection as long as I don't reboot my router anyway.
Assuming that I check whether my ISP allows 25 in- and outbound first,
that could work.


On 5/2/20 6:25 PM, Brett Delmage wrote:

> On Sat, 2 May 2020, Michael De Roover wrote:
>
>> Even if your ISP allows it, chances are that other mail servers will
>> reject it
>
> Nope, not always.
>
> My residential-class static IP mail server has never had problems
> delivering mail. I've checked it many times over the years on many
> blacklist checkers and never had anything but green lights.
>
> Of course I have met all the email best practices for years: SPF,
> DKIM, reverse pointer, etc.
>
> Even though email is not secure, I still feel better knowing that
> emails end up in MY server via opportunistic TLS transport, and not in
> some Yahoo's or surveillance capitalist's data store.
>
> Underlying all this are my own DNSSEC-enabled BIND servers, of course.

--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-05-02 Thread Brett Delmage

On Sat, 2 May 2020, Michael De Roover wrote:

> Even if your ISP allows it, chances are that other mail servers will
> reject it

Nope, not always.

My residential-class static IP mail server has never had problems
delivering mail. I've checked it many times over the years on many
blacklist checkers and never had anything but green lights.

Of course I have met all the email best practices for years: SPF, DKIM,
reverse pointer, etc.

Even though email is not secure, I still feel better knowing that emails
end up in MY server via opportunistic TLS transport, and not in some
Yahoo's or surveillance capitalist's data store.

Underlying all this are my own DNSSEC-enabled BIND servers, of course.



Re: DoH plugin for BIND

2020-05-02 Thread Sten Carlsen
About mail servers from residential IPs. I have done that for a number of
years, very rarely any issue.

The major problem was that at one time MS required a reverse lookup for the
actual mail server name. That was then fixed by the ISP and all works again.
In my part of the world it is very bad taste for an ISP to block anything, it's
not their business.

-- 
Best regards 
Sten Carlsen 


For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken


> On 2 May 2020, at 17.11, Michael De Roover  wrote:
> 
> I'm sure that most of the list members here are aware of how net neutrality 
> and the internet in general works - we're internet operators after all. What 
> we're here for is ports and protocols, not policy or internet culture. On 
> that subject, we are not policy makers. Let's leave that to politicians who 
> studied for it. Vote some technical people in government while we're at it, 
> but I digress.
> 
> The DoT/DoH argument or what a mail server could be operated from is not one 
> of policy.. well maybe mail servers are, to some extent. Perhaps there's some 
> ISP employees here too. Those are in power to allow or disallow things on 
> their network. But DoT/DoH certainly isn't. What are we supposed to worry 
> about? How do we implement this new encrypted DNS. Do we piggyback off an 
> existing port and rely on its ubiquitous allowance on the internet or do we 
> create a new port for it, where we can make a dedicated new protocol suite?
> 
> On 5/2/20 5:03 PM, Reindl Harald wrote:
>> 
>> On 02.05.20 at 16:39 Paul Kosinski via bind-users wrote:
>>> I wasn't complaining about port 25, I was just citing it as a
>>> counterexample to the claim that ISPs "must" pass all traffic.
>> https://en.wikipedia.org/wiki/Net_neutrality
>> 
>>> I think that most ISPs tell customers how to set up their email clients
>>> (MUAs) including what port to use. Of course it seems that now most
>>> people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
>>> so they never see port numbers.
>>> 
>>> 
>>> On Sat, 2 May 2020 15:51:58 +0200
>>> Reindl Harald  wrote:
>>> 
>>>> On 02.05.20 at 15:41 Michael De Roover wrote:
>>>>> In my experience and from what I've heard, very few.
>>>> if that would be true how comes that most mail clients still default to
>>>> 25 for submission and years after closing port 25 on our mailserver I
>>>> still struggle with customers' smartphones still not using 587?
>>>> 
>>>> in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
>>>> there is no point in using it from a home machine and at that time we
>>>> struggled also to explain to our customers that 25 is plain wrong
>>>> 
>>>> finally they gave up because the damage of open port 25 is killed with
>>>> dnsbl but the customer support went crazy with "why can't I send email
>>>> with my internet connection"
>>>> 
>>>>> Even if your ISP allows it, chances are that other mail servers will 
>>>>> reject it
>>>> that's a completely different story
>>>> 
>>>>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>>>>> How many ISPs allow traffic on port 25? My impression is that even many
>>>>>> (non-enterprise) business customers can't use port 25
> -- 
> Met vriendelijke groet / Best regards,
> Michael De Roover



Re: DoH plugin for BIND

2020-05-02 Thread Brett Delmage

On Sat, 2 May 2020, Paul Kosinski via bind-users wrote:

> How many ISPs allow traffic on port 25? My impression is that even many
> (non-enterprise) business customers can't use port 25.

Mine does. It's a major Canadian independent ISP. They allow servers too.
I run postfix and secondary DNS (bind) and apache servers on my static-IP
residential line. I could even order a netblock again if I want to.

My monthly rate is the same or lower than big telecom's offerings.


Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
I'm sure that most of the list members here are aware of how net 
neutrality and the internet in general works - we're internet operators 
after all. What we're here for is ports and protocols, not policy or 
internet culture. On that subject, we are not policy makers. Let's leave 
that to politicians who studied for it. Vote some technical people in 
government while we're at it, but I digress.


The DoT/DoH argument or what a mail server could be operated from is not
one of policy... well maybe mail servers are, to some extent. Perhaps
there's some ISP employees here too. Those are in power to allow or
disallow things on their network. But DoT/DoH certainly isn't. What are
we supposed to worry about? How do we implement this new encrypted DNS?
Do we piggyback off an existing port and rely on its ubiquitous
allowance on the internet or do we create a new port for it, where we
can make a dedicated new protocol suite?


On 5/2/20 5:03 PM, Reindl Harald wrote:

> On 02.05.20 at 16:39 Paul Kosinski via bind-users wrote:
>
>> I wasn't complaining about port 25, I was just citing it as a
>> counterexample to the claim that ISPs "must" pass all traffic.
>
> https://en.wikipedia.org/wiki/Net_neutrality
>
>> I think that most ISPs tell customers how to set up their email clients
>> (MUAs) including what port to use. Of course it seems that now most
>> people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
>> so they never see port numbers.
>>
>> On Sat, 2 May 2020 15:51:58 +0200
>> Reindl Harald  wrote:
>>
>>> On 02.05.20 at 15:41 Michael De Roover wrote:
>>>
>>>> In my experience and from what I've heard, very few.
>>>
>>> if that would be true how comes that most mail clients still default to
>>> 25 for submission and years after closing port 25 on our mailserver I
>>> still struggle with customers' smartphones still not using 587?
>>>
>>> in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
>>> there is no point in using it from a home machine and at that time we
>>> struggled also to explain to our customers that 25 is plain wrong
>>>
>>> finally they gave up because the damage of open port 25 is killed with
>>> dnsbl but the customer support went crazy with "why can't I send email
>>> with my internet connection"
>>>
>>>> Even if your ISP allows it, chances are that other mail servers will reject it
>>>
>>> that's a completely different story
>>>
>>>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>>>
>>>>> How many ISPs allow traffic on port 25? My impression is that even many
>>>>> (non-enterprise) business customers can't use port 25

--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-05-02 Thread Reindl Harald



Am 02.05.20 um 16:39 schrieb Paul Kosinski via bind-users:
> I wasn't complaining about port 25, I was just citing it as a
> counterexample to the claim that ISPs "must" pass all traffic.

https://en.wikipedia.org/wiki/Net_neutrality

> I think that most ISPs tell customers how to set up their email clients
> (NUAs) including what port to use. Of course it seems that now most
> people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
> so they never see port numbers.
> 
> 
> On Sat, 2 May 2020 15:51:58 +0200
> Reindl Harald  wrote:
> 
>> Am 02.05.20 um 15:41 schrieb Michael De Roover:
>>> In my experience and from what I've heard, very few.   
>>
>> if that would be true, how come most mail clients still default to
>> 25 for submission, and years after closing port 25 on our mailserver I
>> still struggle with customers' smartphones still not using 587?
>>
>> in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
>> there is no point in using it from a home machine, and at that time we
>> struggled also to explain to our customers that 25 is plain wrong
>>
>> finally they gave up because the damage of open port 25 is killed with
>> dnsbl but the customer support went crazy with "why can't I send email
>> with my internet connection"
>>
>>> Even if your ISP allows it, chances are that other mail servers will reject
>>> it
>>
>> that's a completely different story
>>
>>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>>> How many ISPs allow traffic on port 25? My impression is that even many
>>>> (non-enterprise) business customers can't use port 25



Re: DoH plugin for BIND

2020-05-02 Thread Paul Kosinski via bind-users
I wasn't complaining about port 25, I was just citing it as a
counterexample to the claim that ISPs "must" pass all traffic.

I think that most ISPs tell customers how to set up their email clients
(NUAs) including what port to use. Of course it seems that now most
people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
so they never see port numbers.


On Sat, 2 May 2020 15:51:58 +0200
Reindl Harald  wrote:

> Am 02.05.20 um 15:41 schrieb Michael De Roover:
> > In my experience and from what I've heard, very few.   
> 
> if that would be true, how come most mail clients still default to
> 25 for submission, and years after closing port 25 on our mailserver I
> still struggle with customers' smartphones still not using 587?
> 
> in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
> there is no point in using it from a home machine, and at that time we
> struggled also to explain to our customers that 25 is plain wrong
> 
> finally they gave up because the damage of open port 25 is killed with
> dnsbl but the customer support went crazy with "why can't I send email
> with my internet connection"
> 
> > Even if your ISP allows it, chances are that other mail servers will reject
> > it
> 
> that's a completely different story
> 
> > On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:  
> >> How many ISPs allow traffic on port 25? My impression is that even many
> >> (non-enterprise) business customers can't use port 25  


Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
To put it very simply, I consider myself very lucky that I have control
over every mail client that interfaces with my mail server. Most of them
are well-behaved and use 587 for submission. My mail server has also
disabled it on port 25 to reduce spam. Port 587 on my mail server is
also only visible within my VPNs, to allow submission only from within. That
is an edge case and a privilege, since all the mail clients are local. If
your mail clients go outside your network or VPNs, that's when you'll
need to either expose 587 to the internet or allow it on 25, with all
those related issues.


Submission on port 25 is something I disabled on my mail server since it
reduces the amount of spamhausen that try to submit email to my mail
server, assuming that it's an open relay. It's purely traffic- and
load-related. The reason why residential ISPs disallow it - to my
knowledge, which is admittedly limited - is because few postmasters
consider the limitations that are applied to residential connections in
general endurable. That includes dynamic IPs, down-/upload ratio,
blocked ports, lack of SLA, and many other things.


As far as the "completely different story" goes, it's part of a whole.
Good luck getting deliverability to other mail servers from a
residential range, even if the ISP itself allows it. Mail servers are an
inherently reputation-driven thing. The reputation of your sender IP
addresses, to be precise. Is it good? No, email sucks. If you can get
away with not running a mail server, don't run one. They suck so much.
But if you do, a home IP is not where you'll want to start regardless.
Get a VPS if anything.


On 5/2/20 3:51 PM, Reindl Harald wrote:
> Am 02.05.20 um 15:41 schrieb Michael De Roover:
>> In my experience and from what I've heard, very few.
>
> if that would be true, how come most mail clients still default to
> 25 for submission, and years after closing port 25 on our mailserver I
> still struggle with customers' smartphones still not using 587?
>
> in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
> there is no point in using it from a home machine, and at that time we
> struggled also to explain to our customers that 25 is plain wrong
>
> finally they gave up because the damage of open port 25 is killed with
> dnsbl but the customer support went crazy with "why can't I send email
> with my internet connection"
>
>> Even if your ISP allows it, chances are that other mail servers will reject it
>
> that's a completely different story
>
>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>> How many ISPs allow traffic on port 25? My impression is that even many
>>> (non-enterprise) business customers can't use port 25


--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-05-02 Thread Reindl Harald



Am 02.05.20 um 15:41 schrieb Michael De Roover:
> In my experience and from what I've heard, very few. 

if that would be true, how come most mail clients still default to
25 for submission, and years after closing port 25 on our mailserver I
still struggle with customers' smartphones still not using 587?

in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
there is no point in using it from a home machine, and at that time we
struggled also to explain to our customers that 25 is plain wrong

finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't I send email
with my internet connection"

> Even if your ISP allows it, chances are that other mail servers will reject it

that's a completely different story

> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>> How many ISPs allow traffic on port 25? My impression is that even many
>> (non-enterprise) business customers can't use port 25



Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
In my experience and from what I've heard, very few. Even if your ISP
allows it, chances are that other mail servers will reject it, since
residential areas aren't really suited for and aren't generally used for
long-term mail servers. I would recommend against running your mail
server (directly) on your home connection. Here I rent 3 VPSes as pretty
much edge servers and connect my mail, web, Gitea and other servers from
there (possibly my DoT service as well, since almost everything is
already reverse proxied with nginx from there). VPN connections are made
from all of those local servers to there, but it's far from ideal (70
servers x 3 VPN connections each and you've got 210 total... and that's
where I more or less screwed up). Nowadays I'd rather consider either
making my VPSes connect to my home, or making a single server be the
gateway at home that makes VPN connections to those VPSes instead.
Probably the latter, since home connections have dynamic IPs too... that
complicates things a bit.


On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
> How many ISPs allow traffic on port 25? My impression is that even many
> (non-enterprise) business customers can't use port 25.

--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-05-02 Thread Reindl Harald



Am 02.05.20 um 15:30 schrieb Paul Kosinski via bind-users:
> How many ISPs allow traffic on port 25? My impression is that even many
> (non-enterprise) business customers can't use port 25.

that can be easily answered by just looking at your inbound MX and the
amount of dul.dnsbl.sorbs.net and pbl.spamhaus.org hits

until the large botnet was killed a few months ago this was the majority of
*all* mail traffic, which wouldn't have been possible all these years by
your conclusion

-

current month blocked at postscreen level:

[root@mail-gw:~]$ cat maillog | grep spamhaus.org | grep -P "127.0.0.(10|11)" | wc -l
1148

until this year it was 10 times more

-

delivered: 1371
blocked by contentfilter: 134
honeypot hits: 5206

> On Sat, 2 May 2020 09:28:54 +0200
> Reindl Harald  wrote:
> 
>> Am 02.05.20 um 09:00 schrieb Michael De Roover:
>>> That's actually my biggest concern with DoH, ISP blocking. It doesn't
>>> seem as obvious as it is with DoT, but deep packet inspection (DPI) is
>>> already a thing. Don't expect an ISP that wants to block DoT to not
>>> (want to) block DoH either. The crux of the problem at that point is not
>>> the technology, it is the ISP's incentives. If the ISP wants to block
>>> DoT for whatever reason, personally I'd consider it.. not exactly fine
>>> but at least their right to do so. That's their decision to make.   
>>
>> seriously?
>>
>> that seems to be some US attitude, no wonder what happens there with
>> user attitudes like "but at least their right to do so"
>>
>> the ISP by definition has exactly one right: get money for his service
>> which is described as "route and transfer every package, don't look at
>> it, don't mangle it, you have no business about the content of my traffic"



Re: DoH plugin for BIND

2020-05-02 Thread Paul Kosinski via bind-users
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.


On Sat, 2 May 2020 09:28:54 +0200
Reindl Harald  wrote:

> Am 02.05.20 um 09:00 schrieb Michael De Roover:
> > That's actually my biggest concern with DoH, ISP blocking. It doesn't
> > seem as obvious as it is with DoT, but deep packet inspection (DPI) is
> > already a thing. Don't expect an ISP that wants to block DoT to not
> > (want to) block DoH either. The crux of the problem at that point is not
> > the technology, it is the ISP's incentives. If the ISP wants to block
> > DoT for whatever reason, personally I'd consider it.. not exactly fine
> > but at least their right to do so. That's their decision to make.   
> 
> seriously?
> 
> that seems to be some US attitude, no wonder what happens there with
> user attitudes like "but at least their right to do so"
> 
> the ISP by definition has exactly one right: get money for his service
> which is described as "route and transfer every package, don't look at
> it, don't mangle it, you have no business about the content of my traffic"


Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
I don't live in the US myself, but from what I've heard it's actually 
among the least censored countries out there at the DNS level. Again, I 
don't consider it right to block content, at least if said content 
doesn't break local laws. If anything I'd like to actually retain my 
ability to bypass DNS blocks by simply changing my DNS server to a more 
favorable one. With DoH that would likely become much harder. Not to 
mention that HTTPS isn't the holy grail for bypassing that either. The 
Facebooks and Googles out there use HSTS to mitigate TLS stripping but 
that requires a list to be hardcoded in every web browser that supports 
it. It doesn't scale up at all. At that point we might as well go back 
to hosts files.


On 5/2/20 9:28 AM, Reindl Harald wrote:
> Am 02.05.20 um 09:00 schrieb Michael De Roover:
>> That's actually my biggest concern with DoH, ISP blocking. It doesn't
>> seem as obvious as it is with DoT, but deep packet inspection (DPI) is
>> already a thing. Don't expect an ISP that wants to block DoT to not
>> (want to) block DoH either. The crux of the problem at that point is not
>> the technology, it is the ISP's incentives. If the ISP wants to block
>> DoT for whatever reason, personally I'd consider it... not exactly fine,
>> but at least their right to do so. That's their decision to make.
>
> seriously?
>
> that seems to be some US attitude, no wonder what happens there with
> user attitudes like "but at least their right to do so"
>
> the ISP by definition has exactly one right: get money for his service
> which is described as "route and transfer every package, don't look at
> it, don't mangle it, you have no business about the content of my traffic"

--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-05-02 Thread Reindl Harald


Am 02.05.20 um 09:00 schrieb Michael De Roover:
> That's actually my biggest concern with DoH, ISP blocking. It doesn't
> seem as obvious as it is with DoT, but deep packet inspection (DPI) is
> already a thing. Don't expect an ISP that wants to block DoT to not
> (want to) block DoH either. The crux of the problem at that point is not
> the technology, it is the ISP's incentives. If the ISP wants to block
> DoT for whatever reason, personally I'd consider it.. not exactly fine
> but at least their right to do so. That's their decision to make. 

seriously?

that seems to be some US attitude, no wonder what happens there with
user attitudes like "but at least their right to do so"

the ISP by definition has exactly one right: get money for his service
which is described as "route and transfer every package, don't look at
it, don't mangle it, you have no business about the content of my traffic"


Re: DoH plugin for BIND

2020-05-02 Thread Michael De Roover
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it... not exactly fine,
but at least their right to do so. That's their decision to make. The
problem is that if they want to block DoH too, they'd more or less have
to break HTTPS altogether. And at that point, I'd expect them to already be
more than willing to do so.


As far as content blocking goes, currently DNS is used for that too. In
my country that is mainly torrent sites, which are illegal. In
workplaces it'd be for websites employees aren't allowed to visit at
work. Most users use their ISP's / workplace's DNS servers and thus a
simple DNS block ended up being fine. If that wasn't the case, more
invasive methods would've been necessary. DNS blocking is easy to bypass,
but not many people do it. Personally I'd much rather keep technology
away from policy. Encrypting DNS is important and both methods are fine
for their own reasons, but policy is something that ISPs and workplaces
will enforce regardless. Making this harder with technology could very
well have adverse effects in the long run.


On 5/1/20 11:51 PM, @lbutlr wrote:
> On 29 Apr 2020, at 14:19, Tony Finch  wrote:
>> DoT is easier since you only need a raw TLS reverse proxy, and there are
>> lots of those, for example, nginx:
>
> DOH is better because it cannot be blocked without blocking all https traffic.
>
> (FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars
> religious canonical war here, but being able to guarantee access to secure DNS
> is definitely better for users).
>
> All that is needed to subvert DoT is to block port 853.
>
> If DoT takes off, I expect all US ISPs to block port 853 universally. There's
> nothing they can do about DoH.
>
> Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies
> is "discouraged" but not prevented, most obviously.





--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-05-01 Thread @lbutlr
On 29 Apr 2020, at 14:19, Tony Finch  wrote:
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:

DOH is better because it cannot be blocked without blocking all https traffic.

(FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars 
religious canonical war here, but being able to guarantee access to secure DNS 
is definitely better for users).

All that is needed to subvert DoT is to block port 853.

If DoT takes off, I expect all US ISPs to block port 853 universally. There’s 
nothing they can do about DoH.

Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies 
is “discouraged” but not prevented, most obviously.




-- 
'You're your own worst enemy, Rincewind,' said the sword. Rincewind
looked up at the grinning men. 'Bet?' --Colour of Magic




Re: DoH plugin for BIND

2020-04-30 Thread Michael De Roover
Thanks a lot for the detailed reply. That should be pretty 
straightforward to set up then, as I'm already using nginx for some 
other things and Debian appears to be using BIND 9.11.5 now. Until BIND 
gets native DoT/DoH support I'll probably run it behind nginx as well then.


On 4/29/20 10:19 PM, Tony Finch wrote:
> Michael De Roover  wrote:
>
>> On that subject, how about DoT?
>
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:
>
> http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
>
> Note that if you enable DoT on port 853 on your normal DNS resolvers then
> Android devices will use it automatically. (I get a lot more DoT traffic
> than DoH traffic!) So it's worth tuning timeouts to control the number of
> concurrent TLS and TCP sessions on your server. Android's DoT client is
> very well-behaved so the server-side configuration knobs work nicely. Use
> BIND 9.11 or newer so you can support concurrent queries on one
> connection. As well as the nginx timeouts you can see at the link above,
> my named.conf has:
>
> tcp-clients 1234;
> tcp-idle-timeout 50; # 5 seconds
> tcp-initial-timeout 25; # 2.5s minimum permitted
> tcp-keepalive-timeout 50; # 5 seconds
> tcp-advertised-timeout 50; # 5 seconds
>
> The timeouts are short because they don't need to allow for much slowness
> on our metropolitan-area fibre network. 5 seconds is based on my rough
> eyeball assessment of when typical DoT connections are unlikely to be
> re-used. The number of TCP clients is a guess.
>
> Tony.

--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-04-29 Thread Evan Hunt
On Wed, Apr 29, 2020 at 08:06:20PM +0200, Michael De Roover wrote:
> On that subject, how about DoT? I have mixed feelings about using 443 as a
> kitchen sink port but encrypting DNS seems like a good idea.

Native support by the end of the year, same as DoH. Also, there's a
sample configuration for an nginx proxy in the BIND source tree under
contrib/dnspriv that you can use now, if you wish.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Michael De Roover  wrote:

> On that subject, how about DoT?

DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:

http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48

Note that if you enable DoT on port 853 on your normal DNS resolvers then
Android devices will use it automatically. (I get a lot more DoT traffic
than DoH traffic!) So it's worth tuning timeouts to control the number of
concurrent TLS and TCP sessions on your server. Android's DoT client is
very well-behaved so the server-side configuration knobs work nicely. Use
BIND 9.11 or newer so you can support concurrent queries on one
connection. As well as the nginx timeouts you can see at the link above,
my named.conf has:

tcp-clients 1234;
tcp-idle-timeout 50; # 5 seconds
tcp-initial-timeout 25; # 2.5s minimum permitted
tcp-keepalive-timeout 50; # 5 seconds
tcp-advertised-timeout 50; # 5 seconds

The timeouts are short because they don't need to allow for much slowness
on our metropolitan-area fibre network. 5 seconds is based on my rough
eyeball assessment of when typical DoT connections are unlikely to be
re-used. The number of TCP clients is a guess.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
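An nginx `stream` block of the kind Tony describes, terminating DoT on port 853 and handing the plain DNS-over-TCP stream to named, as an added example: it is not the doh101 config he links, nor BIND's contrib/dnspriv sample. It assumes named listens on TCP 127.0.0.1:53 and uses placeholder certificate paths; the timeouts are chosen to line up with the named.conf values quoted above.

```nginx
# Added example, not from doh101 or BIND's contrib/dnspriv.
# Assumptions: named listens on 127.0.0.1 port 53 (TCP); the certificate
# paths are placeholders to be replaced with the real ones.
stream {
    # Per-client connection limit, so one misbehaving client cannot eat the
    # whole tcp-clients budget configured in named.conf.
    limit_conn_zone $binary_remote_addr zone=dot_per_ip:10m;

    upstream named_tcp {
        server 127.0.0.1:53;
    }

    server {
        listen 853 ssl;
        listen [::]:853 ssl;

        ssl_certificate     /etc/ssl/dot/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/ssl/dot/privkey.pem;     # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;
        # Android's DoT client reconnects often; a session cache turns most of
        # those reconnects into cheap resumptions instead of full handshakes.
        ssl_session_cache   shared:dot_sessions:10m;
        ssl_session_timeout 1h;

        limit_conn dot_per_ip 16;

        # Keep nginx's idea of "idle" in step with named's tcp-idle-timeout 50
        # (5 seconds) so both sides drop the connection at about the same time
        # instead of leaving half-open sessions on either end.
        proxy_connect_timeout 2s;
        proxy_timeout         5s;

        proxy_pass named_tcp;
    }
}
```

Because nginx opens the upstream connection itself, named sees every DoT client as 127.0.0.1, so allow-recursion, rate limiting and any other per-client ACL in named apply to the whole DoT population at once; per-client controls have to live in nginx. This needs an nginx built with the stream and stream_ssl modules.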


Re: DoH plugin for BIND

2020-04-29 Thread Victoria Risk


> On Apr 29, 2020, at 11:06 AM, Michael De Roover  wrote:
> 
> On that subject, how about DoT? I have mixed feelings about using 443 as a 
> kitchen sink port but encrypting DNS seems like a good idea.

We are planning to have DoT on the same timeline as DOH, so nobody has to 
choose one or the other based on availability.

> 
> On 4/29/20 9:40 AM, Evan Hunt wrote:
>>> Does BIND have a DoH plugin official?
>>> Or is there any guide to customize that one?
>> Not yet, but we plan to have a DoH implementation in named by the end of
>> this year.
>> 
>> In the meantime, there are DoH proxies that can run BIND as the back-end.
>> 
> -- 
> Met vriendelijke groet / Best regards,
> Michael De Roover

Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org







Re: DoH plugin for BIND

2020-04-29 Thread Michael De Roover
On that subject, how about DoT? I have mixed feelings about using 443 as 
a kitchen sink port but encrypting DNS seems like a good idea.


On 4/29/20 9:40 AM, Evan Hunt wrote:
>> Does BIND have a DoH plugin official?
>> Or is there any guide to customize that one?
>
> Not yet, but we plan to have a DoH implementation in named by the end of
> this year.
>
> In the meantime, there are DoH proxies that can run BIND as the back-end.


--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: DoH plugin for BIND

2020-04-29 Thread Tony Finch
Walter Peng  wrote:
>
> Does BIND have a DoH plugin official?
> Or is there any guide to customize that one?

You'll need to run a DoH proxy in front of BIND, for example
https://dnsdist.org/ - my DoH service uses
https://dotat.at/cgi/git/doh101.git

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fitzroy: West or southwest 6 to gale 8, perhaps severe gale 9 later. Rough or
very rough, occasionally high in north. Rain or thundery showers. Good,
occasionally poor.


Re: DoH plugin for BIND

2020-04-29 Thread Evan Hunt
> Does BIND have a DoH plugin official?
> Or is there any guide to customize that one?

Not yet, but we plan to have a DoH implementation in named by the end of
this year.

In the meantime, there are DoH proxies that can run BIND as the back-end.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


DoH plugin for BIND

2020-04-28 Thread Walter Peng

Hi

Does BIND have a DoH plugin official?
Or is there any guide to customize that one?

Thank you.