Re: Securing DNS traffic

To: Sad Clouds <cryintothebluesky%gmail.com@localhost>
Subject: Re: Securing DNS traffic
From: Brett Lymn <blymn%internode.on.net@localhost>
Date: Sat, 23 May 2020 08:09:47 +0930

On Fri, May 22, 2020 at 10:38:19PM +0100, Sad Clouds wrote:
> 
> 2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
> port 853 and could be over TCP or UDP (DTLS), although it's not clear
> to me if both TCP and UDP are always supported, of if it's mainly TCP.
> 

 Assuming dns over tls is the same as normal dns then you need both.  With normal
dns the requests go over udp, most of the time that will work but if the remote
server determines that the response cannot fit into a udp packet it will send back a
"try the query again over tcp" response at which point the dns client will use tcp.
It drives me to distraction the number of people who have the incorrect idea that
named only uses tcp for zone transfers so firewall it off and then make wild
accusations that some sites dns is busted because they are dropping the tcp dns
responses.

> 
> What I'm not sure about is this - unbound(8) has "root-hints" that
> points to root DNS servers and it will handle recursive queries, but it
> can also specify "forward-zone" where it can forward to Cloudflare or
> Google recursive DNS servers. Both of these solution would resolve DNS
> names. So which one of them takes precedence and under what conditions?
> Why have both active at the same time? Is one option better/more secure
> than the other?
> 

You need root hints if you want to do your own recursive dns resolution. You dont
have use forwarding at all. The root hints are there to tell your name server where
to start when it is resolving a query. You can choose to forward all name resolution
off to another server, you dont need root hints then but you are at the mercy of
that remote dns server as to what you get back. You can mix it up and do some
recursive resolution yourself but forward some domains to other name servers, this
is called conditional forwarding and can be useful if you cannot reach the
authorative name servers for a domain due to, say, geoblocking firewall rules or the
like.  The most likely reason for running your own name server is either you want a
local cache to speed up repeated requests or that you have some domain you need
local control over.

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"

References:
- Securing DNS traffic
  - From: Sad Clouds

Prev by Date: Re: NetBSD Jails
Next by Date: Re: Securing DNS traffic
Previous by Thread: Securing DNS traffic
Next by Thread: Re: Securing DNS traffic
Indexes:

Home | Main Index | Thread Index | Old Index