Re: Securing DNS traffic

To: Havard Eidnes <he%NetBSD.org@localhost>
Subject: Re: Securing DNS traffic
From: Sad Clouds <cryintothebluesky%gmail.com@localhost>
Date: Sun, 24 May 2020 09:06:29 +0100

On Sat, 23 May 2020 11:38:18 +0200 (CEST)
Havard Eidnes <he%NetBSD.org@localhost> wrote:

> With your own recursor which implements query minimization, and by
> having multiple clients actively using it, you leak far less about
> your lookup history than by forwarding all your full DNS client
> queries to one of the above.  Obviously, this comes at a price --
> lookup times will be longer while the cache warms up, and caching is
> less effective the fewer clients you have using the cache.  Plus, of
> course, the outgoing queries from your recursor will be in
> cleartext.
> 
> Just saying...
> 
> - Håvard

OK, so I understand that root servers probably won't support TLS, but
some authoritative servers may support TLS (aka ADoT). But I don't seem
to find a way to tell unbound "use TLS opportunistically, wherever
possible". Isn't there some record (similar to DNSSEC RRSIG) that tells
unbound which servers actually support TLS?

So this config doesn't work, and DNS queries time out, as it is always
trying to use DNS over TLS (aka DoT), even if servers don't support it.

server:
  tls-upstream: yes

Follow-Ups:
- Re: Securing DNS traffic
  - From: Havard Eidnes

References:
- Securing DNS traffic
  - From: Sad Clouds
- Re: Securing DNS traffic
  - From: Jeffrey Walton
- Re: Securing DNS traffic
  - From: Havard Eidnes

Prev by Date: Re: [SOLVED-ish] Performance weirdness with netbsd-9 /usr/bin/grep
Next by Date: Re: Securing DNS traffic
Previous by Thread: Re: Securing DNS traffic
Next by Thread: Re: Securing DNS traffic
Indexes:

Home | Main Index | Thread Index | Old Index