DoH plugin for BIND

Michael De Roover isc at nixmagic.com
Thu Apr 30 12:45:42 UTC 2020


Thanks a lot for the detailed reply. That should be pretty 
straightforward to set up then, as I'm already using nginx for some 
other things and Debian appears to be using BIND 9.11.5 now. Until BIND 
gets native DoT/DoH support I'll probably run it behind nginx as well then.

On 4/29/20 10:19 PM, Tony Finch wrote:
> Michael De Roover <isc at nixmagic.com> wrote:
>
>> On that subject, how about DoT?
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:
>
> http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
>
> Note that if you enable DoT on port 853 on your normal DNS resolvers then
> Android devices will use it automatically. (I get a lot more DoT traffic
> than DoH traffic!) So it's worth tuning timeouts to control the number of
> concurrent TLS and TCP sessions on your server. Android's DoT client is
> very well-behaved so the server-side configuration knobs work nicely. Use
> BIND 9.11 or newer so you can support concurrent queries on one
> connection. As well as the nginx timeouts you can see at the link above,
> my named.conf has:
>
> 	tcp-clients 1234;
> 	tcp-idle-timeout 50; # 5 seconds
> 	tcp-initial-timeout 25; # 2.5s minimum permitted
> 	tcp-keepalive-timeout 50; # 5 seconds
> 	tcp-advertised-timeout 50; # 5 seconds
>
> The timeouts are short because they don't need to allow for much slowness
> on our metropolitan-area fibre network. 5 seconds is based on my rough
> eyeball assessment of when typical DoT connections are unlikely to be
> re-used. The number of TCP clients is a guess.
>
> Tony.
-- 
Met vriendelijke groet / Best regards,
Michael De Roover
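The arrangement discussed above (nginx terminating TLS on port 853 and handing the raw DNS-over-TCP stream to BIND) as an added example. This is not Tony's nginx.conf from the linked repository and not part of the original thread; the certificate paths, the 127.0.0.1:53 backend and the specific timeout values are assumptions chosen to match the short timeouts in the quoted named.conf.

```nginx
# Added example, not the configuration from the thread. Minimal nginx "stream"
# block that terminates TLS for DoT and forwards plain DNS-over-TCP to a local
# BIND. Certificate paths, backend address and timeouts are assumptions.
stream {
    # Cache TLS sessions so returning clients can resume instead of doing a
    # full handshake each time they reconnect.
    ssl_session_cache   shared:dot:10m;
    ssl_session_timeout 1h;

    server {
        listen 853 ssl;          # DoT port (RFC 7858); Android probes it automatically
        listen [::]:853 ssl;

        ssl_certificate     /etc/letsencrypt/live/dns.example.net/fullchain.pem;  # assumed path
        ssl_certificate_key /etc/letsencrypt/live/dns.example.net/privkey.pem;    # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Bound what an idle or stalled client can hold open; these are the
        # proxy-side counterparts of the tcp-*-timeout options in named.conf.
        ssl_handshake_timeout 5s;   # drop clients that stall mid-handshake
        proxy_connect_timeout 2s;   # BIND is local, so a slow connect means it is down
        proxy_timeout         5s;   # close the session after 5s with no traffic in either direction

        # Forward the decrypted stream as ordinary DNS over TCP to the local BIND.
        proxy_pass 127.0.0.1:53;
    }
}
```

The quoted named.conf values are in tenths of a second (BIND 9.11's tcp-idle-timeout and friends), which is why 50 is annotated as 5 seconds; proxy_timeout 5s above is set to the same figure so that the proxy and BIND give up on an idle session at roughly the same time rather than one side holding connections the other has already closed. Because nginx opens a separate TCP connection to BIND for each TLS session, tcp-clients in named.conf still bounds the total number of concurrent DoT sessions the resolver will serve.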