DoH plugin for BIND
ca at nodns4.us
Sat May 2 19:31:28 UTC 2020
On 2020-05-02 13:23, Erich Eckner wrote:
> Will there be client-side DoT/DoH support in bind, too? E.g. will my
> recursive (or forwarding) resolver be able to resolve upstream dns via
Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered DoT/DoH,
and I don't think that's likely to happen.
Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.
I can't speak for ISC about their DoT/DoH intentions, but I would
expect they'll do it both as server and as client (of a forwarder.)
Note that DoT/DoH typically only encrypts the enduser-to-resolver hop,
beyond which it's just standard unencrypted DNS. Of course named as
DoT/DoH client could encrypt the hop to a forwarder, but again, just
standard DNS is used beyond that point.
> those? I don't see, how I could use a reverse proxy or stunnel to
> achieve this, currently (assuming, the authoritative dns server
> supports DoT and/or DoH, of course),
If this is so, there's still, to my knowledge, no protocol for it.
How would a nameserver know which NS hosts to send DoH/DoT queries
to? DNS needs to be fast, and DoH/DoT upstream could create very
> because I would need one stunnel
> per upstream dns server which I do not know in advance - right?
I guess the DoH/DoT thing came about as a means of dealing with (or
bypassing) nosy and greedy and dishonest ISPs. But then you're giving
all your queries to an upstream forwarder. Are you sure they are
more trustworthy? :)
What I wonder, at the possible cost of thread hijacking (sorry!) is,
are any ISPs actively sniffing their customers iterative queries? It
certainly is possible, but I expect it would be too much work.
I do know that an ISP of which I was formerly (!) a customer would
sometimes redirect my DNS traffic to their own recursive resolvers.
Since I was running my own nameserver all I could get during those
times were tons of "lame server" logs and DNSSEC failures.
If this is the case for you, I'd suggest doing as I did: vote with
your feet; give your money to a better ISP.
If your home/office network is secure from hostile users which can
sniff traffic, DoH/DoT offers you nothing at all on that hop.
More information about the bind-users