DoH plugin for BIND

Chuck Aurora ca at
Sat May 2 19:31:28 UTC 2020

On 2020-05-02 13:23, Erich Eckner wrote:
> Will there be client-side DoT/DoH support in bind, too? E.g. will my
> recursive (or forwarding) resolver be able to resolve upstream dns via

Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered DoT/DoH,
and I don't think that's likely to happen.

Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.

I can't speak for ISC about their DoT/DoH intentions, but I would
expect they'll do it both as server and as client (of a forwarder.)

Note that DoT/DoH typically only encrypts the enduser-to-resolver hop,
beyond which it's just standard unencrypted DNS.  Of course named as
DoT/DoH client could encrypt the hop to a forwarder, but again, just
standard DNS is used beyond that point.

> those? I don't see, how I could use a reverse proxy or stunnel to
> achieve this, currently (assuming, the authoritative dns server
> supports DoT and/or DoH, of course),

If this is so, there's still, to my knowledge, no protocol for it.
How would a nameserver know which NS hosts to send DoH/DoT queries
to?  DNS needs to be fast, and DoH/DoT upstream could create very
significant lag.

> because I would need one stunnel
> per upstream dns server which I do not know in advance - right?


I guess the DoH/DoT thing came about as a means of dealing with (or
bypassing) nosy and greedy and dishonest ISPs.  But then you're giving
all your queries to an upstream forwarder.  Are you sure they are
more trustworthy? :)

What I wonder, at the possible cost of thread hijacking (sorry!) is,
are any ISPs actively sniffing their customers iterative queries?  It
certainly is possible, but I expect it would be too much work.

I do know that an ISP of which I was formerly (!) a customer would
sometimes redirect my DNS traffic to their own recursive resolvers.
Since I was running my own nameserver all I could get during those
times were tons of "lame server" logs and DNSSEC failures.

If this is the case for you, I'd suggest doing as I did: vote with
your feet; give your money to a better ISP.

If your home/office network is secure from hostile users which can
sniff traffic, DoH/DoT offers you nothing at all on that hop.

More information about the bind-users mailing list