NetBSD-Users archive


Re: Securing DNS traffic



On Sat, 23 May 2020 11:38:18 +0200 (CEST)
Havard Eidnes <he%NetBSD.org@localhost> wrote:

> With your own recursor which implements query minimization, and by
> having multiple clients actively using it, you leak far less about
> your lookup history than by forwarding all your full DNS client
> queries to one of the above.  Obviously, this comes at a price --
> lookup times will be longer while the cache warms up, and caching is
> less effective the fewer clients you have using the cache.  Plus, of
> course, the outgoing queries from your recursor will be in
> cleartext.
> 
> Just saying...
> 
> - Håvard

OK, so I understand that root servers probably won't support TLS, but
some authoritative servers may support TLS (aka ADoT). But I don't seem
to find a way to tell unbound "use TLS opportunistically, wherever
possible". Isn't there some record (similar to DNSSEC RRSIG) that tells
unbound which servers actually support TLS?

So this config doesn't work, and DNS queries time out, as it is always
trying to use DNS over TLS (aka DoT), even if servers don't support it.

server:
  tls-upstream: yes
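For contrast, here is an added unbound.conf example (not from the thread or from the unbound project) showing the two layouts the discussion implies: a local recursor with query minimisation and cleartext iteration, versus a forwarder that speaks DoT to one upstream. The forwarder address, its certificate name and the CA bundle path are placeholders.

```conf
# Added example, not the poster's config. Contrasts two ways to set up unbound.
#
# What the post tried:
#   server:
#     tls-upstream: yes
# That option applies TLS to every outbound query, including iterative queries
# to root, TLD and authoritative servers, which mostly do not listen on 853,
# so resolution times out. It is meant for forwarding setups, not recursion.

# --- Layout A: own recursor. Outgoing queries stay cleartext, but caching
# and qname minimisation mean each server only sees the labels it needs.
server:
  interface: 127.0.0.1
  access-control: 127.0.0.0/8 allow
  qname-minimisation: yes        # RFC 7816 minimisation of upstream queries
  # No tls-upstream here: iteration to authoritative servers is plain DNS.

# --- Layout B: forward everything over DNS-over-TLS to one resolver.
# Encrypted on the wire, but that single operator sees the full query history
# (the trade-off the thread describes). Use one server block or the other.
#server:
#  interface: 127.0.0.1
#  access-control: 127.0.0.0/8 allow
#  tls-cert-bundle: "/etc/openssl/certs/ca-certificates.crt"  # assumed path
#forward-zone:
#  name: "."
#  forward-tls-upstream: yes      # TLS only for this forwarder, not for recursion
#  # Placeholder forwarder (TEST-NET-2 address). The name after '#' is what
#  # unbound checks against the server certificate.
#  forward-addr: 192.0.2.53@853#dot.resolver.example
```

Run unbound-checkconf on the result before restarting the daemon; it catches a misplaced tls-upstream or a forward-addr with a malformed authentication name.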

