Jim.Alles (Untangle Ninja)

    DNS over TLS (DoT): A camel in the bikeshed?

    From the mailing list searches, mainly.

    Inverted thread from 2019:

    > Am 30. Juli 2019 02:58:19 MESZ schrieb "Normen B. Kowalewski"
    > <nbkowalew...@gmx.net>:
    >> Hi Simon,
    >>
    >> I would love to have my HG funnel all local LAN DNS queries through a
    >> properly TLS secured path towards my trusted DNS of choice.
    >>
    >> I stumbled upon a several year old archive thread where you were
    >> considering DNS-over-TLS support:
    >> https://dnsmasq-discuss.thekelleys.o...f/dns-over-tls
    >>
    >> Are you seeing this still as something in the future of dnsmasq native
    >> implementation, without extra external proxy function like stubby?
    >>
    >> BR, Normen
    >>
    >>


    > On 30. Jul 2019, at 09:03, Dominik <dl...@dl6er.de> wrote:
    >
    > Hey Normen,
    >
    > What is the precise goal you want to achieve with DNS-over-TLS?
    >
    > You have to connect to the host before the encryption begins. So, after the
    > browser has the IP address for the domain it seeks, it requests that host
    > address in clear text. If you want to hide your browsing from your ISP, this
    > is the point where you have inevitably lost without a VPN. Only after a connection
    > has been established, the TLS handshake process begins and the encryption is
    > operational.
    >
    > As such, DoH and DoT do nothing to increase your privacy against your ISP.
    > They can still see your IP requests if they want, and a third party DNS
    > service has your entire DNS history. You do have the benefit of authenticity,
    > in that the DNS travels in an encrypted tunnel with protection from a third
    > party modifying it. However, when you use DNSSEC, you already get the same
    > security benefits.
    >
    > From a privacy point of view, I typically recommend running a local unbound
    > instance on the same machine that does reverse lookups and DNSSEC
    > authentication for you. By this, no single DNS provider has all your data.
    >
    > Your view might differ from mine; it's always a question of whom you trust
    > more over the others. There is no solution where you don't have to trust,
    > e.g., either your ISP or a VPN provider. I just know that I trust my local ISP
    > over some random large scale "for free" DNS provider, which is why I have my
    > local unbound resolver in addition to dnsmasq.
    >
    > Best,
    > Dominik
    >

    Hi Dominik,

    If an operator you trust offers DoT with DNSSEC validated name and pinned
    certificate - would you trust this more than if all happens in the clear?
    At least it allows me to make sure that there are just two places where my DNS
    is in the clear - on the HG and on the DNS service endpoint I trust.

    BR,

    Normen


    https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg13049.html

    2018:
    On 18/04/18 16:44, Daniel wrote:
    > Hello,
    >
    > In October, 2017 Matt Taggart ask for an updated opinion on supporting
    > DNS-over-TLS, but didn't receive any responses.
    >
    > http://lists.thekelleys.org.uk/piper...q4/011804.html
    >
    > Is this something Dnsmasq is interested in adding native support for, or
    > is a proxy-based solution going to remain the recommended configuration?


    Native support is a non-trivial amount of effort. It requires that
    dnsmasq use TCP routinely for upstream communication, which it doesn't
    currently do (and can't, for reasons about the way concurrency is
    managed and the emphasis on storing the minimal amount of state
    possible to keep dnsmasq resource use low.)

    There's quite a strong argument that the proxy-based solution is
    actually the optimal way to implement this. Why reproduce the logic for
    connection management, sharing and garbage collection which the proxy
    has, when the proxy already does it, and the interface between that
    function and what dnsmasq already does with UDP DNS queries is a good one?

    Is DNS-over-TLS something that would be used, or just another solution
    looking for a problem? By chance I came across this today:

    https://blog.apnic.net/2018/04/10/opinion-stuffing-the-camel-into-the-bikeshed/

    Arguably, dnsmasq survives by picking and implementing the DNS features
    that people actually want, rather than attempting to swallow the whole
    camel. Is TLS wanted, or camel?


    Cheers,

    Simon.
    https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg12016.html
    Last edited by Jim.Alles; 09-29-2020 at 11:42 AM.
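The "proxy-based" split that both Simon and Dominik describe, written out as an added example (not code from the thread or from either project): dnsmasq keeps answering the LAN over plain UDP and forwards only to a local unbound, which validates DNSSEC and speaks DoT upstream. The upstream address and auth name are placeholders (TEST-NET-1 and an example hostname); the port 5335 and file paths are assumptions for a typical Linux install.

```shell
# Generate the two config files for the dnsmasq -> local unbound -> DoT split.
# Unbound verifies the upstream certificate against the CA bundle and checks
# that it matches the '#authname' given on forward-addr (a hostname pin, not a
# SPKI pin), so DNS is in the clear only on this box and at the upstream.
write_split_resolver_conf() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/unbound.conf" <<'EOF'
server:
    # Only dnsmasq on this host talks to unbound.
    interface: 127.0.0.1@5335
    access-control: 127.0.0.0/8 allow
    # DNSSEC validation with an auto-maintained root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to verify the DoT upstream's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    qname-minimisation: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # PLACEHOLDER upstream: replace with the DoT resolver you actually trust.
    forward-addr: 192.0.2.53@853#dot.example.net
EOF
    cat > "$dir/dnsmasq.d-dot.conf" <<'EOF'
# Ignore upstreams from /etc/resolv.conf; the local unbound is the only one.
no-resolv
server=127.0.0.1#5335
# Pass unbound's AD (authenticated data) bit through to LAN clients.
proxy-dnssec
cache-size=1000
EOF
}

# Usage: write_split_resolver_conf /tmp/dot-split
# then copy unbound.conf to /etc/unbound/ and dnsmasq.d-dot.conf to /etc/dnsmasq.d/
```

Run `unbound-checkconf` on the generated unbound.conf before deploying it, since trust-anchor and CA-bundle paths differ between distributions.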
