[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
- Subject: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
- From: jeroen at massar.ch (Jeroen Massar)
- Date: Wed, 18 Sep 2019 12:51:53 +0200
- In-reply-to: <[email protected]>
- References: <[email protected]> <[email protected]>
On 2019-09-18 12:24, Brian J. Murrell wrote:
> On Wed, 2019-09-18 at 09:15 +0200, Jeroen Massar wrote:
>> Hi Folks,
>> While in the US soon all Firefox users will *NOT* use your DNS
>> Recursives configured using DHCP anymore
>> (NXDOMAIN use-application-dns.net to avoid that).
> What am I misunderstanding? Isn't use-application-dns.net supposed to
> return A results until "defeated"? I have not configured my own DNS
> server to NXDOMAIN that yet, however:
That just means that somebody broke that setup as it worked last week and was pointing to Github Pages serving:
Maybe Google does not want Mozilla/CloudFlare to get all the DoH queries? :)
Nah likely just a failure somewhere, as both are supported heavily by Google (if there was no competition then Google would truly have a monopoly in the browser market and that would be bad, at least with them funding Mozilla and CF through the backdoor it looks like it isn't a monopoly as there "is that other thing")
There is a little thread about that domain here on dns-operations:
use-application-dns.net. 172800 IN NS ns-cloud-b1.googledomains.com.
use-application-dns.net. 172800 IN NS ns-cloud-b2.googledomains.com.
use-application-dns.net. 172800 IN NS ns-cloud-b3.googledomains.com.
use-application-dns.net. 172800 IN NS ns-cloud-b4.googledomains.com.
$ dig @ns-cloud-b1.googledomains.com. use-application-dns.net. a
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21669
that is from my test host, but of course, from my other hosts it nicely NXDOMAINs.... but those hosts also route 220.127.116.11/18.104.22.168/22.214.171.124 and the IPv6 equivalents and many other such IPs (OpenDNS, etc and even root servers) to the local anycasted edition.... cause I don't want that in my networks.
Then again, as that makes me not a sheep, I am likely more visible anyway...