DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
- Subject: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
- From: nanog at ics-il.net (Mike Hammett)
- Date: Wed, 18 Sep 2019 09:19:28 -0500 (CDT)
- In-reply-to: <[email protected]>
- References: <[email protected]>
Why on Earth would anyone want that (Firefox deciding to do its own DNS) as default behavior?
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "Jeroen Massar" <jeroen at massar.ch>
To: "NANOG" <nanog at nanog.org>
Sent: Wednesday, September 18, 2019 2:15:49 AM
Subject: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
While in the US soon all Firefox users will *NOT* use your DNS Recursives configured using DHCP anymore
(NXDOMAIN use-application-dns.net to avoid that).
Next to that, it seems some of the root operators are now creating instances in the same networks that offer these kinds of services for globally figuring out what queries are being made.
For those that thus either opt-out or otherwise want to use their own system resolvers, I suggest that all that run
DNS Recursive setups enable "QNAME minimization" as defined in (experimental) RFC7816 
For pdns "qname-minimization=yes" 
For unbound "qname-minimisation: yes" 
For BIND "qname-minimization" option  and 
Of course, do also provide your users with the option of using DoT or even DoH on your recursors...
Noting that DoH operators are supposed to enable RFC7816 also , guess they do not want others to see all the details they get...
Some more details in DNS Privacy Wiki ...
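
As an added illustration (not part of either message above), this Python sketch models which query names the servers at each level of the delegation chain see with and without RFC 7816 QNAME minimisation. The domain name, the zone cuts and the helper functions are constructed for the example; no real DNS queries are made.

```python
# Added example: models RFC 7816 behaviour offline. The sample name and the
# zone cuts are constructed data; queries_seen/names_seen_by are hypothetical.

def _labels(name):
    return [l for l in name.rstrip(".").lower().split(".") if l]

def _join(labels):
    return ".".join(labels) + "." if labels else "."

def queries_seen(qname, qtype, zone_cuts, minimise):
    """Return [(zone whose servers are asked, qname sent, qtype sent), ...].

    zone_cuts: delegated zones on the path to qname (the root is implied).
    """
    labels = _labels(qname)
    cuts = {_join(_labels(z)) for z in zone_cuts} | {"."}
    full = _join(labels)
    seen = []
    if not minimise:
        # Classic resolver: full name and type go to every zone on the path.
        for n in range(len(labels) + 1):
            suffix = _join(labels[len(labels) - n:])
            if suffix in cuts:
                seen.append((suffix, full, qtype))
        return seen
    zone = "."
    for n in range(1, len(labels) + 1):
        # Minimising resolver: reveal one more label at a time, asking for NS
        # until the full name is reached, then send the original type.
        suffix = _join(labels[len(labels) - n:])
        last = n == len(labels)
        seen.append((zone, suffix, qtype if last else "NS"))
        if suffix in cuts:
            zone = suffix              # referral: descend into the child zone
            if last:                   # full name is itself a zone apex
                seen.append((zone, suffix, qtype))
    return seen

def names_seen_by(seen, zone):
    """Set of query names exposed to the servers of `zone`."""
    return {name for z, name, _ in seen if z == zone}

SAMPLE_QNAME = "www.secret-project.example.com."   # constructed
SAMPLE_CUTS = {"com.", "example.com."}             # constructed

if __name__ == "__main__":
    for mode in (False, True):
        print("minimised" if mode else "classic")
        for zone, name, qt in queries_seen(SAMPLE_QNAME, "A", SAMPLE_CUTS, mode):
            print(f"  servers for {zone:<13} see {name} {qt}")
```
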