DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
- Subject: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
- From: cmaurand at xyonet.com (Curtis Maurand)
- Date: Fri, 27 Sep 2019 13:33:17 -0400
- In-reply-to: <471000904.3915.1568816367898.JavaMail.mhammett@ThunderFuck>
- References: <[email protected]> <471000904.3915.1568816367898.JavaMail.mhammett@ThunderFuck>
powerdns dnsdist supports dns over https so you don't have to be held
hostage by cloudflare or google.
On 9/18/19 10:19 AM, Mike Hammett wrote:
> Why on Earth would anyone want that (Firefox deciding to do its own
> DNS) as default behavior?
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL><https://plus.google.com/+IntelligentComputingSolutionsDeKalb><https://www.linkedin.com/company/intelligent-computing-solutions><https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix><https://www.linkedin.com/company/midwest-internet-exchange><https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp><https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------------------------------------------------
> *From: *"Jeroen Massar" <jeroen at massar.ch>
> *To: *"NANOG" <nanog at nanog.org>
> *Sent: *Wednesday, September 18, 2019 2:15:49 AM
> *Subject: *DNS Recursive Operators: Please enable QNAME minimization
> (RFC7816) for the enhanced privacy of your users
>
> Hi Folks,
>
> While in the US soon all Firefox users will *NOT* use your DNS
> Recursives configured using DHCP anymore
> (NXDOMAIN use-application-dns.net to avoid that[1]).
> Next to that, it seems some of the root operators are now creating
> instances in the same networks that offer these kinds of services for
> globally figuring out what queries are being made.
>
>
> For those that thus either opt-out or otherwise want to use their own
> system resolvers, I suggest that all that run
> DNS Recursive setups enable "QNAME minimization" as defined in
> (experimental) RFC7816 [2]
>
> For pdns "qname-minimization=yes" [6]
> For unbound "qname-minimisation: yes" [5]
> For BIND "qname-minimization" option [3] and [4]
>
> Of course, do also provide your users with the option of using DoT or
> even DoH on your recursors...
>
> Noting that DoH operators are supposed to enable RFC7816 also [7],
> guess they do not want others to see all the details they get...
>
> Some more details in DNS Privacy Wiki [8]...
>
> Discuss! :)
>
> Greets,
> Jeroen
>
>
> [1]
> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> [2] https://tools.ietf.org/html/rfc7816
> [3] https://www.isc.org/blogs/qname-minimization-and-privacy/
> [4] https://gitlab.isc.org/isc-projects/bind9/issues/16
> [5] https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf
> [6] https://github.com/PowerDNS/pdns/issues/2311
> [7] https://wiki.mozilla.org/Security/DOH-resolver-policy
> [8] https://dnsprivacy.org/wiki/
>
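The RFC 7816 behaviour Jeroen asks operators to enable, simulated as an added example (not code from the thread or from any of the resolvers named): given a constructed zone layout and the delegations a resolver already has cached, it lists the query each authoritative zone receives with and without QNAME minimisation.

```python
"""RFC 7816 QNAME minimisation, simulated. Constructed example, not code from
the thread: the zone layout and cached delegations below are made up."""
from typing import List, Sequence, Tuple

Query = Tuple[str, str, str]  # (zone asked, QNAME sent, QTYPE)

def labels(name: str) -> List[str]:
    """'www.example.com.' -> ['www', 'example', 'com']; root '.' -> []."""
    return [x for x in name.rstrip(".").split(".") if x]

def ancestor_zones(qname: str, zones: Sequence[str]) -> List[str]:
    """Zones from `zones` that enclose qname, shallowest first."""
    q = labels(qname)
    hits = [z for z in zones if q[len(q) - len(labels(z)):] == labels(z)]
    return sorted(hits, key=lambda z: len(labels(z)))

def full_queries(qname: str, qtype: str, cached: Sequence[str],
                 cuts: Sequence[str]) -> List[Query]:
    """Classic resolution: every zone on the path from the closest cached
    delegation down to the authoritative one receives the complete QNAME."""
    path = ancestor_zones(qname, cuts)
    start = path.index(ancestor_zones(qname, cached)[-1])
    return [(z, qname, qtype) for z in path[start:]]

def minimised_queries(qname: str, qtype: str, cached: Sequence[str],
                      cuts: Sequence[str]) -> List[Query]:
    """RFC 7816 sect. 2: from the closest cached delegation add one label at a
    time and ask the current zone for NS of the partial name; a referral moves
    to the child zone, NODATA stays.  Only the last step carries the full
    QNAME and the real QTYPE, so parent zones never see either."""
    q = labels(qname)
    zone = ancestor_zones(qname, cached)[-1]
    out: List[Query] = []
    for depth in range(len(labels(zone)) + 1, len(q) + 1):
        partial = ".".join(q[len(q) - depth:]) + "."
        if depth < len(q):
            out.append((zone, partial, "NS"))      # probe for a zone cut
            if partial in cuts:
                zone = partial                     # referral: descend
            continue
        out.append((zone, partial, qtype))         # full name, real type
        if partial in cuts and zone != partial:    # referral on last step
            out.append((partial, partial, qtype))
    return out

if __name__ == "__main__":
    CUTS, CACHED = [".", "com.", "example.com."], [".", "com."]  # constructed
    for tag, fn in (("full", full_queries), ("minimised", minimised_queries)):
        for zone, name, qt in fn("www.mail.example.com.", "A", CACHED, CUTS):
            print(f"{tag:9} ask {zone:13} {qt:3} {name}")
```

In the constructed layout the com. servers see only "example.com." under minimisation instead of the full "www.mail.example.com." they receive today.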