[Dnsmasq-discuss] DNS-over-TLS
Matt Taggart
2017-10-20 00:16:02 UTC
Hi,

Back in Sept 2015 I started a thread about DNS-over-TLS

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q3/009833.html

Since then there is now RFC7858 ( https://tools.ietf.org/html/rfc7858 )
and port 853 (tcp) has been assigned for this use.

The following have support:
* unbound https://unbound.net/
* knot-resolver https://www.knot-resolver.cz/
* stubby https://dnsprivacy.org/wiki/display/DP/About+Stubby

Will dnsmasq get native support or will you recommend some sort of proxy solution instead?

If you need servers to test against, there is a list at
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

Thanks,
--
Matt Taggart
***@riseup.net
Lonnie Abelbeck
2018-04-16 21:02:33 UTC
Post by Matt Taggart
Hi,
Back in Sept 2015 I started a thread about DNS-over-TLS
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q3/009833.html
Since then there is now RFC7858 ( https://tools.ietf.org/html/rfc7858 )
and port 853 (tcp) has been assigned for this use.
* unbound https://unbound.net/
* knot-resolver https://www.knot-resolver.cz/
* stubby https://dnsprivacy.org/wiki/display/DP/About+Stubby
Will dnsmasq get native support or will you recommend some sort of proxy solution instead?
If you need servers to test against, there is a list at
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
Thanks,
--
Matt Taggart
Our project (AstLinux) just added getdns/stubby as a DNS-TLS proxy in front of dnsmasq; so far it is working great!

Personally, I have selected Quad9 as my provider; they seem to do DNS-TLS quite well and support the 10-second idle connection timeout in my stubby config, reducing new TLS connections.

-- snippet /etc/dnsmasq.conf --
no-resolv
proxy-dnssec
server=127.0.0.1#2853
--

-- snippet /etc/stubby/stubby.yml --
listen_addresses:
  - ***@2853
--

I do not enable DNSSEC validation in either stubby or dnsmasq; Quad9 does the DNSSEC validation, with "proxy-dnssec" in dnsmasq passing it down.

-- snippet /etc/stubby/stubby.yml --
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::fe
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
--

So far this works very nicely in our development testing.

Lonnie
Lonnie Abelbeck
2018-05-05 15:41:34 UTC
Post by Lonnie Abelbeck
Post by Matt Taggart
Hi,
Back in Sept 2015 I started a thread about DNS-over-TLS
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q3/009833.html
Since then there is now RFC7858 ( https://tools.ietf.org/html/rfc7858 )
and port 853 (tcp) has been assigned for this use.
* unbound https://unbound.net/
* knot-resolver https://www.knot-resolver.cz/
* stubby https://dnsprivacy.org/wiki/display/DP/About+Stubby
Will dnsmasq get native support or will you recommend some sort of proxy solution instead?
If you need servers to test against, there is a list at
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
Thanks,
--
Matt Taggart
Our project (AstLinux) just added getdns/stubby as a DNS-TLS proxy in front of dnsmasq; so far it is working great!
Personally, I have selected Quad9 as my provider; they seem to do DNS-TLS quite well and support the 10-second idle connection timeout in my stubby config, reducing new TLS connections.
-- snippet /etc/dnsmasq.conf --
no-resolv
proxy-dnssec
server=127.0.0.1#2853
--
-- snippet /etc/stubby/stubby.yml --
--
I do not enable DNSSEC validation in either stubby or dnsmasq; Quad9 does the DNSSEC validation, with "proxy-dnssec" in dnsmasq passing it down.
Apologies for following up on my own post ...

DNSSEC question: is there any benefit to enabling local DNSSEC resolution in stubby (DNSSEC disabled in dnsmasq) with "proxy-dnssec" and a DNSSEC provider like Quad9 or Cloudflare?

The only difference I see is the signing algorithms available ( https://rootcanary.org/test.html ).

Lonnie

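With "proxy-dnssec", dnsmasq only copies the AD bit it receives from upstream, so in the setup above the DNSSEC assurance rests entirely on stubby's authenticated TLS path to Quad9 (the tls_auth_name check). The following added example is not AstLinux, stubby or dnsmasq code: it is a minimal RFC 7858 client that sends one query directly to a DNS-over-TLS server with certificate and hostname verification and reports whether the AD bit came back, which is the check a practitioner would want both for the proxy setup and for the DNSSEC follow-up question. The query name "example.com" and the transaction id are constructed test values; the server address and auth name are the ones from the stubby snippet.

```python
import socket
import ssl
import struct

AD_BIT = 0x0020   # Authenticated Data flag in the DNS header (RFC 4035)
RD_BIT = 0x0100   # Recursion Desired

def build_query(qname, qtype=1, txid=0x1234):
    """Build a wire-format DNS query for `qname` (type A by default).
    Setting AD in the query asks a validating resolver to report AD in
    the reply even without the EDNS DO bit (RFC 6840 section 5.7)."""
    header = struct.pack("!HHHHHH", txid, RD_BIT | AD_BIT, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return the header fields that matter here: whether the upstream
    validated the answer (AD) and the response code."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "ad": bool(flags & AD_BIT), "rcode": flags & 0x000F}

def frame(msg):
    """TCP/TLS DNS framing: 2-byte big-endian length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection")
        buf += chunk
    return buf

def dot_query(qname, server, tls_auth_name, port=853):
    """Query `server` over TLS, verifying the certificate chain and that it
    matches `tls_auth_name`, as stubby does. Raises on any TLS failure."""
    ctx = ssl.create_default_context()  # CA verification + hostname check on
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_auth_name) as tls:
            tls.sendall(frame(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_header(recv_exact(tls, length))

if __name__ == "__main__":
    # Values from the stubby snippet in this thread; needs network access.
    print(dot_query("example.com", "9.9.9.9", "dns.quad9.net"))
```

A result with "ad": True means the upstream validated the answer itself; a reply with "ad": False for a signed zone is what proxy-dnssec would pass down unchanged to clients.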
Daniel
2018-04-18 15:44:17 UTC
Hello,

In October 2017 Matt Taggart asked for an updated opinion on supporting
DNS-over-TLS, but didn't receive any responses.

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q4/011804.html

Is this something Dnsmasq is interested in adding native support for, or is
a proxy-based solution going to remain the recommended configuration?

Thank you,
Daniel White
Simon Kelley
2018-04-20 21:25:32 UTC
On 18/04/18 16:44, Daniel wrote:
Post by Daniel
Hello,
In October 2017 Matt Taggart asked for an updated opinion on supporting
DNS-over-TLS, but didn't receive any responses.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q4/011804.html
Is this something Dnsmasq is interested in adding native support for, or
is a proxy-based solution going to remain the recommended configuration?
Native support is a non-trivial amount of effort. It requires that
dnsmasq use TCP routinely for upstream communication, which it doesn't
currently do (and can't, for reasons about the way concurrency is
managed and the emphasis on storing the minimal amount of state
possible to keep dnsmasq resource use low.)

There's quite a strong argument that the proxy-based solution is
actually the optimal way to implement this. Why reproduce the logic for
connection management, sharing and garbage collection which the proxy
has, when the proxy already does it, and the interface between that
function and what dnsmasq already does with UDP DNS queries is a good one?

Is DNS-over-TLS something that would be used, or just another solution
looking for a problem? By chance I came across this today:

https://blog.apnic.net/2018/04/10/opinion-stuffing-the-camel-into-the-bikeshed/

Arguably, dnsmasq survives by picking and implementing the DNS features
that people actually want, rather than attempting to swallow the whole
camel. Is TLS wanted, or camel?


Cheers,

Simon.
Post by Daniel
Thank you,
Daniel White
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss