Michael De Roover <i...@nixmagic.com> wrote:
> On that subject, how about DoT?
DoT is easier since you only need a raw TLS reverse proxy, and there are lots of those, for example, nginx:

http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48

Note that if you enable DoT on port 853 on your normal DNS resolvers then Android devices will use it automatically. (I get a lot more DoT traffic than DoH traffic!) So it's worth tuning timeouts to control the number of concurrent TLS and TCP sessions on your server. Android's DoT client is very well-behaved, so the server-side configuration knobs work nicely.

Use BIND 9.11 or newer so you can support concurrent queries on one connection. As well as the nginx timeouts you can see at the link above, my named.conf has:

    tcp-clients 1234;
    tcp-idle-timeout 50;       # 5 seconds
    tcp-initial-timeout 25;    # 2.5s minimum permitted
    tcp-keepalive-timeout 50;  # 5 seconds
    tcp-advertised-timeout 50; # 5 seconds

The timeouts are short because they don't need to allow for much slowness on our metropolitan-area fibre network. 5 seconds is based on my rough eyeball assessment of when typical DoT connections are unlikely to be re-used. The number of TCP clients is a guess.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
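Why a raw TLS proxy is enough for DoT, and what "concurrent queries on one connection" means on the wire, as an added example that is not code from this thread or from BIND/nginx: DoT (RFC 7858) is plain DNS-over-TCP (the RFC 1035 two-byte length prefix) inside TLS, so the proxy only terminates TLS and passes the framed stream through. The block below builds queries, frames them, splits a received byte stream back into messages, and matches pipelined responses to their queries by message ID regardless of the order they come back. The responses and the trailing partial message in the demo are constructed inline; the resolver name and port 853 in `dot_exchange` are assumptions, and that function is the only part that touches the network.

```python
"""DNS-over-TLS framing and pipelined-response matching (added example)."""
import socket
import ssl
import struct
from typing import Dict, List, Optional, Tuple


def build_query(qname: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query (RD=1) for qname/qtype and return the wire message."""
    if qid is None:
        qid = int.from_bytes(__import__("os").urandom(2), "big")  # unpredictable ID
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit big-endian length (RFC 1035 s4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP/TLS framing")
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP/TLS byte stream into complete DNS messages; return (messages, leftover)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + n > len(stream):
            break  # partial message: wait for more bytes
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


def match_responses(queries: List[bytes], stream: bytes) -> Dict[int, bytes]:
    """Match pipelined responses to outstanding queries by ID; order on the wire is irrelevant.

    A response is accepted only if QR=1 and its question section echoes the query's,
    which is the check RFC 7766 asks pipelining clients to make before trusting an ID.
    """
    pending = {struct.unpack_from("!H", q)[0]: q for q in queries}
    msgs, _leftover = unframe(stream)
    matched: Dict[int, bytes] = {}
    for m in msgs:
        qid = struct.unpack_from("!H", m)[0]
        if qid not in pending or not (m[2] & 0x80):
            continue  # unsolicited ID or not a response: drop
        q = pending[qid]
        if m[12:len(q)] != q[12:]:
            continue  # question section does not match: drop
        matched[qid] = m
    return matched


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed A-record answer to `query`, used only for the offline demo/test."""
    (qid,) = struct.unpack_from("!H", query)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def dot_exchange(queries: List[bytes], host: str = "dns.example", port: int = 853,
                 timeout: float = 5.0) -> Dict[int, bytes]:
    """Send several queries on ONE TLS connection, then collect replies as they arrive.

    `host` and `port` are assumptions; the certificate is validated against `host`.
    The 5 s timeout mirrors the idle budget discussed in the thread.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(b"".join(frame(q) for q in queries))  # pipelined: no wait between them
        buf, got = b"", {}
        while len(got) < len(queries):
            chunk = tls.recv(4096)
            if not chunk:
                break  # server closed (e.g. idle timeout) before answering everything
            buf += chunk
            got.update(match_responses(queries, buf))
        return got


if __name__ == "__main__":
    # Offline demo with constructed responses arriving out of order plus a partial tail.
    q1 = build_query("example.com", qid=0x1234)
    q2 = build_query("example.net", qid=0x5678)
    wire = frame(build_a_response(q2, "192.0.2.2")) + frame(build_a_response(q1, "192.0.2.1")) + b"\x00\x10abc"
    print({hex(k): v[-4:] for k, v in match_responses([q1, q2], wire).items()})
```

`unframe` returning the leftover bytes is what makes a pipelining client (or a proxy that inspects the stream) robust to a TLS record boundary landing mid-message; `match_responses` is what lets a resolver answer a slow query after a fast one on the same connection, the behaviour BIND 9.11+ supports.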