Hi Folks,

Soon, all Firefox users in the US will *NOT* use the DNS recursives you 
configured via DHCP anymore (NXDOMAIN use-application-dns.net to avoid 
that [1]).
Next to that, it seems some of the root operators are now creating instances in 
the same networks that offer this kind of service for globally figuring out 
what queries are being made.


For those that thus either opt out or otherwise want to use their own system 
resolvers, I suggest that all who run DNS recursive setups enable 
"QNAME minimization" as defined in (experimental) RFC 7816 [2].

For pdns: "qname-minimization=yes" [6]
For unbound: "qname-minimisation: yes" [5]
For BIND: the "qname-minimization" option [3] and [4]

Of course, do also provide your users with the option of using DoT or even DoH 
on your recursors...

Noting that DoH operators are supposed to enable RFC7816 also [7], guess they 
do not want others to see all the details they get...

Some more details in DNS Privacy Wiki [8]...

Discuss! :)

Greets,
 Jeroen


[1] https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
[2] https://tools.ietf.org/html/rfc7816
[3] https://www.isc.org/blogs/qname-minimization-and-privacy/
[4] https://gitlab.isc.org/isc-projects/bind9/issues/16
[5] https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf
[6] https://github.com/PowerDNS/pdns/issues/2311
[7] https://wiki.mozilla.org/Security/DOH-resolver-policy
[8] https://dnsprivacy.org/wiki/
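To see what the options above actually change on the wire, here is an added example (my own code, not part of Jeroen's post or of any of the resolvers cited) that simulates the RFC 7816 query sequence and shows which zone's servers get to see which part of the name. The `known_cuts` cache contents and the assumption that every label below the starting zone cut is itself a zone cut are constructed for the illustration.

```python
# Simulation of RFC 7816 QNAME minimisation (added example, not code from
# the original post). Given a query name and the zone cuts the resolver
# already has cached, it lists the queries the resolver would send and
# what each zone's nameservers get to see. Assumption: every label below
# the starting zone cut is itself a zone cut (the RFC's initial guess; a
# real resolver learns otherwise from non-referral answers).

def labels(name):
    """Domain name -> list of labels, root side first, case-normalised."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []

def to_name(lbls):
    """Inverse of labels(): list of labels -> absolute name ('.' for root)."""
    return ".".join(reversed(lbls)) + "."

def deepest_known_cut(qname, known_cuts):
    """Labels of the deepest cached zone apex that contains qname."""
    target = labels(qname)
    best = []  # the root is always known
    for cut in known_cuts:
        cl = labels(cut)
        if target[:len(cl)] == cl and len(cl) > len(best):
            best = cl
    return best

def minimised_queries(qname, qtype, known_cuts=("",)):
    """(name, type) pairs a minimising resolver sends, in order.

    Starting one label below the deepest known cut, each step asks for
    one more label with type NS; only the last query carries the full
    name and the original type (RFC 7816, section 2).
    """
    target = labels(qname)
    start = len(deepest_known_cut(qname, known_cuts))
    first = min(start + 1, len(target))  # qname itself may be a known cut
    return [(to_name(target[:d]), qtype if d == len(target) else "NS")
            for d in range(first, len(target) + 1)]

def exposure(qname, qtype, known_cuts=("",)):
    """Per queried zone: the name its servers see with and without minimisation."""
    queries = minimised_queries(qname, qtype, known_cuts)
    # query i goes to the servers of the name resolved by query i-1;
    # the first one goes to the servers of the starting zone cut
    zones = [to_name(deepest_known_cut(qname, known_cuts))]
    zones += [name for name, _ in queries[:-1]]
    full = to_name(labels(qname))
    return {zone: {"minimised": name, "traditional": full}
            for zone, (name, _) in zip(zones, queries)}

if __name__ == "__main__":
    for zone, seen in exposure("www.example.com", "A").items():
        print(f"{zone:15} sees {seen['minimised']:20} instead of {seen['traditional']}")
```

With an empty cache the root servers see only `com.` and the `.com` servers only `example.com.`; a traditional resolver would have sent `www.example.com.` to both.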
