For anyone considering enabling DOH, I seriously recommend reviewing Paul Vixie’s keynote at SCaLE 18x Saturday morning.
https://www.youtube.com/watch?v=artLJOwToVY

It contains a great deal of food for thought on a variety of forms of giving control over to corporations over things you probably don't really want corporations controlling in your life.

Owen

> On Sep 27, 2019, at 10:33 , Curtis Maurand <cmaur...@xyonet.com> wrote:
>
> powerdns dnsdist supports dns over https so you don't have to be held hostage
> by cloudflare or google.
>
> On 9/18/19 10:19 AM, Mike Hammett wrote:
>> Why on Earth would anyone want that (Firefox deciding to do its own DNS) as
>> default behavior?
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> <https://www.facebook.com/ICSIL>
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>> <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix>
>> <https://www.linkedin.com/company/midwest-internet-exchange>
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> <https://www.facebook.com/thebrotherswisp>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>>
>> From: "Jeroen Massar" <jer...@massar.ch>
>> To: "NANOG" <nanog@nanog.org>
>> Sent: Wednesday, September 18, 2019 2:15:49 AM
>> Subject: DNS Recursive Operators: Please enable QNAME minimization (RFC7816)
>> for the enhanced privacy of your users
>>
>> Hi Folks,
>>
>> While in the US soon all Firefox users will *NOT* use your DNS Recursives
>> configured using DHCP anymore
>> (NXDOMAIN use-application-dns.net to avoid that[1]).
>> Next to that, it seems some of the root operators are now creating instances
>> in the same networks that offer these kinds of services for globally figuring
>> out what queries are being made.
>>
>> For those that thus either opt-out or otherwise want to use their own system
>> resolvers, I suggest that all that run DNS Recursive setups enable
>> "QNAME minimization" as defined in (experimental) RFC7816 [2]
>>
>> For pdns "qname-minimization=yes" [6]
>> For unbound "qname-minimisation: yes" [5]
>> For BIND "qname-minimization" option [3] and [4]
>>
>> Of course, do also provide your users with the option of using DoT or even
>> DoH on your recursors...
>>
>> Noting that DoH operators are supposed to enable RFC7816 also [7], guess
>> they do not want others to see all the details they get...
>>
>> Some more details in DNS Privacy Wiki [8]...
>>
>> Discuss! :)
>>
>> Greets,
>> Jeroen
>>
>> [1] https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
>> [2] https://tools.ietf.org/html/rfc7816
>> [3] https://www.isc.org/blogs/qname-minimization-and-privacy/
>> [4] https://gitlab.isc.org/isc-projects/bind9/issues/16
>> [5] https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf
>> [6] https://github.com/PowerDNS/pdns/issues/2311
>> [7] https://wiki.mozilla.org/Security/DOH-resolver-policy
>> [8] https://dnsprivacy.org/wiki/
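As an added illustration of the RFC 7816 behaviour Jeroen's post asks operators to turn on, here is a small simulation of what each authoritative server on the delegation path gets to see with and without QNAME minimisation. This is example code written for this page, not from the thread or from pdns, Unbound or BIND; the zone layout is constructed for the demo.

```python
# Added example, not code from the NANOG thread: simulate which query names each
# authoritative server along the delegation chain sees, with and without RFC 7816
# QNAME minimisation. The zone layout below is constructed for the demo; a real
# resolver learns zone cuts from NS records as it iterates.

# Constructed set of zone apexes (every other name is assumed to live inside its
# closest enclosing zone, e.g. "a.b.example.com." lives in "example.com.").
ZONES = {".", "com.", "example.com.", "internal.example.com."}

def closest_zone(name):
    """Longest suffix of `name` that is a zone apex in ZONES ("." if none)."""
    labels = name.rstrip(".").split(".") if name != "." else []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            return candidate
    return "."

def classic_queries(qname):
    """Pre-RFC 7816 iteration: every server on the path receives the full QNAME.
    Returns [(zone asked, qname sent), ...] from the root downwards."""
    labels = qname.rstrip(".").split(".")
    path = ["."]
    for k in range(1, len(labels) + 1):
        suffix = ".".join(labels[-k:]) + "."
        if suffix in ZONES and suffix not in path:
            path.append(suffix)
    return [(zone, qname) for zone in path]

def minimised_queries(qname):
    """RFC 7816 iteration: the resolver adds one label per step and sends that
    shorter name to the closest zone it already knows, so the root sees only the
    TLD, the TLD only the second-level domain, and so on."""
    labels = qname.rstrip(".").split(".")
    queries = []
    for k in range(1, len(labels) + 1):
        sent = ".".join(labels[-k:]) + "."
        parent = ".".join(labels[-(k - 1):]) + "." if k > 1 else "."
        queries.append((closest_zone(parent), sent))
    return queries

if __name__ == "__main__":
    name = "host.internal.example.com."
    for label, fn in (("classic", classic_queries), ("minimised", minimised_queries)):
        print(label)
        for zone, sent in fn(name):
            print(f"  ask {zone:<24} for {sent}")
```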