Bind and HTTPS?


Bind and HTTPS?

@lbutlr
Is it possible to setup bind to use DoH (DNS over HTTPS) rather than unencrypted DNS lookups? Or in addition to?



--
'An appointment is an engagement to see someone, while a morningstar is
a large lump of metal used for viciously crushing skulls. It is
important not to confuse the two.'

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind and HTTPS?

Tony Finch
@lbutlr <[hidden email]> wrote:

> Is it possible to setup bind to use DoH (DNS over HTTPS) rather than
> unencrypted DNS lookups? Or in addition to?

To give DoH access to clients you need a proxy such as dnsdist or doh101.

https://dotat.at/cgi/git/doh101.git
https://dnsprivacy.org/wiki/display/DP/Using+dnsdist+for+DoT+and+DoH

Encrypted DNS between resolvers and authoritative servers is still in the
process of being standardized.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Southeast Iceland: Easterly or northeasterly, veering southeasterly, 2 to 4,
occasionally 5 near iceland. Slight or moderate. Occasional rain, fog patches.
Moderate or good, occasionally very poor.

Re: Bind and HTTPS?

Bind-Users forum mailing list
On 11/7/2019 13:39, Tony Finch wrote:
> Encrypted DNS between resolvers and authoritative servers is still in the
> process of being standardized.

It sounds like too much overhead already. Why would you want something
like that? Isn't DNSSEC enough to assure integrity?

Lefteris

Re: Bind and HTTPS?

Matus UHLAR - fantomas
>On 11/7/2019 13:39, Tony Finch wrote:
>>Encrypted DNS between resolvers and authoritative servers is still in the
>>process of being standardized.

On 11.07.19 15:21, Lefteris Tsintjelis via bind-users wrote:
>It sounds like too much overhead already. Why would you want something
>like that? Isn't DNSSEC enough to assure integrity?

and, how shall we resolve names of those HTTPS servers?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.

Re: Bind and HTTPS?

Tony Finch
In reply to this post by Bind-Users forum mailing list
Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>
> Why would you want something like that?

https://datatracker.ietf.org/wg/dprive/about/

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Great Orme Head to the Mull of Galloway: Southwesterly 3 to 5, veering
northwesterly 4 or 5, occasionally 6 later in north. Smooth or slight.
Occasional rain or drizzle. Moderate or good, occasionally poor.

Re: Bind and HTTPS?

Bind-Users forum mailing list
On 11/7/2019 15:35, Tony Finch wrote:
> Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>
>> Why would you want something like that?
>
> https://datatracker.ietf.org/wg/dprive/about/

If you are willing to sacrifice speed. DNS responses have a pretty big
impact on browsing speed, but I guess anyone choosing privacy through
encryption over speed must have a good reason to do so and I am sure
already knows that.

Lefteris

Re: Bind and HTTPS?

@lbutlr
On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
> On 11/7/2019 15:35, Tony Finch wrote:
>> Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>>
>>> Why would you want something like that?
>> https://datatracker.ietf.org/wg/dprive/about/
>
> If you are willing to sacrifice speed.

Not really. Using DOH servers now doesn’t have any noticeable impact on speed of DNS.



--
"...and that's not incense"


Re: Bind and HTTPS?

Bind-Users forum mailing list
On 11/7/2019 22:56, @lbutlr wrote:

> On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>> On 11/7/2019 15:35, Tony Finch wrote:
>>> Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>>>
>>>> Why would you want something like that?
>>> https://datatracker.ietf.org/wg/dprive/about/
>>
>> If you are willing to sacrifice speed.
>
> Not really. Using DOH servers now doesn’t have any noticeable impact on speed of DNS.

Doesn't the packet size have any impact at all just by itself, excluding
packet encryption/decryption times? For me the difference was quite
noticeable when I first enabled DNSSEC, especially when I first tested it
with SHA256/512. Packets would easily exceed fragmentation limits and
that alone is just by using DNSSEC only! I don't know what the impact of
DoH would be on the packet size, but I am pretty sure it would be even
worse combined with DNSSEC, would it not?

Lefteris

Re: Bind and HTTPS?

Mark Andrews


> On 12 Jul 2019, at 8:54 am, Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>
> On 11/7/2019 22:56, @lbutlr wrote:
>> On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>> On 11/7/2019 15:35, Tony Finch wrote:
>>>> Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>>>>
>>>>> Why would you want something like that?
>>>> https://datatracker.ietf.org/wg/dprive/about/
>>>
>>> If you are willing to sacrifice speed.
>> Not really. Using DOH servers now doesn’t have any noticeable impact on speed of DNS.
>
> Doesn't the packet size have any impact at all just by itself, excluding packet encryption/decryption times? For me the difference was quite noticeable when I first enabled DNSSEC, especially when I first tested it with SHA256/512. Packets would easily exceed fragmentation limits and that alone is just by using DNSSEC only! I don't know what the impact of DoH would be on the packet size, but I am pretty sure it would be even worse combined with DNSSEC, would it not?

Having fragmented packets doesn’t slow down DNS noticeably as long as your firewall allows them through.  Having to perform PMTUD does however and this applies to both UDP and TCP.

> Lefteris

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


Re: Bind and HTTPS?

Bind-Users forum mailing list
On 12/7/2019 2:42, Mark Andrews wrote:

>
>
>> On 12 Jul 2019, at 8:54 am, Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>
>> On 11/7/2019 22:56, @lbutlr wrote:
>>> On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>>> On 11/7/2019 15:35, Tony Finch wrote:
>>>>> Lefteris Tsintjelis via bind-users <[hidden email]> wrote:
>>>>>>
>>>>>> Why would you want something like that?
>>>>> https://datatracker.ietf.org/wg/dprive/about/
>>>>
>>>> If you are willing to sacrifice speed.
>>> Not really. Using DOH servers now doesn’t have any noticeable impact on speed of DNS.
>>
>> Doesn't the packet size have any impact at all just by itself, excluding packet encryption/decryption times? For me the difference was quite noticeable when I first enabled DNSSEC, especially when I first tested it with SHA256/512. Packets would easily exceed fragmentation limits and that alone is just by using DNSSEC only! I don't know what the impact of DoH would be on the packet size, but I am pretty sure it would be even worse combined with DNSSEC, would it not?
>
> Having fragmented packets doesn’t slow down DNS noticeably as long as your firewall allows them through.  Having to perform PMTUD does however and this applies to both UDP and TCP.

I believe most modern firewalls allow them nowadays and the speeds are
pretty huge for such packets, so I guess fragmentation by itself may not
be as noticeable, but everything all together adds up, and I mean
including DNSSEC and DoH overhead.

Yes, PMTUD applies to both of course, and this is the biggest delay of
all. Perhaps it would help if the default packet size of 4000 were changed
to a lower value such as 1200-1300 and ECDSAP256SHA256 were used as the
default? In any case, for me, changing those two things made quite a
noticeable response difference, and it was not small.

Lefteris
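The two tuning changes described in the post above (a smaller EDNS UDP buffer and ECDSA P-256 signing), written out as a BIND named.conf fragment. This is an added illustration, not configuration from the thread or from ISC; it assumes BIND 9.16 or later for dnssec-policy, and the zone name and file are placeholders.

```conf
options {
    // Older BIND releases advertised a large EDNS UDP buffer (4096 bytes), which
    // invites IP fragmentation and PMTUD stalls on big DNSSEC answers:
    // edns-udp-size 4096;
    // max-udp-size 4096;

    // 1232 = IPv6 minimum MTU (1280) minus IPv6 (40) and UDP (8) headers, the
    // value adopted by DNS Flag Day 2020. Answers that fit are never fragmented on
    // an IPv6 path; larger ones come back with TC=1 and the client retries over TCP.
    edns-udp-size 1232;   // buffer size this resolver advertises in its own queries
    max-udp-size 1232;    // largest UDP response this server will send
};

// An ECDSA P-256 signature is 64 bytes, versus 256 bytes for RSA-2048, so
// signed RRsets (and their RRSIGs) stay well inside the 1232-byte budget.
dnssec-policy "ecdsa-p256" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

zone "example.com" {            // placeholder zone name
    type primary;
    file "example.com.db";      // placeholder zone file
    inline-signing yes;         // sign a copy; the unsigned file is left untouched
    dnssec-policy "ecdsa-p256";
};
```

Run `named-checkconf` on the result, then compare `dig +dnssec` answer sizes before and after: a TC=1 answer followed by a TCP retry is the expected behaviour for anything over 1232 bytes, not a fault.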

Re: Bind and HTTPS?

Fred Morris
On Fri, 12 Jul 2019, Lefteris Tsintjelis via bind-users wrote:
> I believe most modern firewalls allow them nowadays and the speeds are pretty
> huge for such packets so I guess fragmentation by itself may not be as
> noticeable, but everything all together adds up, and I mean including DNSSEC
> and DoH overhead.

Really? What about ads? What I mean is if people are so concerned about
"happy eyeballs", why are so many of those people somehow involved with
the infrastructure creating the problem?

--

Fred Morris
