DoH plugin for BIND

DoH plugin for BIND

Walter Peng
Hi

Does BIND have an official DoH plugin?
Or is there any guide to customize that one?

Thank you.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: DoH plugin for BIND

Evan Hunt
> Does BIND have an official DoH plugin?
> Or is there any guide to customize that one?

Not yet, but we plan to have a DoH implementation in named by the end of
this year.

In the meantime, there are DoH proxies that can run BIND as the back-end.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.

Re: DoH plugin for BIND

Tony Finch
In reply to this post by Walter Peng
Walter Peng <[hidden email]> wrote:
>
> Does BIND have an official DoH plugin?
> Or is there any guide to customize that one?

You'll need to run a DoH proxy in front of BIND, for example
https://dnsdist.org/ - my DoH service uses
https://dotat.at/cgi/git/doh101.git

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Fitzroy: West or southwest 6 to gale 8, perhaps severe gale 9 later. Rough or
very rough, occasionally high in north. Rain or thundery showers. Good,
occasionally poor.

Re: DoH plugin for BIND

Michael De Roover
In reply to this post by Evan Hunt
On that subject, how about DoT? I have mixed feelings about using 443 as
a kitchen sink port but encrypting DNS seems like a good idea.

On 4/29/20 9:40 AM, Evan Hunt wrote:
>> Does BIND have an official DoH plugin?
>> Or is there any guide to customize that one?
> Not yet, but we plan to have a DoH implementation in named by the end of
> this year.
>
> In the meantime, there are DoH proxies that can run BIND as the back-end.
>
--
Met vriendelijke groet / Best regards,
Michael De Roover

Re: DoH plugin for BIND

Vicky Risk
On Apr 29, 2020, at 11:06 AM, Michael De Roover <[hidden email]> wrote:

> On that subject, how about DoT? I have mixed feelings about using 443 as a kitchen sink port but encrypting DNS seems like a good idea.

We are planning to have DoT on the same timeline as DOH, so nobody has to choose one or the other based on availability.

> On 4/29/20 9:40 AM, Evan Hunt wrote:
>>> Does BIND have an official DoH plugin?
>>> Or is there any guide to customize that one?
>> Not yet, but we plan to have a DoH implementation in named by the end of
>> this year.
>>
>> In the meantime, there are DoH proxies that can run BIND as the back-end.
>>
> --
> Met vriendelijke groet / Best regards,
> Michael De Roover

Victoria Risk
Product Manager
Internet Systems Consortium

Re: DoH plugin for BIND

Tony Finch
In reply to this post by Michael De Roover
Michael De Roover <[hidden email]> wrote:

> On that subject, how about DoT?

DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:

http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48

Note that if you enable DoT on port 853 on your normal DNS resolvers then
Android devices will use it automatically. (I get a lot more DoT traffic
than DoH traffic!) So it's worth tuning timeouts to control the number of
concurrent TLS and TCP sessions on your server. Android's DoT client is
very well-behaved so the server-side configuration knobs work nicely. Use
BIND 9.11 or newer so you can support concurrent queries on one
connection. As well as the nginx timeouts you can see at the link above,
my named.conf has:

        tcp-clients 1234;
        tcp-idle-timeout 50; # 5 seconds
        tcp-initial-timeout 25; # 2.5s minimum permitted
        tcp-keepalive-timeout 50; # 5 seconds
        tcp-advertised-timeout 50; # 5 seconds

The timeouts are short because they don't need to allow for much slowness
on our metropolitan-area fibre network. 5 seconds is based on my rough
eyeball assessment of when typical DoT connections are unlikely to be
re-used. The number of TCP clients is a guess.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression

Re: DoH plugin for BIND

Evan Hunt
In reply to this post by Michael De Roover
On Wed, Apr 29, 2020 at 08:06:20PM +0200, Michael De Roover wrote:
> On that subject, how about DoT? I have mixed feelings about using 443 as a
> kitchen sink port but encrypting DNS seems like a good idea.

Native support by the end of the year, same as DoH. Also, there's a
sample configuration for an nginx proxy in the BIND source tree under
contrib/dnspriv that you can use now, if you wish.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
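As an added example (not code from the thread, from doh101, or from BIND's contrib/dnspriv): the nginx stream configuration that Tony's and Evan's replies describe, terminating DoT on port 853 and handing the plaintext DNS-over-TCP stream to named on loopback, with the proxy idle timeout aligned to the tcp-idle-timeout value in Tony's named.conf. Certificate paths, the upstream address and the session-cache size are assumptions.

```nginx
# Added example, not code from the thread, doh101 or contrib/dnspriv.
# nginx as a raw TLS reverse proxy for DNS over TLS (RFC 7858): TLS is
# terminated here and the decrypted DNS-over-TCP stream is passed,
# byte for byte, to named. Because nginx only forwards the stream,
# pipelined queries on one connection reach named unchanged, which is
# why the backend should be BIND 9.11 or newer, as noted above.
# Certificate paths and the upstream address are assumptions.
stream {
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Session resumption keeps the handshake cost down for clients that
    # reconnect often (Android's DoT client, per the thread).
    ssl_session_cache         shared:dot:10m;   # size is an assumption
    ssl_session_timeout       1h;

    server {
        listen      853 ssl;
        listen [::]:853 ssl;

        ssl_certificate     /etc/ssl/dot/fullchain.pem;  # assumed path
        ssl_certificate_key /etc/ssl/dot/privkey.pem;    # assumed path

        # Bound the handshake so half-open clients cannot tie up workers.
        ssl_handshake_timeout 5s;

        # Plaintext DNS from here on: keep the upstream on loopback or a
        # private network, never across an untrusted link.
        proxy_pass            127.0.0.1:53;
        proxy_connect_timeout 2s;

        # Idle time allowed between two successive reads/writes on the
        # session. Matched to named's "tcp-idle-timeout 50" (5 seconds,
        # since named.conf counts in units of 100 ms) so the proxy and the
        # backend drop an idle session at about the same moment instead of
        # one side holding it open for the other's default.
        proxy_timeout 5s;
    }
}
```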

Re: DoH plugin for BIND

Michael De Roover
In reply to this post by Tony Finch
Thanks a lot for the detailed reply. That should be pretty
straightforward to set up then, as I'm already using nginx for some
other things and Debian appears to be using BIND 9.11.5 now. Until BIND
gets native DoT/DoH support I'll probably run it behind nginx as well then.

On 4/29/20 10:19 PM, Tony Finch wrote:

> Michael De Roover <[hidden email]> wrote:
>
>> On that subject, how about DoT?
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:
>
> http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
>
> Note that if you enable DoT on port 853 on your normal DNS resolvers then
> Android devices will use it automatically. (I get a lot more DoT traffic
> than DoH traffic!) So it's worth tuning timeouts to control the number of
> concurrent TLS and TCP sessions on your server. Android's DoT client is
> very well-behaved so the server-side configuration knobs work nicely. Use
> BIND 9.11 or newer so you can support concurrent queries on one
> connection. As well as the nginx timeouts you can see at the link above,
> my named.conf has:
>
> tcp-clients 1234;
> tcp-idle-timeout 50; # 5 seconds
> tcp-initial-timeout 25; # 2.5s minimum permitted
> tcp-keepalive-timeout 50; # 5 seconds
> tcp-advertised-timeout 50; # 5 seconds
>
> The timeouts are short because they don't need to allow for much slowness
> on our metropolitan-area fibre network. 5 seconds is based on my rough
> eyeball assessment of when typical DoT connections are unlikely to be
> re-used. The number of TCP clients is a guess.
>
> Tony.
--
Met vriendelijke groet / Best regards,
Michael De Roover

Re: DoH plugin for BIND

@lbutlr
In reply to this post by Tony Finch
On 29 Apr 2020, at 14:19, Tony Finch <[hidden email]> wrote:
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:

DOH is better because it cannot be blocked without blocking all https traffic.

(FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).

All that is needed to subvert DoT is to block port 853.

If DoT takes off, I expect all US ISPs to block port 853 universally. There’s nothing they can do about DoH.

Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies is “discouraged” but not prevented, most obviously.

--
'You're your own worst enemy, Rincewind,' said the sword. Rincewind
        looked up at the grinning men. 'Bet?' --Colour of Magic

Re: DoH plugin for BIND

Michael De Roover
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it.. not exactly fine
but at least their right to do so. That's their decision to make. The
problem is that if they want to block DoH too, they'd more or less have
to break HTTPS altogether. And at that point, I'd expect them already
more than willing to do so.

As far as content blocking goes, currently DNS is used for that too. In
my country that is mainly Torrent sites, which are illegal. In
workplaces it'd be for websites employees aren't allowed to visit at
work. Most users use their ISP's / workplace's DNS servers and thus a
simple DNS block ended up being fine. If that wasn't the case, more
invasive methods would've been necessary. DNS blocking is easy to bypass
but not many people do it. Personally I'd much rather keep technology
away from policy. Encrypting DNS is important and both methods are fine
for their own reasons, but policy is something that ISP's and workplaces
will enforce regardless. Making this harder with technology could very
well have adverse effects in the long run.

On 5/1/20 11:51 PM, @lbutlr wrote:

> On 29 Apr 2020, at 14:19, Tony Finch <[hidden email]> wrote:
>> DoT is easier since you only need a raw TLS reverse proxy, and there are
>> lots of those, for example, nginx:
> DOH is better because it cannot be blocked without blocking all https traffic.
>
> (FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).
>
> All that is needed to subvert DoT is to block port 853.
>
> If DoT takes off, I expect all US ISPs to block port 853 universally. There’s nothing they can do about DoH.
>
> Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies is “discouraged” but not prevented, most obviously.
>
>
>
>
--
Met vriendelijke groet / Best regards,
Michael De Roover

Re: DoH plugin for BIND

Reindl Harald

On 02.05.20 at 09:00, Michael De Roover wrote:
> That's actually my biggest concern with DoH, ISP blocking. It doesn't
> seem as obvious as it is with DoT, but deep packet inspection (DPI) is
> already a thing. Don't expect an ISP that wants to block DoT to not
> (want to) block DoH either. The crux of the problem at that point is not
> the technology, it is the ISP's incentives. If the ISP wants to block
> DoT for whatever reason, personally I'd consider it.. not exactly fine
> but at least their right to do so. That's their decision to make.

seriously?

that seems to be some US attitude, no wonder what happens there with
user attitudes like "but at least their right to do so"

the ISP by definition has exactly one right: get money for his service
which is described as "route and transfer every package, don't look at
it, don't mangle it, you have no business about the content of my traffic"

Re: DoH plugin for BIND

Michael De Roover
I don't live in the US myself, but from what I've heard it's actually
among the least censored countries out there at the DNS level. Again, I
don't consider it right to block content, at least if said content
doesn't break local laws. If anything I'd like to actually retain my
ability to bypass DNS blocks by simply changing my DNS server to a more
favorable one. With DoH that would likely become much harder. Not to
mention that HTTPS isn't the holy grail for bypassing that either. The
Facebooks and Googles out there use HSTS to mitigate TLS stripping but
that requires a list to be hardcoded in every web browser that supports
it. It doesn't scale up at all. At that point we might as well go back
to hosts files.

On 5/2/20 9:28 AM, Reindl Harald wrote:

> On 02.05.20 at 09:00, Michael De Roover wrote:
>> That's actually my biggest concern with DoH, ISP blocking. It doesn't
>> seem as obvious as it is with DoT, but deep packet inspection (DPI) is
>> already a thing. Don't expect an ISP that wants to block DoT to not
>> (want to) block DoH either. The crux of the problem at that point is not
>> the technology, it is the ISP's incentives. If the ISP wants to block
>> DoT for whatever reason, personally I'd consider it.. not exactly fine
>> but at least their right to do so. That's their decision to make.
> seriously?
>
> that seems to be some US attitude, no wonder what happens there with
> user attitudes like "but at least their right to do so"
>
> the ISP by definition has exactly one right: get money for his service
> which is described as "route and transfer every package, don't look at
> it, don't mangle it, you have no business about the content of my traffic"
--
Met vriendelijke groet / Best regards,
Michael De Roover

Re: DoH plugin for BIND

Paul Kosinski via bind-users
In reply to this post by Reindl Harald
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.


On Sat, 2 May 2020 09:28:54 +0200
Reindl Harald <[hidden email]> wrote:

> On 02.05.20 at 09:00, Michael De Roover wrote:
> > That's actually my biggest concern with DoH, ISP blocking. It doesn't
> > seem as obvious as it is with DoT, but deep packet inspection (DPI) is
> > already a thing. Don't expect an ISP that wants to block DoT to not
> > (want to) block DoH either. The crux of the problem at that point is not
> > the technology, it is the ISP's incentives. If the ISP wants to block
> > DoT for whatever reason, personally I'd consider it.. not exactly fine
> > but at least their right to do so. That's their decision to make.  
>
> seriously?
>
> that seems to be some US attitude, no wonder what happens there with
> user attitudes like "but at least their right to do so"
>
> the ISP by definition has exactly one right: get money for his service
> which is described as "route and transfer every package, don't look at
> it, don't mangle it, you have no business about the content of my traffic"

Re: DoH plugin for BIND

Reindl Harald


On 02.05.20 at 15:30, Paul Kosinski via bind-users wrote:
> How many ISPs allow traffic on port 25? My impression is that even many
> (non-enterprise) business customers can't use port 25.

that can be easily answered by just looking at your inbound MX and the
amount of dul.dnsbl.sorbs.net and pbl.spamhaus.org hits

until the large botnet was killed a few months ago this was the majority of
*all* mail traffic, which wouldn't have been possible all these years by
your conclusion

-------------------------

current month blocked at postscreen level:

[root@mail-gw:~]$ cat maillog | grep spamhaus.org | grep -P "127.0.0.(10|11)" | wc -l
1148

until this year it was 10 times more

-------------------------

delivered: 1371
blocked by contentfilter: 134
honeypot hits: 5206

> On Sat, 2 May 2020 09:28:54 +0200
> Reindl Harald <[hidden email]> wrote:
>
>> On 02.05.20 at 09:00, Michael De Roover wrote:
>>> That's actually my biggest concern with DoH, ISP blocking. It doesn't
>>> seem as obvious as it is with DoT, but deep packet inspection (DPI) is
>>> already a thing. Don't expect an ISP that wants to block DoT to not
>>> (want to) block DoH either. The crux of the problem at that point is not
>>> the technology, it is the ISP's incentives. If the ISP wants to block
>>> DoT for whatever reason, personally I'd consider it.. not exactly fine
>>> but at least their right to do so. That's their decision to make.  
>>
>> seriously?
>>
>> that seems to be some US attitude, no wonder what happens there with
>> user attitudes like "but at least their right to do so"
>>
>> the ISP by definition has exactly one right: get money for his service
>> which is described as "route and transfer every package, don't look at
>> it, don't mangle it, you have no business about the content of my traffic"


Re: DoH plugin for BIND

Michael De Roover
In reply to this post by Paul Kosinski via bind-users
In my experience and from what I've heard, very few. Even if your ISP
allows it, chances are that other mail servers will reject it, since
residential areas aren't really suited for and aren't generally used for
long-term mail servers. I would recommend against running your mail
server (directly) on your home connection. Here I rent 3 VPS's as pretty
much edge servers and connect my mail, web, Gitea and other servers from
there (possibly my DoT service as well since almost everything is
already reverse proxied with nginx from there). VPN connections are made
from all of those local servers to there but it's far from ideal (70
servers x 3 VPN connections each and you've got 210 total.. and that's
where I more or less screwed up). Nowadays I'd rather consider either
making my VPS's connect to my home, or make a single server be the
gateway at home that makes VPN connections to those VPS's instead.
Probably the latter since home connections have dynamic IP's too.. that
complicates things a bit.

On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
> How many ISPs allow traffic on port 25? My impression is that even many
> (non-enterprise) business customers can't use port 25.
--
Met vriendelijke groet / Best regards,
Michael De Roover

Re: DoH plugin for BIND

Reindl Harald


On 02.05.20 at 15:41, Michael De Roover wrote:
> In my experience and from what I've heard, very few.

if that were true, how come most mail clients still default to
25 for submission and, years after closing port 25 on our mailserver, I
still struggle with customers' smartphones still not using 587?

in fact 10 years ago some ISP's *tried* to kill outbound port 25 because
there is no point in using it from a home machine and at that time we
struggled also to explain to our customers that 25 is plain wrong

finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't i send email
with my internet connection"

> Even if your ISP allows it, chances are that other mail servers will reject it

that's a completely different story

> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>> How many ISPs allow traffic on port 25? My impression is that even many
>> (non-enterprise) business customers can't use port 25


Re: DoH plugin for BIND

Michael De Roover
To put it very simply, I consider myself very lucky that I have control
over every mail client that interfaces with my mail server. Most of them
are well-behaved and use 587 for submission. My mail server has also
disabled it on port 25 to reduce spam. Port 587 on my mail server is
also only visible within my VPN's to allow submission only within. That
is an edge case and a privilege since all the mail clients are local. If
your mail clients go outside your network or VPN's, that's when you'll
need to either expose 587 to the internet or allow it on 25, with all
those related issues.

Submission on port 25 is something I disabled on my mail server since it
reduces the amount of spamhausen that try to submit email to my mail
server, assuming that it's an open relay. It's purely traffic- and
load-related. The reason why residential ISP's disallow it - to my
knowledge which is admittedly limited - is because few postmasters
consider the limitations that are applied to residential connections in
general endurable. That includes dynamic IP's, down-/upload ratio,
blocked ports, lack of SLA, and many other things.

As far as the "completely different story" goes, it's part of a whole.
Good luck getting deliverability to other mail servers from a
residential range even if the ISP itself allows it. Mail servers are an
inherently reputation-driven thing. Reputation of your sender IP
addresses to be precise. Is it good? No, email sucks. If you can get
away with not running a mail server, don't run one. They suck so much.
But if you do, a home IP is not where you'll want to start regardless.
Get a VPS if anything.

On 5/2/20 3:51 PM, Reindl Harald wrote:

>
> On 02.05.20 at 15:41, Michael De Roover wrote:
>> In my experience and from what I've heard, very few.
> if that were true, how come most mail clients still default to
> 25 for submission and, years after closing port 25 on our mailserver, I
> still struggle with customers' smartphones still not using 587?
>
> in fact 10 years ago some ISP's *tried* to kill outbound port 25 because
> there is no point in using it from a home machine and at that time we
> struggled also to explain to our customers that 25 is plain wrong
>
> finally they gave up because the damage of open port 25 is killed with
> dnsbl but the customer support went crazy with "why can't i send email
> with my internet connection"
>
>> Even if your ISP allows it, chances are that other mail servers will reject it
> that's a completely different story
>
>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>> How many ISPs allow traffic on port 25? My impression is that even many
>>> (non-enterprise) business customers can't use port 25
--
Met vriendelijke groet / Best regards,
Michael De Roover

Re: DoH plugin for BIND

Paul Kosinski via bind-users
In reply to this post by Reindl Harald
I wasn't complaining about port 25, I was just citing it as a
counterexample to the claim that ISPs "must" pass all traffic.

I think that most ISPs tell customers how to set up their email clients
(NUAs) including what port to use. Of course it seems that now most
people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
so they never see port numbers.


On Sat, 2 May 2020 15:51:58 +0200
Reindl Harald <[hidden email]> wrote:

> On 02.05.20 at 15:41, Michael De Roover wrote:
> > In my experience and from what I've heard, very few.
>
> if that were true, how come most mail clients still default to
> 25 for submission and, years after closing port 25 on our mailserver, I
> still struggle with customers' smartphones still not using 587?
>
> in fact 10 years ago some ISP's *tried* to kill outbound port 25 because
> there is no point in using it from a home machine and at that time we
> struggled also to explain to our customers that 25 is plain wrong
>
> finally they gave up because the damage of open port 25 is killed with
> dnsbl but the customer support went crazy with "why can't i send email
> with my internet connection"
>
> > Even if your ISP allows it, chances are that other mail servers will reject it
>
> that's a completely different story
>
> > On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:  
> >> How many ISPs allow traffic on port 25? My impression is that even many
> >> (non-enterprise) business customers can't use port 25  

Re: DoH plugin for BIND

Reindl Harald


On 02.05.20 at 16:39, Paul Kosinski via bind-users wrote:
> I wasn't complaining about port 25, I was just citing it as a
> counterexample to the claim that ISPs "must" pass all traffic.

https://en.wikipedia.org/wiki/Net_neutrality

> I think that most ISPs tell customers how to set up their email clients
> (NUAs) including what port to use. Of course it seems that now most
> people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
> so they never see port numbers.
>
>
> On Sat, 2 May 2020 15:51:58 +0200
> Reindl Harald <[hidden email]> wrote:
>
>> Am 02.05.20 um 15:41 schrieb Michael De Roover:
>>> In my experience and from what I've heard, very few.  
>>
>> if that would be true how comes that most mail clients still default to
>> 25 for submission and years after closing port 25 on our mailserver i
>> still struggle with customers smartphones still not using 587?
>>
>> in fact 10 years ago some ISP's *tried* to kill outbound port 25 because
>> there is no point in using it from a homemachine and at that time we
>> struggeled also to explain our customers that 25 is plain wrong
>>
>> finally they gave up because the damage of open port 25 is killed with
>> dnsbl but the customer support went crazy with "why can't i send email
>> with my internet connection"
>>
>>> Even if your ISP allows it, chances are that other mail servers will reject it  
>>
>> that's a completl different story
>>
>>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:  
>>>> How many ISPs allow traffic on port 25? My impression is that even many
>>>> (non-enterprise) business customers can't use port 25  


Re: DoH plugin for BIND

Michael De Roover
I'm sure that most of the list members here are aware of how net
neutrality and the internet in general works - we're internet operators
after all. What we're here for is ports and protocols, not policy or
internet culture. On that subject, we are not policy makers. Let's leave
that to politicians who studied for it. Vote some technical people in
government while we're at it, but I digress.

The DoT/DoH argument or what a mail server could be operated from is not
one of policy.. well maybe mail servers are, to some extent. Perhaps
there's some ISP employees here too. Those are in power to allow or
disallow things on their network. But DoT/DoH certainly isn't. What are
we supposed to worry about? How do we implement this new encrypted DNS?
Do we piggyback off an existing port and rely on its ubiquitous
allowance on the internet or do we create a new port for it, where we
can make a dedicated new protocol suite?

On 5/2/20 5:03 PM, Reindl Harald wrote:

>
> On 02.05.20 at 16:39, Paul Kosinski via bind-users wrote:
>> I wasn't complaining about port 25, I was just citing it as a
>> counterexample to the claim that ISPs "must" pass all traffic.
> https://en.wikipedia.org/wiki/Net_neutrality
>
>> I think that most ISPs tell customers how to set up their email clients
>> (NUAs) including what port to use. Of course it seems that now most
>> people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
>> so they never see port numbers.
>>
>>
>> On Sat, 2 May 2020 15:51:58 +0200
>> Reindl Harald <[hidden email]> wrote:
>>
>>> On 02.05.20 at 15:41, Michael De Roover wrote:
>>>> In my experience and from what I've heard, very few.
>>> if that were true, how come most mail clients still default to
>>> 25 for submission and, years after closing port 25 on our mailserver, I
>>> still struggle with customers' smartphones still not using 587?
>>>
>>> in fact 10 years ago some ISP's *tried* to kill outbound port 25 because
>>> there is no point in using it from a home machine and at that time we
>>> struggled also to explain to our customers that 25 is plain wrong
>>>
>>> finally they gave up because the damage of open port 25 is killed with
>>> dnsbl but the customer support went crazy with "why can't i send email
>>> with my internet connection"
>>>
>>>> Even if your ISP allows it, chances are that other mail servers will reject it
>>> that's a completely different story
>>>
>>>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>>>> How many ISPs allow traffic on port 25? My impression is that even many
>>>>> (non-enterprise) business customers can't use port 25
--
Met vriendelijke groet / Best regards,
Michael De Roover