DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

Brian J. Murrell brian at interlinx.bc.ca
Wed Sep 18 10:24:08 UTC 2019


On Wed, 2019-09-18 at 09:15 +0200, Jeroen Massar wrote:
> Hi Folks,

Hi.

> While in the US soon all Firefox users will *NOT* use your DNS
> Recursives configured using DHCP anymore
> (NXDOMAIN use-application-dns.net to avoid that[1]).

What am I misunderstanding?  Isn't use-application-dns.net supposed to
return A results until "defeated"?  I have not configured my own DNS
server to NXDOMAIN that yet, however:

$ dig use-application-dns.net a

; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33589
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.	IN	A

;; Query time: 1181 msec
;; SERVER: fd31:aeb1:48df::2#53(fd31:aeb1:48df::2)
;; WHEN: Wed Sep 18 06:22:19 EDT 2019
;; MSG SIZE  rcvd: 52

And even Google's global DNS:

$ dig @8.8.8.8 use-application-dns.net a

; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> @8.8.8.8 use-application-dns.net a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33725
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;use-application-dns.net.	IN	A

;; Query time: 1454 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Sep 18 06:22:42 EDT 2019
;; MSG SIZE  rcvd: 52

Cheers,
b.
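The two dig transcripts above are exactly the thing a resolver operator wants to check after following Jeroen's advice. Below is an added example (my code, not from this thread or from Mozilla) that parses dig's text output for the canary name and reports which way Firefox would read it. It runs offline on constructed sample replies; the first sample mirrors the SERVFAIL answer quoted above. The classification rules are my reading of the published canary semantics: NXDOMAIN, or NOERROR with no A/AAAA records, tells Firefox to leave DoH off; a NOERROR answer carrying addresses does not. Treating SERVFAIL (and anything else) as "undetermined" is this example's own assumption, since the thread itself only shows that SERVFAIL is what some resolvers currently return.

```python
"""Classify a resolver's reply for the Firefox DoH canary domain.

Added example, not code from the original post. It parses the text that
`dig` prints rather than sending queries, so it can run offline; pipe
real dig output into it to check your own recursive.

Assumed rules (my reading of the canary semantics, not quoted from the
thread):  NXDOMAIN, or NOERROR with no A/AAAA record  -> "doh-disabled"
          NOERROR with at least one A/AAAA record     -> "doh-allowed"
          anything else (SERVFAIL, REFUSED, ...)      -> "undetermined"
"""
import re
import sys
from typing import List, NamedTuple, Tuple

CANARY = "use-application-dns.net."

_STATUS = re.compile(r"status:\s*([A-Z]+)")
_ANSWER_COUNT = re.compile(r"ANSWER:\s*(\d+)")


class DigReply(NamedTuple):
    status: str                      # RCODE as dig prints it, e.g. "NXDOMAIN"
    answer_count: int                # ANSWER: n from the flags line
    rrsets: List[Tuple[str, str]]    # (rrtype, rdata) from the ANSWER SECTION


def parse_dig(text: str) -> DigReply:
    """Pull the RCODE, answer count and answer records out of dig output."""
    status = None
    answer_count = 0
    rrsets: List[Tuple[str, str]] = []
    in_answer = False
    for line in text.splitlines():
        if "->>HEADER<<-" in line:
            m = _STATUS.search(line)
            if m:
                status = m.group(1)
            continue
        if line.startswith(";; flags:"):
            m = _ANSWER_COUNT.search(line)
            if m:
                answer_count = int(m.group(1))
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            # Answer section ends at a blank line or the next ";;" header.
            if not line.strip() or line.startswith(";;"):
                in_answer = False
                continue
            fields = line.split()           # owner ttl class type rdata...
            if len(fields) >= 5:
                rrsets.append((fields[3], " ".join(fields[4:])))
    if status is None:
        raise ValueError("no dig HEADER line found in input")
    return DigReply(status, answer_count, rrsets)


def canary_verdict(reply: DigReply) -> str:
    """Map a parsed reply onto the assumed canary rules (see module docstring)."""
    if reply.status == "NXDOMAIN":
        return "doh-disabled"
    if reply.status == "NOERROR":
        has_address = any(rtype in ("A", "AAAA") for rtype, _ in reply.rrsets)
        return "doh-allowed" if has_address else "doh-disabled"
    return "undetermined"          # SERVFAIL etc.: assumption, no documented signal


def classify(dig_output: str) -> str:
    return canary_verdict(parse_dig(dig_output))


# Constructed sample replies (not captured from a live resolver, apart from
# the first, which copies the header/flags lines quoted in the post above).
SERVFAIL_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33589
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;use-application-dns.net.\tIN\tA
"""
NXDOMAIN_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;use-application-dns.net.\tIN\tA
"""
A_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;use-application-dns.net.\tIN\tA

;; ANSWER SECTION:
use-application-dns.net.\t300\tIN\tA\t192.0.2.10

;; Query time: 3 msec
"""
NODATA_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;use-application-dns.net.\tIN\tA
"""

if __name__ == "__main__":
    # Usage: dig use-application-dns.net a | python3 canary_check.py
    print(classify(sys.stdin.read()))
```

Run it on both the A and AAAA queries; a resolver that answers one with an address and the other with NXDOMAIN is not sending a clean signal, and that is the case worth checking before assuming the opt-out is in effect.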
