DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

Curtis Maurand cmaurand at xyonet.com
Fri Sep 27 17:33:17 UTC 2019


PowerDNS dnsdist supports DNS over HTTPS, so you don't have to be held 
hostage by Cloudflare or Google.



On 9/18/19 10:19 AM, Mike Hammett wrote:
> Why on Earth would anyone want that (Firefox deciding to do its own 
> DNS) as default behavior?
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> ------------------------------------------------------------------------
> *From: *"Jeroen Massar" <jeroen at massar.ch>
> *To: *"NANOG" <nanog at nanog.org>
> *Sent: *Wednesday, September 18, 2019 2:15:49 AM
> *Subject: *DNS Recursive Operators: Please enable QNAME minimization 
> (RFC7816) for the enhanced privacy of your users
>
> Hi Folks,
>
> While in the US soon all Firefox users will *NOT* use your DNS 
> Recursives configured using DHCP anymore
> (NXDOMAIN use-application-dns.net to avoid that [1]).
> Next to that, it seems some of the root operators are now creating 
> instances in the same networks that offer these kinds of services for 
> globally figuring out what queries are being made.
>
>
> For those that thus either opt out or otherwise want to use their own 
> system resolvers, I suggest that all that run
> DNS Recursive setups enable "QNAME minimization" as defined in 
> (experimental) RFC7816 [2].
>
> For pdns: "qname-minimization=yes" [6]
> For unbound: "qname-minimisation: yes" [5]
> For BIND: the "qname-minimization" option [3] and [4]
>
> Of course, do also provide your users with the option of using DoT or 
> even DoH on your recursors...
>
> Noting that DoH operators are supposed to enable RFC7816 also [7], 
> guess they do not want others to see all the details they get...
>
> Some more details in DNS Privacy Wiki [8]...
>
> Discuss! :)
>
> Greets,
>  Jeroen
>
>
> [1] https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> [2] https://tools.ietf.org/html/rfc7816
> [3] https://www.isc.org/blogs/qname-minimization-and-privacy/
> [4] https://gitlab.isc.org/isc-projects/bind9/issues/16
> [5] https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf
> [6] https://github.com/PowerDNS/pdns/issues/2311
> [7] https://wiki.mozilla.org/Security/DOH-resolver-policy
> [8] https://dnsprivacy.org/wiki/
>

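As an added illustration of the RFC 7816 behaviour being requested above (example code written for this archive page, not from the thread or from pdns, unbound or BIND), a toy iterative resolver walks constructed zone data and records what each authoritative server learns about the query, with and without QNAME minimization:

```python
# Constructed zone data for the illustration (not real DNS): each zone
# apex lists the child zones it delegates and the records it answers.
ZONES = {
    ".": {"delegations": {"com."}, "records": {}},
    "com.": {"delegations": {"example.com."}, "records": {}},
    "example.com.": {
        "delegations": set(),
        "records": {("www.example.com.", "A"): "192.0.2.10",
                    ("a.b.example.com.", "A"): "192.0.2.11"},
    },
}

def is_subdomain(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def authoritative(zone, qname, qtype):
    """Toy authoritative server for `zone`: referral when the name falls
    under a child zone cut, otherwise an answer or NODATA."""
    for child in ZONES[zone]["delegations"]:
        if is_subdomain(qname, child):
            return ("DELEGATION", child)
    rdata = ZONES[zone]["records"].get((qname, qtype))
    return ("ANSWER", rdata) if rdata else ("NODATA", None)

def resolve(qname, qtype, minimize):
    """Iterate from the root. Returns (rdata, [(zone_asked, qname, qtype)])
    so the caller can see exactly what each server was told."""
    seen, zone, labels = [], ".", qname.rstrip(".").split(".")
    n = 1  # number of trailing labels revealed in the next minimized query
    while True:
        if minimize:
            # RFC 7816: reveal one label beyond the known zone cut and ask
            # for NS; only the full original QNAME gets the original QTYPE.
            partial = ".".join(labels[-n:]) + "."
            q = (partial, qtype) if partial == qname else (partial, "NS")
        else:
            q = (qname, qtype)  # classic behaviour: every server sees it all
        seen.append((zone, *q))
        status, data = authoritative(zone, *q)
        if status == "DELEGATION":
            zone = data                 # follow the referral to the child
            if minimize:
                n += 1                  # the child may learn one more label
            continue
        if status == "NODATA" and minimize and q[0] != qname:
            n += 1                      # not a zone cut: add a label, same zone
            continue
        return data, seen
```

With minimization the root only ever sees "com." and the .com servers only "example.com."; without it every server on the path sees the full name and type.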

