<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    PowerDNS dnsdist supports DNS over HTTPS, so you don't have to be
    held hostage by Cloudflare or Google.<br>
    <br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 9/18/19 10:19 AM, Mike Hammett
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:471000904.3915.1568816367898.JavaMail.mhammett@ThunderFuck">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <style type="text/css">p { margin: 0; }</style>
      <div style="font-family: arial,helvetica,sans-serif; font-size:
        10pt; color: #000000">Why on Earth would anyone want that
        (Firefox deciding to do its own DNS) as default behavior?<br>
        <br>
        <div>-----<br>
          Mike Hammett<br>
          <a href="http://www.ics-il.com/">Intelligent Computing Solutions</a><br>
          <a href="http://www.midwest-ix.com/">Midwest Internet Exchange</a><br>
          <a href="http://www.thebrotherswisp.com/">The Brothers WISP</a><br>
        </div>
        <hr id="zwchr">
        <div
style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From:
          </b>"Jeroen Massar" <a class="moz-txt-link-rfc2396E" href="mailto:jeroen@massar.ch">&lt;jeroen@massar.ch&gt;</a><br>
          <b>To: </b>"NANOG" <a class="moz-txt-link-rfc2396E" href="mailto:nanog@nanog.org">&lt;nanog@nanog.org&gt;</a><br>
          <b>Sent: </b>Wednesday, September 18, 2019 2:15:49 AM<br>
          <b>Subject: </b>DNS Recursive Operators: Please enable QNAME
          minimization (RFC7816) for the enhanced privacy of your users<br>
          <br>
          Hi Folks,<br>
          <br>
          While in the US soon all Firefox users will *NOT* use your DNS
          Recursives configured using DHCP anymore<br>
          (NXDOMAIN use-application-dns.net to avoid that[1]).<br>
          Next to that, it seems some of the root operators are now
          creating instances in the same networks that offer these kinds
          of services for globally figuring out what queries are being
          made.<br>
          <br>
          <br>
          For those that thus either opt-out or otherwise want to use
          their own system resolvers, I suggest that all that run<br>
          DNS Recursive setups enable "QNAME minimization" as defined in
          (experimental) RFC7816 [2]<br>
          <br>
          For pdns "qname-minimization=yes" [6]<br>
          For unbound "qname-minimisation: yes" [5]<br>
          For BIND "qname-minimization" option [3] and [4]<br>
          <br>
          Of course, do also provide your users with the option of
          using DoT or even DoH on your recursors...<br>
          <br>
          Noting that DoH operators are supposed to enable RFC7816 also
          [7], guess they do not want others to see all the details they
          get...<br>
          <br>
          Some more details in DNS Privacy Wiki [8]...<br>
          <br>
          Discuss! :)<br>
          <br>
          Greets,<br>
           Jeroen<br>
          <br>
          <br>
          [1]
<a class="moz-txt-link-freetext" href="https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https">https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https</a><br>
          [2] <a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc7816">https://tools.ietf.org/html/rfc7816</a><br>
          [3] <a class="moz-txt-link-freetext" href="https://www.isc.org/blogs/qname-minimization-and-privacy/">https://www.isc.org/blogs/qname-minimization-and-privacy/</a><br>
          [4] <a class="moz-txt-link-freetext" href="https://gitlab.isc.org/isc-projects/bind9/issues/16">https://gitlab.isc.org/isc-projects/bind9/issues/16</a><br>
          [5]
          <a class="moz-txt-link-freetext" href="https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf">https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf</a><br>
          [6] <a class="moz-txt-link-freetext" href="https://github.com/PowerDNS/pdns/issues/2311">https://github.com/PowerDNS/pdns/issues/2311</a><br>
          [7] <a class="moz-txt-link-freetext" href="https://wiki.mozilla.org/Security/DOH-resolver-policy">https://wiki.mozilla.org/Security/DOH-resolver-policy</a><br>
          [8] <a class="moz-txt-link-freetext" href="https://dnsprivacy.org/wiki/">https://dnsprivacy.org/wiki/</a><br>
        </div>
        <br>
      </div>
    </blockquote>
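    <br>
    What the QNAME minimization setting recommended in the quoted message changes on the wire, as an added example that is not part of the original thread: it compares which names each authoritative zone sees from a classic resolver and from an RFC 7816 resolver. The zone apexes and query name are constructed, and caching, NXDOMAIN handling and retries are left out.<br>

```python
# Added illustration of RFC 7816 QNAME minimisation. Zone apexes and the
# query name are constructed sample data; no DNS traffic is sent.

def labels(name):
    """Labels of a domain name, leftmost first; the root has none."""
    return tuple(l for l in name.rstrip(".").split(".") if l)

def fqdn(lbls):
    """Join labels back into an absolute name; no labels means the root."""
    return ".".join(lbls) + "."

def full_trace(qname, qtype, apexes):
    """Classic resolver: every zone on the path sees the full name and type."""
    target = labels(qname)
    known = {labels(z) for z in apexes}
    path = [target[len(target) - n:] for n in range(len(target))]
    return [(fqdn(z), fqdn(target), qtype) for z in path if z in known]

def minimised_trace(qname, qtype, apexes):
    """RFC 7816: reveal one more label per step, asked as QTYPE=NS; only the
    closest enclosing zone gets the full name and the real type."""
    target = labels(qname)
    known = {labels(z) for z in apexes}
    zone, trace = (), []
    for n in range(1, len(target)):
        candidate = target[len(target) - n:]
        trace.append((fqdn(zone), fqdn(candidate), "NS"))
        if candidate in known:      # referral: descend into the child zone
            zone = candidate
    trace.append((fqdn(zone), fqdn(target), qtype))
    return trace

def exposure(trace):
    """Most labels of the query name that each zone's servers got to see."""
    seen = {}
    for zone, name, _ in trace:
        seen[zone] = max(seen.get(zone, 0), len(labels(name)))
    return seen

APEXES = [".", "com.", "example.com."]   # constructed delegation chain
QNAME = "www.intranet.example.com"       # constructed query name

if __name__ == "__main__":
    for label, fn in (("full", full_trace), ("minimised", minimised_trace)):
        print(label, exposure(fn(QNAME, "A", APEXES)))
```

    Each tuple in a trace is (zone queried, name sent, query type); the root and TLD servers see one and two labels with minimization instead of the full four-label name.<br>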
    <br>
  </body>
</html>