<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">For anyone considering enabling DOH, I seriously recommend reviewing Paul Vixie’s keynote at SCaLE 18x Saturday morning.<div class=""><br class=""></div><div class=""><a href="https://www.youtube.com/watch?v=artLJOwToVY" class="">https://www.youtube.com/watch?v=artLJOwToVY</a></div><div class=""><br class=""></div><div class="">It contains a great deal of food for thought on a variety of forms of giving control over to corporations over things you probably don’t really want corporations controlling in your life.</div><div class=""><br class=""></div><div class="">Owen</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Sep 27, 2019, at 10:33 , Curtis Maurand <<a href="mailto:cmaurand@xyonet.com" class="">cmaurand@xyonet.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none; float: none; display: inline !important;" class="">powerdns dnsdist supports dns over https so you don't have to be held hostage by cloudflare or google.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; 
font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none;" class=""><div class="moz-cite-prefix" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none;">On 9/18/19 10:19 AM, Mike Hammett wrote:<br class=""></div><blockquote type="cite" cite="mid:471000904.3915.1568816367898.JavaMail.mhammett@ThunderFuck" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none;" 
class=""><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;" class="">Why on Earth would anyone want that (Firefox deciding to do its own DNS) as default behavior?<br class=""><br class=""><div class=""><span name="x" class=""></span><br style="" class=""><br style="" class=""><span style="" class="">-----</span><br style="" class=""><span style="" class="">Mike Hammett</span><br style="" class=""><a href="http://www.ics-il.com/" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class="">Intelligent Computing Solutions</a><br style="" class=""><a href="https://www.facebook.com/ICSIL" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/fbicon.png" moz-do-not-send="true" class=""></a><a href="https://plus.google.com/+IntelligentComputingSolutionsDeKalb" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/googleicon.png" moz-do-not-send="true" class=""></a><a href="https://www.linkedin.com/company/intelligent-computing-solutions" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/linkedinicon.png" moz-do-not-send="true" class=""></a><a href="https://twitter.com/ICSIL" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/twittericon.png" moz-do-not-send="true" class=""></a><br style="" class=""><a href="http://www.midwest-ix.com/" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class="">Midwest Internet Exchange</a><br style="" class=""><a href="https://www.facebook.com/mdwestix" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/fbicon.png" moz-do-not-send="true" class=""></a><a href="https://www.linkedin.com/company/midwest-internet-exchange" 
target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/linkedinicon.png" moz-do-not-send="true" class=""></a><a href="https://twitter.com/mdwestix" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/twittericon.png" moz-do-not-send="true" class=""></a><br style="" class=""><a href="http://www.thebrotherswisp.com/" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class="">The Brothers WISP</a><br style="" class=""><a href="https://www.facebook.com/thebrotherswisp" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/fbicon.png" moz-do-not-send="true" class=""></a><a href="https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg" target="_blank" rel="nofollow noopener noreferrer" moz-do-not-send="true" class=""><img src="http://www.ics-il.com/images/youtubeicon.png" moz-do-not-send="true" class=""></a><span name="x" class=""></span><br class=""></div><hr id="zwchr" class=""><div style="font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica, Arial, sans-serif; font-size: 12pt;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b>"Jeroen Massar"<span class="Apple-converted-space"> </span><a class="moz-txt-link-rfc2396E" href="mailto:jeroen@massar.ch"><jeroen@massar.ch></a><br class=""><b class="">To:<span class="Apple-converted-space"> </span></b>"NANOG"<span class="Apple-converted-space"> </span><a class="moz-txt-link-rfc2396E" href="mailto:nanog@nanog.org"><nanog@nanog.org></a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Wednesday, September 18, 2019 2:15:49 AM<br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users<br 
class=""><br class="">Hi Folks,<br class=""><br class="">While in the US soon all Firefox users will *NOT* use your DNS Recursives configured using DHCP anymore<br class="">(NXDOMAIN<span class="Apple-converted-space"> </span><a href="http://use-application-dns.net/" class="">use-application-dns.net</a><span class="Apple-converted-space"> </span>to avoid that[1]).<br class="">Next to that, it seems some of the root operators are now creating instances in the same networks that offer these kinds of services for globally figuring out what queries are being made.<br class=""><br class=""><br class="">For those that thus either opt-out or otherwise want to use their own system resolvers, I suggest that all that run<br class="">DNS Recursive setups enable "QNAME minimization" as defined in (experimental) RFC7816 [2]<br class=""><br class="">For pdns "qname-minimization=yes" [6]<br class="">For unbound "qname-minimisation: yes" [5]<br class="">For BIND "qname-minimization" option [3] and [4]<br class=""><br class="">Of course, do also provide your users with the option of using DoT or even DoH on your recursors...<br class=""><br class="">Noting that DoH operators are supposed to enable RFC7816 also [7], guess they do not want others to see all the details they get...<br class=""><br class="">Some more details in DNS Privacy Wiki [8]...<br class=""><br class="">Discuss! 
:)<br class=""><br class="">Greets,<br class=""> Jeroen<br class=""><br class=""><br class="">[1]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https">https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https</a><br class="">[2]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc7816">https://tools.ietf.org/html/rfc7816</a><br class="">[3]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://www.isc.org/blogs/qname-minimization-and-privacy/">https://www.isc.org/blogs/qname-minimization-and-privacy/</a><br class="">[4]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://gitlab.isc.org/isc-projects/bind9/issues/16">https://gitlab.isc.org/isc-projects/bind9/issues/16</a><br class="">[5]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf">https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf</a><br class="">[6]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://github.com/PowerDNS/pdns/issues/2311">https://github.com/PowerDNS/pdns/issues/2311</a><br class="">[7]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://wiki.mozilla.org/Security/DOH-resolver-policy">https://wiki.mozilla.org/Security/DOH-resolver-policy</a><br class="">[8]<span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://dnsprivacy.org/wiki/">https://dnsprivacy.org/wiki/</a><br class=""></div><br class=""></div></blockquote><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; 
text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none;" class=""><br class="Apple-interchange-newline"></div></blockquote></div><br class=""></div></body></html>
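The privacy gain Jeroen's quoted message asks operators to enable is easiest to see by tracing which query names each authoritative server observes. The following simulation of the RFC 7816 algorithm is an added example, not code from the thread or from any of the resolvers it names; the delegation tree (root, com, example.com) is constructed sample data.

```python
"""Added example, not from the thread: simulate RFC 7816 QNAME minimisation and
show which names each authoritative server learns, with and without it.
The delegation tree below is constructed sample data, not real DNS."""

# Constructed sample delegations: "" is the root zone, the rest are zone cuts.
# A minimising resolver does not know these up front; it discovers them.
ZONE_CUTS = {"", "com", "example.com"}

def labels(qname):
    """'www.Example.com.' -> ['www', 'example', 'com'] (case-folded, no root dot)."""
    return [l.lower() for l in qname.strip(".").split(".") if l]

def zone_path(qname):
    """Zone cuts on the way to qname, from the root downward."""
    ls = labels(qname)
    cands = [".".join(ls[len(ls) - i:]) for i in range(len(ls) + 1)]
    return [c for c in cands if c in ZONE_CUTS]

def classic_queries(qname):
    """No minimisation: the full QNAME goes to every server on the delegation path."""
    full = ".".join(labels(qname))
    return [(zone or "<root>", full, "A") for zone in zone_path(qname)]

def minimised_queries(qname):
    """RFC 7816: ask each server for one label more than the zone it serves,
    with QTYPE NS, until the name is complete; only then send the real query."""
    ls = labels(qname)
    full = ".".join(ls)
    queries, zone = [], ""            # start at the root, the only known cut
    for depth in range(1, len(ls)):    # stop one label short of the full name
        cand = ".".join(ls[len(ls) - depth:])
        queries.append((zone or "<root>", cand, "NS"))
        if cand in ZONE_CUTS:          # referral received: descend into the child zone
            zone = cand
        # no cut at cand: keep asking the same server, with one more label
    queries.append((zone or "<root>", full, "A"))
    return queries

def names_seen_by(queries):
    """Map each server (zone) to the set of query names it observed."""
    seen = {}
    for server, name, _ in queries:
        seen.setdefault(server, set()).add(name)
    return seen

if __name__ == "__main__":
    q = "www.corp.example.com"
    for mode, fn in (("classic", classic_queries), ("minimised", minimised_queries)):
        print(mode)
        for server, name, qtype in fn(q):
            print(f"  {server:12} <- {qtype} {name}")
```

With minimisation the root server only ever sees "com" and the com servers only "example.com"; without it, every server on the path sees the full hostname.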