DoH plugin for BIND

Tue May 5 23:29:17 UTC 2020

On 6/5/20, 02:21, "bind-users on behalf of Chuck Aurora" <bind-users-bounces at lists.isc.org on behalf of ca at nodns4.us> wrote:

    On 2020-05-02 14:35, Reindl Harald wrote:
    > Am 02.05.20 um 21:31 schrieb Chuck Aurora:
    >> On 2020-05-02 13:23, Erich Eckner wrote:
    >>> Will there be client-side DoT/DoH support in bind, too? E.g. will my
    >>> recursive (or forwarding) resolver be able to resolve upstream dns 
    >>> via
    >> 
    >> Well, a recursive resolver cannot use DoT/DoH for iterative queries to
    >> authoritative NS servers, unless authoritative servers offered 
    >> DoT/DoH,
    >> and I don't think that's likely to happen.
    >> 
    >> Basically by deciding you want DoH/DoT upstream, you also have decided
    >> that you want to use forwarders.
    > 
    > says who?
    > 
    > https://urldefense.com/v3/__https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians__;!!N14HnBHF!v42jWsqHVYR66-kDn-I36X0gH8si5RaYdK5EtC2sj_oJv97ch7idccKrJ34oSLUxu9D8ZKU$ 

    Thanks for the reply, but FWIW, I don't have a clue what point you
    intended to make?  I looked at that CIRA page twice, and it is simply
    a DoH/DoT forwarder.  Absolutely nothing in that release mentions any
    change in DNS protocol.

    DoH/DoT covers only one hop: the end user to the recursive resolver.
    Beyond that one hop is good old-fashioned unencrypted DNS.  By using
    DoH/DoT, whether in your own stub resolver or in a [future] BIND, you
    are using that DoH/DoT server as your forwarder.

From all the reading I've done, DoT/DoH is about each individual hop. You control your hop. Beyond you, it's anonymized anyway as a batch/bunch of requests from a recursing resolver. The CIRA service is just inserting themselves as the recursing resolver (even if they implement that via an "app").

SMTP encryption is the same. You can control your hop; what anybody beyond you does is out of your control.

Stuart