[dns-operations] charter, sitefinder, opendns (slashdot today)

JP Velders jpv at veldersjes.net
Thu Feb 15 22:48:44 UTC 2007


> Date: Thu, 15 Feb 2007 12:14:50 -0800 (PST)
> From: Duane Wessels <wessels at packet-pushers.com>
> Subject: Re: [dns-operations] charter, sitefinder, opendns (slashdot today)

> On Thu, 15 Feb 2007, Paul Vixie said:

> > yes.  which is why i'm trying to get mark kosters to dust off his plan for
> > carrying DNS messages inside HTML.  udp/53 and tcp/53 are just transports;

> Seems like a step sideways to me.  Charter probably already has
> HTTP interceptors in place, so they could just as easily block DNS
> over HTTP.

They could, but they'd be in a whole different problem area if they 
were going to block based on returned content (which is different 
than blocking based on destination)... That does not mean that there 
aren't ISPs who do this already... :(

> > a dns server like BIND could also listen on tcp/80, and if a schema were
> > well defined and standardized, then folks like opendns could use it.  then
> > we'll see tcp/443 (https) in order to force isp's to keep their hands off.

> Maybe we should wish for DNS over SSL/TLS (dnss?) and skip the HTTP
> part.  But I doubt guys like OpenDNS would be eager to the SSL
> handshakes with all their clients either way.

From the server viewpoint, authenticating clients might also be 
something to give more and more thought to... Say that I, being part 
of a corporation or university, am being confronted with my people 
having more and more problems whilst travelling because of these DNS 
issues. I might want to provide them with the same level of DNS 
service on the road as they're accustomed to at the office. How 
the heck do you do that without VPNs and without running an open 
recursive nameserver?

Something like SSL/TLS would allow both client and server to 
authenticate against each other, but the SSL/crypto overhead and TCP vs 
UDP issues might prove troublesome at various levels...

Oh boy, I recall my boss asking if there wasn't an RFC about this... ;D
(and if "we" shouldn't write one...)

Kind regards,
JP Velders
