[dns-operations] charter, sitefinder, opendns (slashdot today)
jpv at veldersjes.net
Thu Feb 15 22:48:44 UTC 2007
> Date: Thu, 15 Feb 2007 12:14:50 -0800 (PST)
> From: Duane Wessels <wessels at packet-pushers.com>
> Subject: Re: [dns-operations] charter, sitefinder, opendns (slashdot today)
> On Thu, 15 Feb 2007, Paul Vixie said:
> > yes. which is why i'm trying to get mark kosters to dust off his plan for
> > carrying DNS messages inside HTML. udp/53 and tcp/53 are just transports;
> Seems like a step sideways to me. Charter probably already has
> HTTP interceptors in place, so they could just as easily block DNS
> over HTTP.
They could, but they'd be in a whole different problem area if they
were going to block based on returned content (which is different
from blocking based on destination)... That does not mean that there
aren't ISPs who do this already... :(
> > a dns server like BIND could also listen on tcp/80, and if a schema were
> > well defined and standardized, then folks like opendns could use it. then
> > we'll see tcp/443 (https) in order to force isp's to keep their hands off.
> Maybe we should wish for DNS over SSL/TLS (dnss?) and skip the HTTP
> part. But I doubt guys like OpenDNS would be eager to do the SSL
> handshakes with all their clients either way.
From the server viewpoint, authenticating clients might also be
something to give more and more thought to... Say that I, being part
of a corporation or university, am being confronted with my people
having more and more problems whilst travelling because of these DNS
issues. I might want to provide them with the same level of DNS
service on the road as they're accustomed to at the office. How
the heck do you do that without VPNs and without running an open
recursive nameserver?
Something like SSL/TLS would allow both client and server to
authenticate against each other, but the SSL/crypto overhead and TCP vs
UDP issues might prove troublesome at various levels...
Oh boy, I recall my boss asking if there wasn't an RFC about this... ;D
(and if "we" shouldn't write one...)