[dns-operations] Re: A dns-proxy for DNS over HTTP(s)

Paul Vixie paul at redbarn.org
Sun May 17 21:24:48 UTC 2015



Paul Wouters wrote:
> On Sun, 17 May 2015, Davey Song (宋林健) wrote:
>
>> Thank you for your feedback.
>>
>> I will look into the feature of unbound, you mean unbound also support
>> HTTP(s)?
>
> ...
>
> It is used by dnssec-trigger in a last-ditch attempt if the dhcp
> supplied server is dnssec-broken and port 53 is not free or
> redirected to the broken server. It instructs unbound to use these
> servers over TLS on port 443 for raw TCP DNS. The only downside is
> it is not keeping a persistent TCP (or TLS) connection, so it is
> terribly slow and leads to timeouts.

then, this proxy is not compatible with that. we expect to be the
primary stub/recursive transport, and it's all built to that scale. i
want to prove that this can work, so that opendns and googledns and
others can just set themselves up on port 443, and stop worrying about
isp-in-the-middle attacks against their responses, especially their
nxdomain responses.

>
>> It's my mistake, please try http://24.104.150.213
>
> I'm confused as that is not using TLS?

because i'm too cheap to buy an x.509 cert. but if you want to try it,
it's at

https://family.redbarn.org

do note, you can't use a host name in your proxy URL (-s arg to
proxy_dns_gw) if you also use your own server in your resolv.conf.
(creates a lovely out-of-tcp-sockets self-ddos.) so if you want to use
https, don't list your own server in its resolv.conf file. (that
otherwise does work, because other than this, proxy_dns_gw makes no stub
lookups of its own.) [patches welcome!]

-- 
Paul Vixie
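The self-lookup loop described above (a host name in the `-s` URL while resolv.conf points at the proxy itself) can be caught before the daemon is started. The following is an added example and not part of proxy_dns_gw; it assumes the caller supplies the URL given to `-s`, the resolv.conf text, and the addresses the proxy itself answers DNS on, and the sample resolv.conf is constructed.

```python
"""Pre-start sanity check for the proxy_dns_gw self-lookup loop.

Added example, not proxy_dns_gw code. The loop arises when the -s URL names
a host (so the proxy must do a stub lookup of it) and resolv.conf sends that
lookup to the proxy itself. All inputs here are supplied by the caller.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def url_host_is_literal(url):
    """True if the URL's host is an IPv4/IPv6 literal, i.e. no lookup needed."""
    host = urlsplit(url).hostname  # strips brackets and any :port
    if host is None:
        raise ValueError(f"proxy URL has no host: {url!r}")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_loop(proxy_url, resolv_conf_text, listen_addrs):
    """Return a list of problems; an empty list means no self-lookup loop.

    listen_addrs: the addresses this proxy serves DNS on (assumed input).
    """
    problems = []
    if url_host_is_literal(proxy_url):
        return problems  # the proxy makes no stub lookup, so no loop
    mine = {ipaddress.ip_address(a) for a in listen_addrs}
    for ns in parse_resolv_conf(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(ns.split("%", 1)[0])  # drop scope id
        except ValueError:
            problems.append(f"unparseable nameserver {ns!r}")
            continue
        if addr in mine:
            problems.append(f"nameserver {ns} is this proxy; the host in "
                            f"{proxy_url} would be resolved through itself")
    return problems
```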


