[dns-operations] DNS-over-TLS in public resolvers
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Feb 28 19:35:05 UTC 2017
It seems to me that DNS-over-TLS (RFC 7858) is especially important for
public DNS resolvers since the first kilometer is long for them. I may
not care that my DNS requests travel in clear ten meters from my
office to the corporation's LAN resolver, but it is more of a concern if
I use a remote resolver (Google Public DNS is 14 hops and 4 ASes away
from my current location, and I'm in California!).

It is not just a matter of encrypting the data, it's also an
authentication issue (Google Public DNS was already impersonated:
<http://bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/>).

So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
non-standard DNSCrypt and, for the others (Google, Verisign,
Yandex...), I find nothing. Isn't it time to push them to add this
feature?
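An added example (not from this post, the list, or any resolver operator) of the two points made above, as a small Python DoT client: RFC 7858 framing on port 853, and a TLS context that verifies the resolver's certificate chain and server name, so the resolver is authenticated rather than merely reached over an encrypted channel. The resolver name and address are placeholders.

```python
import secrets
import socket
import ssl
import struct
# Placeholders (assumptions): substitute a resolver that publishes a DoT server name.
RESOLVER_NAME = "dot.resolver.example"  # hypothetical TLS server name to verify
RESOLVER_IP = "192.0.2.53"              # documentation address, not a real resolver

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: random ID, RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def unframe(stream: bytes) -> list:
    """Split received bytes into whole DNS messages; a trailing partial one is dropped."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + n > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs

def strict_context() -> ssl.SSLContext:
    """Authenticate the resolver, not just encrypt: CA chain and server name must verify."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED with the system trust store
    ctx.check_hostname = True           # with CERT_NONE a hijacked prefix could answer unnoticed
    return ctx

def query_dot(qname: str, name: str = RESOLVER_NAME, ip: str = RESOLVER_IP) -> bytes:
    """Send one query on port 853 (RFC 7858) and return the raw answer; needs network access."""
    with socket.create_connection((ip, 853), timeout=5) as raw, \
            strict_context().wrap_socket(raw, server_hostname=name) as tls:
        tls.sendall(frame(query := build_query(qname)))
        buf = b""
        while not unframe(buf):  # keep reading until one complete message has arrived
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("resolver closed the connection")
            buf += chunk
        answer = unframe(buf)[0]
        if answer[:2] != query[:2]:  # the answer must carry the ID we sent
            raise ValueError("transaction ID mismatch")
        return answer
```

Only `query_dot` touches the network; the framing and TLS-policy helpers can be exercised offline.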