[dns-operations] DNS-over-TLS in public resolvers

Paul Hoffman phoffman at proper.com
Tue Feb 28 21:21:16 UTC 2017


On 28 Feb 2017, at 11:35, Stephane Bortzmeyer wrote:

> It seems to me that DNS-over-TLS (RFC 7858) is especially important for
> public DNS resolvers since the first kilometer is long for them. I may
> not care that my DNS requests travel in clear ten meters from my
> office to the corporation's LAN resolver, but it is more a concern if
> I use a remote resolver (Google Public DNS is 14 hops and 4 ASes away
> from my current location, and I'm in California!)
>
> It is not just a matter of encrypting the data, it's also an
> authentication issue (Google Public DNS was already impersonated
> <http://bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/>)
>
> So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
> non-standard DNScrypt and, for the others (Google, Verisign,
> Yandex...), I find nothing. Isn't it time to push them to add this
> feature?

Another way to ask is: how can we encourage some/many of the public 
resolvers to do so? Is there someone on this list from the part of 
Verisign that runs 64.6.64.6 or from Comodo 8.26.56.26? It could look 
very forward-looking of a public resolver to do this, for example.

--Paul Hoffman
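As an added example (not from the thread or from any resolver operator), a stdlib-only Python client for what RFC 7858 specifies: the query is framed with the two-octet length prefix of DNS-over-TCP and sent over TLS to port 853, and the connection is only used if the resolver's certificate chain verifies for a name its operator publishes. `resolver_ip` and `resolver_name` are caller-supplied placeholders, not values from the thread.

```python
import secrets
import socket
import ssl
import struct

def build_query(qname, qtype=1, txid=None):
    """Minimal RFC 1035 query: 12-byte header (RD set) plus one question."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # unpredictable ID (RFC 5452)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def frame(msg):
    """RFC 7858 keeps the TCP framing of RFC 1035: two-octet big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))  # TLS records may split one DNS message
        if not chunk:
            raise ConnectionError("resolver closed the connection mid-message")
        buf += chunk
    return buf

def read_frame(sock):
    """Read one length-prefixed DNS message from a connected (TLS) socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)

def parse_header(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "answers": an}

def dot_query(resolver_ip, resolver_name, qname, qtype=1):
    """Authenticated DoT on port 853: the handshake fails unless the resolver
    presents a CA-trusted certificate valid for resolver_name (RFC 7858 sec. 3.2)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on
    query = build_query(qname, qtype)
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame(query))
            resp = read_frame(tls)
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response ID does not match the query")
    return hdr
```

The hostname check is what turns an encrypted channel into an authenticated one: a party that hijacks the resolver's address, as in the BGPmon incident Stephane cites, can terminate TLS but cannot present a CA-issued certificate for the operator's name.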
