[dns-operations] DNS-over-TLS in public resolvers
Willem Toorop
willem at nlnetlabs.nl
Tue Feb 28 21:55:24 UTC 2017
Hear, hear!
Verisign public DNS would be a good candidate too. They already use the
slogan: "A free DNS resolution service that respects your privacy"
-- Willem
On 28-02-17 at 11:35, Stephane Bortzmeyer wrote:
> It seems to me that DNS-over-TLS (RFC 7858) is especially important for
> public DNS resolvers since the first kilometer is long for them. I may
> not care that my DNS requests travel in clear ten meters from my
> office to the corporation's LAN resolver, but it is more a concern if
> I use a remote resolver (Google Public DNS is 14 hops and 4 ASes away
> from my current location, and I'm in California!)
>
> It is not just a matter of encrypting the data, it's also an
> authentication issue (Google Public DNS was already impersonated
> <http://bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/>)
>
> So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
> non-standard DNSCrypt and, for the others (Google, Verisign,
> Yandex...), I find nothing. Isn't it time to push them to add this
> feature?
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>