[dns-operations] Google DNS in mainland .cn

Warren Kumari warren at kumari.net
Mon Jan 23 22:51:07 UTC 2017

On Sat, Jan 21, 2017 at 3:46 PM John Kristoff <jtk at depaul.edu> wrote:

> This might be best directed at Google, but I'd welcome unofficial
> insight as well.  It doesn't strictly apply just to Google, but they
> are often the de facto resolver choice for many systems.
> I'm interested in the current state of access (DNS client queries)
> to Google DNS resolvers (, and IPv6 equivalent) from
> within mainland China.  Particularly availability and trustworthiness.
> Keyword triggering by the GFW is not a big concern, but the just idea
> that something may be tampered with is not reassuring.
> I'm considering whether it would be OK to utilize a traditional
> resolv.conf that points to Google DNS for some systems or if I should
> just start getting used to implementing something like dnscrypt or DNS
> over TLS to try avoid potential problems.

As the DPRIVE  (https://datatracker.ietf.org/wg/dprive/charter/) co-chair,
I'd suggest going the DNS over TLS route --

There are a number of implementations, and some good documentation --
https://portal.sinodun.com/wiki/display/TDNS is a good place to start.
There is also a quick tutorial / background video here:

If you just want to get started and want to run your own server, I have a
docker container which implements RFC7858 by running NGINX as a TLS proxy
in front of BIND here: https://github.com/wkumari/dprive-nginx-bind

For the client side, stubby (part of the getdns project) --
'tis a daemon which encrypts DNS queries sent from a client machine to a
DNS Privacy resolver. Basically you run it locally and then add
to resolv.conf and it ships your queries over TLS to a DNS over TLS server.
It is simple and jsut works...


> I've searched around the net a bit and have seen some of the GFW papers
> in the past, but a current and clear status of the situation I couldn't
> find.  Thoughts and experience welcome.  Thanks in advance.
> John
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170123/96342453/attachment.html>

More information about the dns-operations mailing list