[dns-operations] Google DNS in mainland .cn

Warren Kumari warren at kumari.net
Mon Jan 23 22:51:07 UTC 2017


On Sat, Jan 21, 2017 at 3:46 PM John Kristoff <jtk at depaul.edu> wrote:

> This might be best directed at Google, but I'd welcome unofficial
> insight as well.  It doesn't strictly apply just to Google, but they
> are often the de facto resolver choice for many systems.
>
> I'm interested in the current state of access (DNS client queries)
> to Google DNS resolvers (8.8.8.8, 8.8.4.4 and IPv6 equivalent) from
> within mainland China.  Particularly availability and trustworthiness.
> Keyword triggering by the GFW is not a big concern, but just the idea
> that something may be tampered with is not reassuring.
>
> I'm considering whether it would be OK to utilize a traditional
> resolv.conf that points to Google DNS for some systems or if I should
> just start getting used to implementing something like dnscrypt or DNS
> over TLS to try to avoid potential problems.
>

As the DPRIVE (https://datatracker.ietf.org/wg/dprive/charter/) co-chair,
I'd suggest going the DNS over TLS route --
https://datatracker.ietf.org/doc/rfc7858/

There are a number of implementations, and some good documentation --
https://portal.sinodun.com/wiki/display/TDNS is a good place to start.
There is also a quick tutorial / background video here:
https://www.youtube.com/watch?v=2JeYIecfwdc

If you just want to get started and want to run your own server, I have a
docker container which implements RFC7858 by running NGINX as a TLS proxy
in front of BIND here: https://github.com/wkumari/dprive-nginx-bind

For the client side, stubby (part of the getdns project) --
https://portal.sinodun.com/wiki/display/TDNS/DNS+Privacy+daemon+-+Stubby
'tis a daemon which encrypts DNS queries sent from a client machine to a
DNS Privacy resolver. Basically you run it locally and then add 127.0.0.1
to resolv.conf and it ships your queries over TLS to a DNS over TLS server.
It is simple and just works...

W



>
> I've searched around the net a bit and have seen some of the GFW papers
> in the past, but a current and clear status of the situation I couldn't
> find.  Thoughts and experience welcome.  Thanks in advance.
>
> John
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
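
The DNS over TLS exchange recommended in the reply above, as an added example that is not part of the original message or of any project it links to: a DNS query is sent with the two-byte length prefix used for DNS over TCP, inside a TLS session on port 853 (RFC 7858). Verifying the server certificate against a caller-supplied name is an assumption of this example, and `server_ip`, `auth_name` and all function names are hypothetical.

```python
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Encode a one-question DNS query (class IN, RD bit set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """Prefix the message with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(msg)) + msg

def read_framed(recv) -> bytes:
    """Read one length-prefixed message via recv(n), tolerating short reads."""
    def exact(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", exact(2))
    return exact(length)

def check_reply(query: bytes, reply: bytes) -> int:
    """Return the RCODE; reject a reply that is not a response to this query."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("reply does not match query")
    return flags & 0x000F

def dot_query(server_ip: str, auth_name: str, name: str, timeout: float = 5.0) -> bytes:
    """Resolve `name` over TLS; fails closed if the certificate does not verify."""
    ctx = ssl.create_default_context()  # verifies chain and hostname (assumed policy)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            query = build_query(name)
            tls.sendall(frame(query))
            reply = read_framed(tls.recv)
            check_reply(query, reply)
            return reply
```

A certificate failure raises `ssl.SSLCertVerificationError` before any query is sent, so a tampered path produces an error rather than a silently altered answer.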