[dns-operations] DNS over TLS: slowly happening

bert hubert bert.hubert at powerdns.com
Tue Jun 26 09:09:55 UTC 2018


Hi everyone,

[tl;dr enable DNS over TLS on your resolvers and CPE/modem if you can]

As announced in https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
Android "P" will attempt to talk DNS over TLS to its resolver by default.

We've asked a few very large scale resolver operators (at service providers)
if they see this happening already and they confirm, but it is tiiiiiny.

Among tens of millions of subscribers "dozens" of IP addresses attempt
connections to port 853 of resolvers. 

The reason this does not yet happen a lot is of course partly because
Android P is not widely deployed, but also because most service providers
now provision their modem/router/CPE/default GW as nameserver.

And in fact, most of the attempts we have heard of come from mobile phones
on cellular networks, and not from home wifi. 

Anyhow, if you are planning DNS operations, be aware phones will start
attempting to talk 853 to your CPE. And if you are a mobile operator, expect
the same to happen on your resolvers.

We are aware of at least one moderately large service provider that will
enable DNS over TLS on their resolvers. 

(Mobile) service providers that want to prevent their users from eventually
receiving the popup "your internet connection is not secure, use our private
lookup service?" may want to ponder doing the same.

	Bert
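An added example (not part of Bert's post or of PowerDNS) of the measurement the post describes: given flow records from a resolver or CPE, count how many distinct client addresses attempt TCP/853 compared with plain port-53 lookups. The record format and the sample lines are constructed assumptions.

```python
"""Tally DNS-over-TLS (TCP/853) attempts per resolver from flow records."""
from collections import defaultdict

# Constructed sample records (assumed format, not from any real network):
# <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
# 198.51.100.53 plays the ISP resolver, 192.0.2.1 a home CPE.
SAMPLE_FLOWS = """\
1530000001 203.0.113.10 198.51.100.53 tcp 853
1530000002 203.0.113.11 198.51.100.53 udp 53
1530000003 203.0.113.10 198.51.100.53 tcp 853
1530000004 203.0.113.12 192.0.2.1 tcp 853
1530000005 203.0.113.13 198.51.100.53 tcp 53
1530000006 203.0.113.14 198.51.100.53 udp 53
1530000007 203.0.113.12 192.0.2.1 tcp 853
"""


def dot_clients_per_resolver(flow_text):
    """Return {dst_ip: (distinct TCP/853 clients, distinct DNS clients)}."""
    dot = defaultdict(set)
    dns = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records rather than crash
        _, src, dst, proto, port = fields
        if proto == "tcp" and port == "853":
            dot[dst].add(src)
            dns[dst].add(src)
        elif port == "53":
            dns[dst].add(src)
    return {dst: (len(dot[dst]), len(dns[dst])) for dst in dns}


def dot_share(flow_text):
    """Fraction of all distinct DNS clients that attempted TCP/853 anywhere."""
    dot_clients, all_clients = set(), set()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, src, _, proto, port = fields
        if proto == "tcp" and port == "853":
            dot_clients.add(src)
            all_clients.add(src)
        elif port == "53":
            all_clients.add(src)
    return len(dot_clients) / len(all_clients) if all_clients else 0.0


if __name__ == "__main__":
    for dst, (dot_n, dns_n) in dot_clients_per_resolver(SAMPLE_FLOWS).items():
        print(f"{dst}: {dot_n} of {dns_n} distinct clients tried TCP/853")
    print(f"overall DoT-attempting share: {dot_share(SAMPLE_FLOWS):.1%}")
```

Run it against exported flow or conntrack data in the same field order to see whether the "dozens among tens of millions" figure holds on your own resolvers, and whether the 853 attempts land on the resolver or on the CPE.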


