Have you seen this draft for adding TLS to DNS?


What would it take to implement in dnsmasq?
Both as a server and as a client.

I am thinking the client support would initially be more interesting:
as upstream DNS servers begin to implement it, at least the requests
dnsmasq forwards would be encrypted. That would solve most of the
problem for the home router situation: local queries to dnsmasq would
be unencrypted (but on the private network), but as they are forwarded
upstream (over a public network) they would be encrypted. Also, it will
take some time for all the other various clients that talk to dnsmasq
to add support (but knowing dnsmasq supports it will encourage others
to implement).

I think adding this to dnsmasq would be the single largest thing that
could be done for increasing adoption and possibly for increasing
metadata privacy on the internet.

I can help coordinate testing, test servers, documentation, etc. if
such an effort is started.
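To make the forwarder-side piece concrete, here is an added illustration (not from the email above and not dnsmasq code) of what a minimal DNS-over-TLS client does on the wire per RFC 7858: build a normal DNS query, prefix it with the two-octet length used for DNS over TCP, send it on port 853 inside a TLS session whose server certificate is verified, and parse the framed answer. The upstream name `dns.example`, the queried name `example.com`, and the response bytes in `offline_demo` are constructed assumptions so the framing and parsing can be exercised without a network.

```python
"""Minimal DNS-over-TLS (RFC 7858) client framing. Added illustration, not
dnsmasq code. Assumed values: query for example.com type A, upstream
'dns.example' on port 853, and a constructed response in offline_demo()."""
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # IANA port for DNS over TLS (RFC 7858)


def build_query(name, qtype=1, txid=None):
    """DNS query in RFC 1035 wire format. qtype 1 = A, flags 0x0100 = RD."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable ID hampers off-path spoofing
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def frame(msg):
    """RFC 7858 s3.3: two-octet big-endian length prefix, as for DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg


def read_framed(recv):
    """Read one framed message; recv(n) must return exactly n bytes."""
    (length,) = struct.unpack("!H", recv(2))
    return recv(length)


def parse_a_answers(resp, txid):
    """Return (rcode, [IPv4 strings]) from a response, checking ID and QR."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")

    def skip_name(o):
        while True:
            l = resp[o]
            if l == 0:
                return o + 1
            if l & 0xC0 == 0xC0:  # compression pointer ends the name
                return o + 2
            o += 1 + l

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # qtype + qclass
    ips = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def query_over_tls(name, server="dns.example", server_name="dns.example",
                   port=DOT_PORT):
    """Send one query over TLS (needs network). The default context verifies
    the chain and hostname; skipping that would let an on-path attacker read
    and forge queries, defeating the privacy gain the email is after."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(q))

            def recv_exact(n):
                buf = b""
                while len(buf) < n:
                    chunk = tls.recv(n - len(buf))
                    if not chunk:
                        raise ConnectionError("closed mid-message")
                    buf += chunk
                return buf
            return parse_a_answers(read_framed(recv_exact), txid)


def offline_demo():
    """Round-trip a constructed response through framing and parsing."""
    q = build_query("example.com", txid=0x1234)
    # Constructed reply: same ID, QR/RD/RA set, one A answer via pointer
    # 0xC00C to the question name, TTL 300, 192.0.2.1 (documentation range).
    resp = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
    buf = bytearray(frame(resp))

    def recv(n):
        chunk = bytes(buf[:n])
        del buf[:n]
        return chunk
    return parse_a_answers(read_framed(recv), 0x1234)


if __name__ == "__main__":
    print(offline_demo())
```

The framing is the only wire-level difference from plain DNS over TCP, which is why the client side is the smaller job; the part that matters for security is the certificate and hostname verification in `query_over_tls`, since an encrypted channel to an unauthenticated upstream gives no protection against an active attacker.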


