[Dnsmasq-discuss] DNS-over-TLS

Simon Kelley simon at thekelleys.org.uk
Fri Apr 20 22:25:32 BST 2018


On 18/04/18 16:44, Daniel wrote:
> Hello,
> 
> In October, 2017 Matt Taggart asked for an updated opinion on supporting
> DNS-over-TLS, but didn't receive any responses.
> 
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q4/011804.html
> 
> Is this something Dnsmasq is interested in adding native support for, or
> is a proxy-based solution going to remain the recommended configuration?

Native support is a non-trivial amount of effort. It requires that
dnsmasq use TCP routinely for upstream communication, which it doesn't
currently do (and can't, for reasons about the way concurrency is
managed and the emphasis on storing the minimal amount of state
possible to keep dnsmasq resource use low.)

There's quite a strong argument that the proxy-based solution is
actually the optimal way to implement this. Why reproduce the logic for
connection management, sharing and garbage collection which the proxy
has, when the proxy already does it, and the interface between that
function and what dnsmasq already does with UDP DNS queries is a good one?

Is DNS-over-TLS something that would be used, or just another solution
looking for a problem? By chance I came across this today:

https://blog.apnic.net/2018/04/10/opinion-stuffing-the-camel-into-the-bikeshed/

Arguably, dnsmasq survives by picking and implementing the DNS features
that people actually want, rather than attempting to swallow the whole
camel. Is TLS wanted, or camel?


Cheers,

Simon.

> 
> Thank you,
> Daniel White
> 