[Dnsmasq-discuss] DNS-over-TLS

Matt Taggart taggart at riseup.net
Tue Sep 8 23:58:42 BST 2015 

Hi Simon,

Thanks for the comments. Here is a little more info I found.

Simon Kelley writes:
> It actually not that easy to do. DNS-over-TLS happens, by necessity,
> over TCP. Your interesting client support scenario would require that
> dnsmasq receive queries over UDP and forward then over TCP-with-TLS.
> Dnsmasq is optimised to forward DNS-over-UDP queries very efficiently.
> It does a passable job forwarding DNS-over-TCP. The architecture pretty
> much precludes receiving over UDP and then forwarding over TCP, which is
> a problem, as that's exactly what's needed for the TLS case.

Good point.

> Lonnie's
> example using DNSCrypt is probably the most sensible way to implement
> this, as least to start with.

I think DNSCrypt may be different than what the IETF WG is working on (aka 
'dprive'?)

https://github.com/jedisct1/dnscrypt-proxy/blob/master/DNSCRYPT-V2-PROTOCOL.
txt

but I don't yet understand the differences.

Also there there is T-DNS

https://ant.isi.edu/tdns/index.html

(maybe an implementation of what the WG is working on?)
This blog post has some interesting links

http://www.gabriel.urdhr.fr/2015/02/14/recursive-dns-over-tls-over-tcp-443/

> Second, "is the proposed mechanism worth implementing".
> 
> Frankly, it sucks. The problem is that it specifies the same simple
> framing for DNS queries and answers over TCP that's used in RFC1035. The
> requestor sends the query, preceded by its length, then listens for the
> answer, again preceded by its length. The effect is that you need one
> TCP connection for DNS query in-flight. But now you need a TLS
> negotiation for each one too. Imagine you open a typical busy web page,
> it has 50 different DNS resolutions to do, and they all get fired off at
> once. The DNS resolver now needs 50 TLS connections to your ISPs DNS
> server, or it has to start serialising the DNS resolution. Once you have
> you 50 answers, your DNS resolver is mandated to keep the connections
> around, so that it doesn't need to open  them again when you go to the
> next page. So your ISP's DNS server, instead of doing stateless UDP, has
> to hold 50 TLS connections for every customer. Really? The hardware
> suppliers will be pleased. Much, much better to define a method to
> multiplex multiple questions and answers over _one_ TLS stream.

I think the WG has thought of some of these things, some of it is
addressed in these slides

https://www.ietf.org/proceedings/91/slides/slides-91-dprive-5.pdf

-- 
Matt Taggart
taggart at riseup.net

More information about the Dnsmasq-discuss mailing list