[Dnsmasq-discuss] DNS-over-TLS
Lonnie Abelbeck
lists at lonnie.abelbeck.com
Sat May 5 16:41:34 BST 2018
> On Apr 16, 2018, at 4:02 PM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
>
>
> On Oct 19, 2017, at 7:16 PM, Matt Taggart <taggart at riseup.net> wrote:
>
>> Hi,
>>
>> Back in Sept 2015 I started a thread about DNS-over-TLS
>>
>> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q3/009833.html
>>
>> Since then there is now RFC7858 ( https://tools.ietf.org/html/rfc7858 )
>> and port 853 (tcp) has been assigned for this use.
>>
>> The following have support:
>> * unbound https://unbound.net/
>> * knot-resolver https://www.knot-resolver.cz/
>> * stubby https://dnsprivacy.org/wiki/display/DP/About+Stubby
>>
>> Will dnsmasq get native support or will you recommend some sort of proxy solution instead?
>>
>> If you need servers to test against, there is a list at
>> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
>>
>> Thanks,
>>
>> --
>> Matt Taggart
>> taggart at riseup.net
>
> Our project (AstLinux) just added getdns/stubby as a DNS-TLS proxy in front of dnsmasq, so far it is working great!
>
> Personally, I have selected Quad9 as my provider, they seem to do DNS-TLS quite well and support the 10 second idle connection timeout in my stubby config reducing new TLS connections.
>
> -- snippet /etc/dnsmasq.conf --
> no-resolv
> proxy-dnssec
> server=127.0.0.1#2853
> --
>
> -- snippet /etc/stubby/stubby.yml --
> listen_addresses:
> - 127.0.0.1@2853
> --
>
> I do not enable DNSSEC validation in either stubby or dnsmasq, Quad9 does the DNSSEC validation with "proxy-dnssec" in dnsmasq passing it down.
Apologies for following up on my own post ...
DNSSEC question: is there any benefit to enabling local DNSSEC validation in stubby (DNSSEC disabled in dnsmasq) with "proxy-dnssec" and a DNSSEC-validating provider like Quad9 or Cloudflare?
The only difference I see is the signing algorithms supported (https://rootcanary.org/test.html).
Lonnie
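A worked example added here to illustrate what the "proxy-dnssec" setup in this thread actually passes through; it is not code from the thread, from dnsmasq or from stubby. With "proxy-dnssec", dnsmasq copies the Authenticated Data (AD) bit it receives from the upstream (here stubby, and behind it Quad9 over TLS) to its clients instead of validating itself. The script builds a query with the EDNS0 DO bit set, parses a constructed wire-format response (the sample bytes and the 192.0.2.1 address are made up), and reports whether the AD bit is present and whether it should be relied on: an upstream's AD bit only means something when the channel to that upstream is authenticated, which is exactly what DNS-over-TLS provides and plain UDP to a public resolver does not. All function and constant names are my own.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
DNS_FLAG_QR = 0x8000
DNS_FLAG_RD = 0x0100
DNS_FLAG_RA = 0x0080
DNS_FLAG_AD = 0x0020  # Authenticated Data: set by a validating resolver
DNS_FLAG_CD = 0x0010  # Checking Disabled
EDNS_DO = 0x8000      # DNSSEC OK bit in the OPT record's flags field
TYPE_OPT = 41


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, want_dnssec=True):
    """Build a recursive query; with want_dnssec an OPT record carrying DO is appended."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE=41, UDP payload 4096, ext-RCODE 0, version 0, flags DO, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Extract the fields that matter for DNSSEC pass-through: RCODE, AD, CD, DO."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == TYPE_OPT:
            # In OPT the 32-bit TTL slot holds ext-RCODE, version and the flags (DO is bit 15)
            do = bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return {
        "id": txid,
        "rcode": flags & 0xF,
        "ad": bool(flags & DNS_FLAG_AD),
        "cd": bool(flags & DNS_FLAG_CD),
        "do": do,
        "answers": an,
    }


def assess(parsed, channel_authenticated):
    """Decide what a forwarded AD bit is worth, given how the upstream was reached."""
    if not parsed["ad"]:
        return "unvalidated"
    if channel_authenticated:          # e.g. stubby -> Quad9 over TLS (RFC 7858)
        return "validated-by-upstream"
    return "ad-from-unauthenticated-channel"  # plain UDP: anyone on path could set AD


# Constructed sample response: ID 0x1234, flags QR|RD|RA|AD, one A answer, one OPT with DO.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, DNS_FLAG_QR | DNS_FLAG_RD | DNS_FLAG_RA | DNS_FLAG_AD, 1, 1, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    parsed = parse_response(SAMPLE_RESPONSE)
    print(parsed)
    print("over TLS   :", assess(parsed, channel_authenticated=True))
    print("over UDP   :", assess(parsed, channel_authenticated=False))
```

Pointing the query at a local dnsmasq that forwards to stubby with "proxy-dnssec" lets you confirm the AD bit survives the hop; with the directive removed, dnsmasq strips it, which is the observable difference between the two configurations discussed above.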