> DNSoD can run over standard UDP port 53 as defined in [RFC1035]. A DNS client or server that does not implement this specification will not respond to the incoming DTLS packets because they don't parse as DNS packets (the DNS Opcode would be 15, which is undefined).

This is wrong. DNS servers should respond with NOTIMP or FORMERR. The actual rcode is implementation dependent. This is not to say all will respond. Just don't expect silence.

e.g.

; <<>> DiG 9.11.0pre-alpha <<>> +opcode=15 +noedns +header-only +qr +noad
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: RESERVED15, status: NOERROR, id: 25683
;; flags: rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;; QUERY SIZE: 12

;; Got answer:
;; ->>HEADER<<- opcode: RESERVED15, status: NOTIMP, id: 25683
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 24 01:29:00 EST 2015

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
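The opcode-15 probe in the dig output above, and the draft's point about how DTLS bytes read as a DNS header, as an added Python example that is not from the message, the draft or ISC: it builds the same 12-byte header-only query dig sent, decodes a constructed copy of the NOTIMP reply dig received, and decodes the constructed leading bytes of a DTLS 1.2 record as if they were a DNS header (all sample bytes are constructed here, not captured).

```python
import struct

# RCODE names from RFC 1035 (FORMERR=1 and NOTIMP=4 are the ones the reply mentions).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_header(msg_id, opcode, rd=True):
    """Build a 12-byte, question-less DNS header, like dig +opcode=15 +header-only."""
    flags = (opcode & 0xF) << 11          # OPCODE occupies bits 14..11 of the flags word
    if rd:
        flags |= 1 << 8                    # RD bit
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def parse_header(data):
    """Decode the fixed 12-byte DNS header from the start of any datagram."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0xF,
        "rcode_name": RCODES.get(flags & 0xF, "RESERVED"),
        "counts": (qd, an, ns, ar),
    }


# Constructed: the NOTIMP reply dig printed (id 25683, flags "qr rd", all section counts 0).
NOTIMP_REPLY = struct.pack("!HHHHHH", 25683, 0x8000 | (15 << 11) | 0x0100 | 4, 0, 0, 0, 0)

# Constructed: first 13 bytes of a DTLS 1.2 record (content type 0x16 handshake, version
# 0xFEFD, epoch 0, 48-bit sequence 0, length 0xC8). A DNS parser reads only the first 12.
DTLS_RECORD_PREFIX = bytes.fromhex("16 fefd 0000 000000000000 00c8")

if __name__ == "__main__":
    query = build_header(25683, 15)
    print("opcode-15 query:", query.hex(), f"({len(query)} bytes, matches QUERY SIZE: 12)")
    print("dig's reply decoded:", parse_header(NOTIMP_REPLY))
    print("DTLS record read as DNS:", parse_header(DTLS_RECORD_PREFIX))
```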
