The RIPE Atlas probes, really useful for testing Internet servers from
several vantage points, can now do DNS-over-TLS.

Starting with version 1.1.4, the blaeu program (article in
<https://labs.ripe.net/Members/stephane_bortzmeyer/creating-ripe-atlas-one-off-measurements-with-blaeu>,
source code and issue tracker in
<https://framagit.org/bortzmeyer/blaeu>) can exploit this feature:

Without TLS:

% blaeu-resolve --nameserver 9.9.9.9 --displayrtt  www.ietf.org
Nameserver 9.9.9.9
[2400:cb00:2048:1::6814:155 2400:cb00:2048:1::6814:55] : 5 occurrences Average RTT 298 ms
Test #14440420 done at 2018-06-16T07:10:53Z

With TLS, on the same Atlas probes (note the different RTT):

% blaeu-resolve --nameserver 9.9.9.9 --displayrtt --tls --old_measurement 14440420  www.ietf.org
Nameserver 9.9.9.9
[2400:cb00:2048:1::6814:155 2400:cb00:2048:1::6814:55] : 5 occurrences Average RTT 2806 ms
Test #14440421 done at 2018-06-16T07:14:05Z

Unfortunately, the current TLS client in the Atlas probes is a bit old
and does not work with servers which require the very latest TLS 
options/ciphers/etc:

% blaeu-resolve --nameserver 1.1.1.1 --displayrtt --tls   www.ietf.org
Nameserver 1.1.1.1
[TUCONNECT (may be a TLS negotiation error)] : 5 occurrences Average RTT 0 ms
Test #14440463 done at 2018-06-16T07:17:06Z

And of course if the server has no TLS available, it fails:

% blaeu-resolve --nameserver 8.8.8.8 --displayrtt --tls   www.ietf.org
Nameserver 8.8.8.8
[TIMEOUT] : 5 occurrences Average RTT 0 ms
Test #14440464 done at 2018-06-16T07:17:54Z
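
A small parser for pasted blaeu-resolve sessions like the ones above, as an added example that is not part of the original message or of blaeu: per nameserver, it reports how the DNS-over-TLS runs ended and the plain versus TLS RTT. The function names and result labels are assumptions, and the only error strings it recognises are the two shown in the message (TUCONNECT, TIMEOUT).

```python
import ipaddress
import re
# Constructed sample: command and result lines of the four runs above, wrapped lines rejoined.
SAMPLE = """\
% blaeu-resolve --nameserver 9.9.9.9 --displayrtt www.ietf.org
[2400:cb00:2048:1::6814:155 2400:cb00:2048:1::6814:55] : 5 occurrences Average RTT 298 ms
% blaeu-resolve --nameserver 9.9.9.9 --displayrtt --tls --old_measurement 14440420 www.ietf.org
[2400:cb00:2048:1::6814:155 2400:cb00:2048:1::6814:55] : 5 occurrences Average RTT 2806 ms
% blaeu-resolve --nameserver 1.1.1.1 --displayrtt --tls www.ietf.org
[TUCONNECT (may be a TLS negotiation error)] : 5 occurrences Average RTT 0 ms
% blaeu-resolve --nameserver 8.8.8.8 --displayrtt --tls www.ietf.org
[TIMEOUT] : 5 occurrences Average RTT 0 ms
"""

RESULT = re.compile(r"^\[(.*)\] : (\d+) occurrences Average RTT (\d+) ms$")

def classify(body):
    """Label a bracketed result (labels are this example's own, not blaeu's)."""
    for token, kind in (("TIMEOUT", "timeout"), ("TUCONNECT", "connect_or_tls")):
        if body.startswith(token):
            return kind
    try:  # an answer is a non-empty list of IP addresses
        return "answer" if [ipaddress.ip_address(t) for t in body.split()] else "other"
    except ValueError:
        return "other"

def parse_rows(text):
    """Yield (nameserver, used_tls, kind, probes, rtt_ms) for each result line."""
    ns = tls = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("% blaeu-resolve"):
            args = line.split()
            ns = args[args.index("--nameserver") + 1] if "--nameserver" in args else "default"
            tls = "--tls" in args
        elif ns and (m := RESULT.match(line)):
            yield ns, tls, classify(m[1]), int(m[2]), int(m[3])

def tls_report(text):
    """Per nameserver: DoT result kinds and probe-weighted mean RTT of answers."""
    rep = {}
    for ns, tls, kind, probes, rtt in parse_rows(text):
        e = rep.setdefault(ns, {"dot": set(), "plain": [0, 0], "tls": [0, 0]})
        e["dot"] |= {kind} if tls else set()
        if kind == "answer":  # failed runs report RTT 0, so they are excluded
            tot = e["tls" if tls else "plain"]
            tot[0], tot[1] = tot[0] + rtt * probes, tot[1] + probes
    mean = lambda t: t[0] / t[1] if t[1] else None
    return {ns: {"dot": sorted(e["dot"]), "plain_rtt": mean(e["plain"]),
                 "tls_rtt": mean(e["tls"])} for ns, e in rep.items()}
```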

