Hello, I have tried to implement DoT ... but the part about authenticating the certificate is not consistent. What the hell kind of certificate do I have to use with the port 853 TLS server? ???? The problem is: TLS needs a nameserver name to work correctly, while you need an IP number to start DNS translation.
On the other hand, DNSSEC prevents DNS forgery. So why don't you suggest a 2-step boot to a secure DNS?
(1) Obtain the domain you want to join, your IP and the IPs of the DNS servers: by hand for the paranoid ones, by DHCP, DHCPv6 or RA.
(2) Fetch dig -t txt _dns_over_tls_.domainname.tld. In case of third-level or deeper domains, first use _dns_over_tls_.xth_level. ... .2nd_level.tld, then shorten step by step until you reach _dns_over_tls_.2nd_level.tld or you find some text.
(3) Use the text as a list of the names of the secure DNS servers; obtain the IPs of the TLS DNS servers from the initial DNS configuration. All of them must be DNSSEC validated - including the existence or nonexistence of the records - by the client (not the server, which may be forged)!!
(4) Write the IP -> name pairs to the hosts file, i.e. implement an off-DNS name translation.
(5) Change the resolver configuration to the named DNS server with the TLS protocol ... which also means forgetting the primary DNS configuration.
(6) Now you can make a secure, regular, straightforward connection to the TLS DNS with regular certificate validation.
If you are connected to the right domain, you are connected to the right DNS server with no interception option in relation to the domain you have joined. The client software (browser/desktop operating system) must give feedback about which domain the system is connected to, to clarify that point, because this may be redirected somewhere else by interception of DHCP and its derivatives. Browsers must offer some option to change the "Domain of Trust" ... to avoid ISP-based government monitoring in obscure countries ;)
Hans Carlos Hofmann
--
*BCC:* datenkr...@nsa.gov, datenkr...@gchq.gov.uk, ....
As free, effective encryption software I recommend OpenPGP <https://www.openpgp.org/> + Enigmail <https://enigmail.net/index.php/en/>
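An added illustration of steps (2) to (4) of the proposal above (example code, not the poster's or any IETF implementation): the deepest-first walk of _dns_over_tls_ candidate names down to the second-level domain, refusal of any answer or denial the client could not DNSSEC-validate, and the IP -> name pairs for the hosts file. The in-memory resolver table and the TXT format (whitespace- or comma-separated host names) are assumptions the post does not specify.

```python
# Added example: candidate-name walk (step 2), validated TXT -> server list
# (step 3) and hosts-file pairs (step 4) of the proposed DoT bootstrap.
# The resolver is a constructed in-memory stand-in for a DNSSEC-validating
# client; the TXT format (space/comma separated names) is an assumption.
from typing import Dict, List, Optional, Tuple

PREFIX = "_dns_over_tls_"

# name -> (dnssec_validated, rdata); rdata None = proven nonexistent (NSEC/NSEC3)
ResolverTable = Dict[str, Tuple[bool, Optional[List[str]]]]


def candidate_names(domain: str) -> List[str]:
    """Names to query, deepest first, stopping at the second-level domain."""
    labels = [l for l in domain.lower().rstrip(".").split(".") if l]
    if len(labels) < 2:
        raise ValueError(f"{domain!r} has no second-level domain")
    return [f"{PREFIX}." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_dot_servers(domain: str, resolve: ResolverTable) -> List[str]:
    """Walk the candidates; every step must be validated, denials included."""
    for name in candidate_names(domain):
        if name not in resolve:
            raise LookupError(f"no validated answer or denial for {name}")
        validated, txt = resolve[name]
        if not validated:
            # A forged or unsigned answer must not be trusted at any level.
            raise ValueError(f"DNSSEC validation failed for {name}")
        if txt:
            servers: List[str] = []
            for chunk in txt:
                servers.extend(chunk.replace(",", " ").split())
            return servers
    return []  # proven absent all the way down: no DoT bootstrap for this domain


def hosts_file_lines(servers: List[str], addresses: ResolverTable) -> List[str]:
    """Step (4): IP -> name pairs for the hosts file, from validated A/AAAA data."""
    lines: List[str] = []
    for host in servers:
        validated, ips = addresses.get(host, (False, None))
        if not (validated and ips):
            raise ValueError(f"no validated address for {host}")
        lines.extend(f"{ip}\t{host}" for ip in ips)
    return lines
```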
_______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy