Re: DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-13 Thread Manish Rane
I completely agree with you and both are different.

However, I resolved the issue on my Ubuntu with the stubby daemon and am wondering
if anyone is aware of a similar service?
--
Thanks and Regards,
Manish R


On Mon, Jun 14, 2021 at 1:57 AM Tony Finch  wrote:

> Walter H. via bind-users  wrote:
> >
> > DOH/DOT is dead;
> >
> > use DNSSEC instead and no troubles;
>
> No.
>
> DNSSEC is about data integrity. It allows me to host my zones with a
> collection of semi-trusted third parties without having to worry about
> them changing my DNS records. It allows clients to be sure they got the
> correct data when querying my zones. But DNSSEC does not provide any
> confidentiality, and it doesn't protect the protocol parts of DNS packets
> such as the RCODE and the EDNS options.
>
> DoH and DoT are the opposite. They provide better confidentiality
> (network middleboxes can't see your queries) and better transport
> integrity (active attackers can't mess with things like EDNS options), but
> they don't authenticate the contents of DNS records.
>
> It is wrong to say that one is better than the other: they are orthogonal.
> It's good to deploy either of them, and better to deploy both.
>
> Tony.
> --
> f.anthony.n.finch  https://dotat.at/
> Viking, North Utsire: Southwesterly, veering westerly later, 4 to 6.
> Moderate, occasionally rough later. Rain, showers later. Good,
> occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-13 Thread Tony Finch
Walter H. via bind-users  wrote:
>
> DOH/DOT is dead;
>
> use DNSSEC instead and no troubles;

No.

DNSSEC is about data integrity. It allows me to host my zones with a
collection of semi-trusted third parties without having to worry about
them changing my DNS records. It allows clients to be sure they got the
correct data when querying my zones. But DNSSEC does not provide any
confidentiality, and it doesn't protect the protocol parts of DNS packets
such as the RCODE and the EDNS options.

DoH and DoT are the opposite. They provide better confidentiality
(network middleboxes can't see your queries) and better transport
integrity (active attackers can't mess with things like EDNS options), but
they don't authenticate the contents of DNS records.

It is wrong to say that one is better than the other: they are orthogonal.
It's good to deploy either of them, and better to deploy both.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Viking, North Utsire: Southwesterly, veering westerly later, 4 to 6.
Moderate, occasionally rough later. Rain, showers later. Good,
occasionally poor.
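To make the orthogonality above concrete, here is an added example (not from the thread or from BIND) that computes, with the standard library only, exactly which bytes of a DNS response an RRSIG covers under RFC 4034 section 3.1.8.1 and contrasts them with the wire header where RCODE and the EDNS indicator live. The sample response, its RRSIG fields and the IP addresses are constructed placeholders, not a real zone.

```python
import struct

def wire_name(name):
    # Canonical owner name: lowercased, uncompressed wire format (RFC 4034 s6.2)
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rrsig_signed_data(rrsig, rrset):
    # RFC 4034 s3.1.8.1: the signature covers the RRSIG RDATA minus the signature field,
    # followed by every RR of the RRset in canonical form (owner|type|class|original TTL|
    # rdlength|rdata), sorted by RDATA (s6.3). The message header, RCODE and OPT/EDNS are
    # not inputs, so a validator cannot notice changes to them.
    data = struct.pack("!HBBIIIH", rrsig["type_covered"], rrsig["algorithm"], rrsig["labels"],
                       rrsig["original_ttl"], rrsig["expiration"], rrsig["inception"], rrsig["key_tag"])
    data += wire_name(rrsig["signer"])
    for rdata in sorted(rrset["rdatas"]):
        rr = struct.pack("!HHIH", rrset["type"], 1, rrsig["original_ttl"], len(rdata)) + rdata
        data += wire_name(rrset["owner"]) + rr
    return data

def header_bytes(msg):
    # The 12-byte header as sent on the wire: QR, AA, AD flags and RCODE live here, outside any RRSIG;
    # only the TLS/HTTPS channel of DoT/DoH protects these bytes in transit.
    flags = 0x8000 | (0x0400 if msg["aa"] else 0) | (0x0020 if msg["ad"] else 0) | msg["rcode"]
    arcount = 1 if msg["edns"] else 0
    return struct.pack("!HHHHHH", msg["id"], flags, 1, len(msg["answer"]["rdatas"]) + 1, 0, arcount)

# Constructed sample response: a signed A RRset for www.example. (illustrative values, not a real zone)
SAMPLE = {
    "id": 0x1234, "aa": True, "ad": False, "rcode": 0, "edns": {"udp_size": 1232, "do": True},
    "answer": {"owner": "www.example.", "type": 1, "rdatas": [bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])]},
    "rrsig": {"type_covered": 1, "algorithm": 13, "labels": 2, "original_ttl": 3600, "expiration": 1625000000,
              "inception": 1623000000, "key_tag": 12345, "signer": "example."},
}

def compare(msg, **changes):
    # Report whether a modification to the message alters the bytes each mechanism actually checks
    altered = {**msg, **changes}
    return {
        "seen_by_dnssec": rrsig_signed_data(altered["rrsig"], altered["answer"])
                          != rrsig_signed_data(msg["rrsig"], msg["answer"]),
        "header_changed": header_bytes(altered) != header_bytes(msg),
    }
```

Setting `rcode=3` and dropping EDNS changes the header but not the signed data, while swapping one A record leaves the header alone and breaks the signature; reordering the RRset or changing the owner's case changes neither, because canonical form absorbs both.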



Re: DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-12 Thread Walter H. via bind-users

On 12.06.2021 14:24, Richard T.A. Neal wrote:

Manish – I haven’t done any experimenting with DOT, but there’s a 
guide for configuring DOH at the following page. It requires BIND 
9.17.10 or higher (DOH isn’t being backported to BIND 9.16): 
https://www.isc.org/blogs/doh-talkdns/

Walter – I’m not sure why you’d say DOH/DOT is dead and to instead use 
DNSSEC. DOH/DOT and DNSSEC are two completely different things meant 
for two completely different DNS functions – there is no overlap.

short explanation:

the requirement for using DOH is to allow HTTPS requests with a Host of 
just an IP, which you would rather block;

and for both DOT and DOH there are SSL certificates with an IP address in 
their SAN, which you would also rather reject;

and the overlap you don't see is the reason why one would use DOT or DOH;



RE: DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-12 Thread Richard T.A. Neal
Manish – I haven’t done any experimenting with DOT, but there’s a guide for 
configuring DOH at the following page. It requires BIND 9.17.10 or higher (DOH 
isn’t being backported to BIND 9.16): https://www.isc.org/blogs/doh-talkdns/

Walter – I’m not sure why you’d say DOH/DOT is dead and to instead use DNSSEC. 
DOH/DOT and DNSSEC are two completely different things meant for two completely 
different DNS functions – there is no overlap.

Best,

Richard.

From: bind-users  On Behalf Of Walter H. via 
bind-users
Sent: 12 June 2021 11:23 am
To: bind-users@lists.isc.org
Subject: Re: DOH or DOT Forwarder in BIND and is DOH GA?

On 12.06.2021 04:52, Manish Rane wrote:
Hi Team,

I am using BIND 9.11.3-1ubuntu1.12-Ubuntu version for my BIND and planning to 
use ISC PPA and use 9.16.16.

So my queries are

  1.  Is DOH/DOT officially supported now?
  2.  And how do I do DOH forwarding in my BIND configuration?

DOH/DOT is dead;

use DNSSEC instead and no troubles;


Re: DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-12 Thread Walter H. via bind-users

On 12.06.2021 04:52, Manish Rane wrote:

Hi Team,

I am using BIND 9.11.3-1ubuntu1.12-Ubuntu version for my BIND and 
planning to use ISC PPA and use 9.16.16.


So my queries are

 1. Is DOH/DOT officially supported now?
 2. And how do I do DOH forwarding in my BIND configuration?


DOH/DOT is dead;

use DNSSEC instead and no troubles;



DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-11 Thread Manish Rane
Hi Team,

I am using BIND 9.11.3-1ubuntu1.12-Ubuntu version for my BIND and planning
to use ISC PPA and use 9.16.16.

So my queries are

   1. Is DOH/DOT officially supported now?
   2. And how do I do DOH forwarding in my BIND configuration?