On 2019/10/31 10:18, Otto Moerbeek wrote:
> On Wed, Oct 30, 2019 at 08:51:00PM +0000, Stuart Henderson wrote:
>
> > - unwind doesn't have keepalives, so it's a new TCP session and TLS
> > handshake for every query, which can be bad in some cases (and could get
> > expensive with metered mobile data connections). for this reason it
> > would be helpful to have a way to disable it (though I suppose "block
> > out proto tcp to port 853" works at a pinch).
>
> unwind should cache though, can you observe that?

Yes, it does cache. (for "every query" I meant "every query sent to the forwarder")

> > - several of the public DNS providers do include their IP in the certificate
> > so they could be validated even when picking them up opportunistically.
> > though I suppose with unwind this doesn't make a lot of difference as
> > it's just going to fallback to cleartext if TLS fails.
>
> For any DoT mode the validity of the cert is checked, for OppDot the
> trust check is only: is the cert signed by a trusted CA. We do not
> know which DoT providers include a cert with an IP address, so we
> cannot force a check for that. Besides that, I could not get
> libunbound to accept an authentication IP like 9.9.9.9, only a name
> like "quad9.net".

Writing as a note to myself to check later when I have more time as much as anything, is there a hold-off on re-checking if there is a cert failure (or indeed if DoT port isn't answered), or does it re-check for every query sent upstream. Also are there excessive delays if port 853 packets are dropped rather than rejected.
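The thread leaves open which DoT forwarders put their IP address in the certificate, which is what would let an opportunistically discovered resolver be authenticated beyond "signed by a trusted CA". The following is an added example (not unwind or libunbound code, and not from the thread) that connects to a resolver on port 853 with the system trust store, then checks whether the connecting IP appears among the certificate's IP-address SANs; the SAMPLE_CERT dict is constructed, not a real provider's certificate.

```python
import ipaddress
import socket
import ssl

DOT_PORT = 853


def ip_sans(peercert):
    """IP-address subjectAltName entries from a dict shaped like
    ssl.SSLSocket.getpeercert() output."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "IP Address"]


def dns_sans(peercert):
    """DNS subjectAltName entries (what a name like "quad9.net" matches)."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def resolver_cert_covers_ip(peercert, ip):
    """True if the IP we connected to is listed in the cert's IP SANs.
    Compared as addresses, so IPv6 case/zero-compression differences do not matter."""
    want = ipaddress.ip_address(ip)
    for san in ip_sans(peercert):
        try:
            if ipaddress.ip_address(san) == want:
                return True
        except ValueError:  # malformed SAN string: ignore it
            continue
    return False


def fetch_peercert(ip, timeout=5.0):
    """TLS-connect to ip:853 verifying only the chain against the system CAs
    (the "signed by a trusted CA" check). Hostname matching is off because we
    only have an IP; CERT_REQUIRED stays on, otherwise getpeercert() is empty."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real resolver certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "dot.example.net"),),),
    "subjectAltName": (("DNS", "dot.example.net"),
                       ("IP Address", "192.0.2.53"),
                       ("IP Address", "2001:DB8::53")),
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    cert = fetch_peercert(target) if len(sys.argv) > 1 else SAMPLE_CERT
    print(target, "in IP SANs:", resolver_cert_covers_ip(cert, target), "DNS SANs:", dns_sans(cert))
```

Run with a resolver IP as the argument to test a live forwarder; a chain failure raises ssl.SSLCertVerificationError before any SAN check, and a dropped (rather than rejected) port 853 surfaces as the socket timeout.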