Discussion:
DoH plugin for BIND
Walter Peng
2020-04-29 02:29:32 UTC
Hi

Does BIND have a DoH plugin official?
Or is there any guide to customize that one?

Thank you.
Evan Hunt
2020-04-29 07:40:35 UTC
Post by Walter Peng
Does BIND have a DoH plugin official?
Or is there any guide to customize that one?
Not yet, but we plan to have a DoH implementation in named by the end of
this year.

In the meantime, there are DoH proxies that can run BIND as the back-end.
--
Evan Hunt -- ***@isc.org
Internet Systems Consortium, Inc.
Tony Finch
2020-04-29 13:16:40 UTC
Post by Walter Peng
Does BIND have a DoH plugin official?
Or is there any guide to customize that one?
You'll need to run a DoH proxy in front of BIND, for example
https://dnsdist.org/ - my DoH service uses
https://dotat.at/cgi/git/doh101.git

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
Fitzroy: West or southwest 6 to gale 8, perhaps severe gale 9 later. Rough or
very rough, occasionally high in north. Rain or thundery showers. Good,
occasionally poor.
Michael De Roover
2020-04-29 18:06:20 UTC
On that subject, how about DoT? I have mixed feelings about using 443 as
a kitchen sink port but encrypting DNS seems like a good idea.
Post by Evan Hunt
Post by Walter Peng
Does BIND have a DoH plugin official?
Or is there any guide to customize that one?
Not yet, but we plan to have a DoH implementation in named by the end of
this year.
In the meantime, there are DoH proxies that can run BIND as the back-end.
--
Met vriendelijke groet / Best regards,
Michael De Roover
Victoria Risk
2020-04-29 18:10:11 UTC
On that subject, how about DoT? I have mixed feelings about using 443 as a kitchen sink port but encrypting DNS seems like a good idea.
We are planning to have DoT on the same timeline as DOH, so nobody has to choose one or the other based on availability.
Post by Evan Hunt
Post by Walter Peng
Does BIND have a DoH plugin official?
Or is there any guide to customize that one?
Not yet, but we plan to have a DoH implementation in named by the end of
this year.
In the meantime, there are DoH proxies that can run BIND as the back-end.
--
Met vriendelijke groet / Best regards,
Michael De Roover
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
Victoria Risk
Product Manager
Internet Systems Consortium
***@isc.org
Tony Finch
2020-04-29 20:19:09 UTC
Post by Michael De Roover
On that subject, how about DoT?
DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:

http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48

Note that if you enable DoT on port 853 on your normal DNS resolvers then
Android devices will use it automatically. (I get a lot more DoT traffic
than DoH traffic!) So it's worth tuning timeouts to control the number of
concurrent TLS and TCP sessions on your server. Android's DoT client is
very well-behaved so the server-side configuration knobs work nicely. Use
BIND 9.11 or newer so you can support concurrent queries on one
connection. As well as the nginx timeouts you can see at the link above,
my named.conf has:

tcp-clients 1234;
tcp-idle-timeout 50; # 5 seconds
tcp-initial-timeout 25; # 2.5s minimum permitted
tcp-keepalive-timeout 50; # 5 seconds
tcp-advertised-timeout 50; # 5 seconds

The timeouts are short because they don't need to allow for much slowness
on our metropolitan-area fibre network. 5 seconds is based on my rough
eyeball assessment of when typical DoT connections are unlikely to be
re-used. The number of TCP clients is a guess.

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
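A way to exercise a DoT endpoint of the kind described above from the client side, added here as an example and not code from the thread, from BIND or from nginx: it pipelines several queries on one TLS connection (which is what the note about BIND 9.11 supporting concurrent queries on one connection makes useful) and matches the replies by message ID, so out-of-order answers are handled. The host name dot.example.net and the query names are placeholders; the framing and header parsing follow RFC 1035 and RFC 7858.

```python
"""
Added example (not from the thread): a minimal DNS-over-TLS probe that sends
several queries on one TLS connection before reading any reply, then pairs the
replies with the queries by message ID. Useful for checking that a TLS proxy in
front of BIND really passes pipelined queries through and that the server's
idle timeout does not cut the connection before every answer has arrived.
"""
import socket
import ssl
import struct
import secrets
from typing import Dict, List, Optional, Set, Tuple


def build_query(qname: str, qtype: int = 1, msg_id: Optional[int] = None) -> bytes:
    """Build a DNS query (RFC 1035 wire format): header with RD set plus one question."""
    if msg_id is None:
        msg_id = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        enc = label.encode("ascii")
        if not 0 < len(enc) < 64:
            raise ValueError("bad label length in %r" % qname)
        question += bytes([len(enc)]) + enc
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root terminator, QTYPE, QCLASS IN
    return header + question


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length, as TCP and DoT require."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a stream buffer into complete DNS messages; return (messages, leftover bytes)."""
    msgs: List[bytes] = []
    while len(buf) >= 2:
        (length,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + length:
            break  # the rest of this message has not arrived yet
        msgs.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return msgs, buf


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into id, QR bit, RCODE and section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": (flags >> 15) & 1, "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def match_replies(sent_ids: Set[int], buf: bytes) -> Tuple[Dict[int, Dict[str, int]], bytes]:
    """Pair the complete responses in buf with the IDs we sent; anything else is dropped."""
    msgs, leftover = unframe(buf)
    matched: Dict[int, Dict[str, int]] = {}
    for m in msgs:
        hdr = parse_header(m)
        if hdr["qr"] == 1 and hdr["id"] in sent_ids:
            matched[hdr["id"]] = hdr
    return matched, leftover


def dot_probe(host: str, names: List[str], port: int = 853,
              timeout: float = 5.0) -> Dict[int, Dict[str, int]]:
    """Send every query on one TLS connection before reading, then collect replies by ID."""
    ctx = ssl.create_default_context()  # verifies the server certificate against system CAs
    ids: List[int] = []
    while len(ids) < len(names):  # distinct IDs so each reply maps to exactly one query
        cand = secrets.randbelow(65536)
        if cand not in ids:
            ids.append(cand)
    queries = [build_query(n, msg_id=i) for n, i in zip(names, ids)]
    sent_ids = set(ids)
    got: Dict[int, Dict[str, int]] = {}
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"".join(frame(q) for q in queries))  # pipelined, no waiting
            while len(got) < len(sent_ids):
                chunk = tls.recv(4096)
                if not chunk:
                    break  # server closed (e.g. idle timeout) before answering everything
                buf += chunk
                found, buf = match_replies(sent_ids, buf)
                got.update(found)
    return got


if __name__ == "__main__":
    # Hypothetical endpoint; replace with your own DoT proxy's host name.
    replies = dot_probe("dot.example.net", ["example.com", "example.org"])
    for msg_id, hdr in replies.items():
        print(f"id={msg_id:#06x} rcode={hdr['rcode']} answers={hdr['ancount']}")
```

If the returned dict has fewer entries than queries sent, the server closed the connection early or dropped a pipelined query, which is the first thing to compare against the tcp-idle-timeout and proxy timeout settings discussed above.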
Evan Hunt
2020-04-30 00:00:12 UTC
On that subject, how about DoT? I have mixed feelings about using 443 as a
kitchen sink port but encrypting DNS seems like a good idea.
Native support by the end of the year, same as DoH. Also, there's a
sample configuration for an nginx proxy in the BIND source tree under
contrib/dnspriv that you can use now, if you wish.
--
Evan Hunt -- ***@isc.org
Internet Systems Consortium, Inc.
Michael De Roover
2020-04-30 12:45:42 UTC
Thanks a lot for the detailed reply. That should be pretty
straightforward to set up then, as I'm already using nginx for some
other things and Debian appears to be using BIND 9.11.5 now. Until BIND
gets native DoT/DoH support I'll probably run it behind nginx as well then.
Post by Tony Finch
Post by Michael De Roover
On that subject, how about DoT?
DoT is easier since you only need a raw TLS reverse proxy, and there are
http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
Note that if you enable DoT on port 853 on your normal DNS resolvers then
Android devices will use it automatically. (I get a lot more DoT traffic
than DoH traffic!) So it's worth tuning timeouts to control the number of
concurrent TLS and TCP sessions on your server. Android's DoT client is
very well-behaved so the server-side configuration knobs work nicely. Use
BIND 9.11 or newer so you can support concurrent queries on one
connection. As well as the nginx timeouts you can see at the link above,
tcp-clients 1234;
tcp-idle-timeout 50; # 5 seconds
tcp-initial-timeout 25; # 2.5s minimum permitted
tcp-keepalive-timeout 50; # 5 seconds
tcp-advertised-timeout 50; # 5 seconds
The timeouts are short because they don't need to allow for much slowness
on our metropolitan-area fibre network. 5 seconds is based on my rough
eyeball assessment of when typical DoT connections are unlikely to be
re-used. The number of TCP clients is a guess.
Tony.
--
Met vriendelijke groet / Best regards,
Michael De Roover
@lbutlr
2020-05-01 21:51:15 UTC
Post by Tony Finch
DoT is easier since you only need a raw TLS reverse proxy, and there are
DOH is better because it cannot be blocked without blocking all https traffic.

(FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).

All that is needed to subvert DoT is to block port 853.

If DoT takes off, I expect all US ISPs to block port 853 universally. There’s nothing they can do about DoH.

Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies is “discouraged” but not prevented, most obviously.
--
'You're your own worst enemy, Rincewind,' said the sword. Rincewind
looked up at the grinning men. 'Bet?' --Colour of Magic
Michael De Roover
2020-05-02 07:00:41 UTC
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it.. not exactly fine
but at least their right to do so. That's their decision to make. The
problem is that if they want to block DoH too, they'd more or less have
to break HTTPS altogether. And at that point, I'd expect them already
more than willing to do so.

As far as content blocking goes, currently DNS is used for that too. In
my country that is mainly Torrent sites, which are illegal. In
workplaces it'd be for websites employees aren't allowed to visit at
work. Most users use their ISP's / workplace's DNS servers and thus a
simple DNS block ended up being fine. If that wasn't the case, more
invasive methods would've been necessary. DNS blocking is easy to bypass
but not many people do it. Personally I'd much rather keep technology
away from policy. Encrypting DNS is important and both methods are fine
for their own reasons, but policy is something that ISP's and workplaces
will enforce regardless. Making this harder with technology could very
well have adverse effects in the long run.
Post by @lbutlr
Post by Tony Finch
DoT is easier since you only need a raw TLS reverse proxy, and there are
DOH is better because it cannot be blocked without blocking all https traffic.
(FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).
All that is needed to subvert DoT is to block port 853.
If DoT takes off, I expect all US ISPs to block port 853 universally. There’s nothing they can do about DoH.
Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies is “discouraged” but not prevented, most obviously.
--
Met vriendelijke groet / Best regards,
Michael De Roover
Reindl Harald
2020-05-02 07:28:54 UTC
Post by Michael De Roover
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it.. not exactly fine
but at least their right to do so. That's their decision to make.
seriously?

that seems to be some US attitude, no wonder what happens there with
user attitudes like "but at least their right to do so"

the ISP by definition has exactly one right: get money for his service
which is described as "route and transfer every package, don't look at
it, don't mangle it, you have no business about the content of my traffic"
Michael De Roover
2020-05-02 07:35:24 UTC
I don't live in the US myself, but from what I've heard it's actually
among the least censored countries out there at the DNS level. Again, I
don't consider it right to block content, at least if said content
doesn't break local laws. If anything I'd like to actually retain my
ability to bypass DNS blocks by simply changing my DNS server to a more
favorable one. With DoH that would likely become much harder. Not to
mention that HTTPS isn't the holy grail for bypassing that either. The
Facebooks and Googles out there use HSTS to mitigate TLS stripping but
that requires a list to be hardcoded in every web browser that supports
it. It doesn't scale up at all. At that point we might as well go back
to hosts files.
Post by Reindl Harald
Post by Michael De Roover
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it.. not exactly fine
but at least their right to do so. That's their decision to make.
seriously?
that seems to be some US attitude, no wonder what happens there with
user attitudes like "but at least their right to do so"
the ISP by definition has exactly one right: get money for his service
which is described as "route and transfer every package, don't look at
it, don't mangle it, you have no business about the content of my traffic"
--
Met vriendelijke groet / Best regards,
Michael De Roover
Paul Kosinski
2020-05-02 13:30:32 UTC
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.


On Sat, 2 May 2020 09:28:54 +0200
Post by Reindl Harald
Post by Michael De Roover
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it.. not exactly fine
but at least their right to do so. That's their decision to make.
seriously?
that seems to be some US attitude, no wonder what happens there with
user attitudes like "but at least their right to do so"
the ISP by definition has exactly one right: get money for his service
which is described as "route and transfer every package, don't look at
it, don't mangle it, you have no business about the content of my traffic"
Reindl Harald
2020-05-02 13:38:22 UTC
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.
that can be easily answered by just looking at your inbound MX and the
amount of dul.dnsbl.sorbs.net and pbl.spamhaus.org hits

until the large botnet was killed a few months ago this was the majority of
*all* mail traffic, which wouldn't have been possible all these years by
your conclusion

-------------------------

current month blocked at postscreen level:

[***@mail-gw:~]$ cat maillog | grep spamhaus.org | grep -P "127.0.0.(10|11)" | wc -l
1148

until this year it was 10 times more

-------------------------

delivered: 1371
blocked by contentfilter: 134
honeypot hits: 5206
Post by Paul Kosinski
On Sat, 2 May 2020 09:28:54 +0200
Post by Reindl Harald
Post by Michael De Roover
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it.. not exactly fine
but at least their right to do so. That's their decision to make.
seriously?
that seems to be some US attitude, no wonder what happens there with
user attitudes like "but at least their right to do so"
the ISP by definition has exactly one right: get money for his service
which is described as "route and transfer every package, don't look at
it, don't mangle it, you have no business about the content of my traffic"
Michael De Roover
2020-05-02 13:41:17 UTC
In my experience and from what I've heard, very few. Even if your ISP
allows it, chances are that other mail servers will reject it, since
residential areas aren't really suited for and aren't generally used for
long-term mail servers. I would recommend against running your mail
server (directly) on your home connection. Here I rent 3 VPS's as pretty
much edge servers and connect my mail, web, Gitea and other servers from
there (possibly my DoT service as well since almost everything is
already reverse proxied with nginx from there). VPN connections are made
from all of those local servers to there but it's far from ideal (70
servers x 3 VPN connections each and you've got 210 total.. and that's
where I more or less screwed up). Nowadays I'd rather consider either
making my VPS's connect to my home, or make a single server be the
gateway at home that makes VPN connections to those VPS's instead.
Probably the latter since home connections have dynamic IP's too.. that
complicates things a bit.
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.
--
Met vriendelijke groet / Best regards,
Michael De Roover
Reindl Harald
2020-05-02 13:51:58 UTC
Post by Michael De Roover
In my experience and from what I've heard, very few.
if that were true, how come most mail clients still default to
25 for submission, and years after closing port 25 on our mailserver I
still struggle with customers' smartphones still not using 587?

in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
there is no point in using it from a home machine, and at that time we
struggled also to explain to our customers that 25 is plain wrong

finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't I send email
with my internet connection"
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will reject it
that's a completl different story
Post by Michael De Roover
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25
Michael De Roover
2020-05-02 14:08:25 UTC
To put it very simply, I consider myself very lucky that I have control
over every mail client that interfaces with my mail server. Most of them
are well-behaved and use 587 for submission. My mail server has also
disabled it on port 25 to reduce spam. Port 587 on my mail server is
also only visible within my VPN's to allow submission only within. That
is an edge case and a privilege since all the mail clients are local. If
your mail clients go outside your network or VPN's, that's when you'll
need to either expose 587 to the internet or allow it on 25, with all
those related issues.

Submission on port 25 is something I disabled on my mail server since it
reduces the amount of spamhausen that try to submit email to my mail
server, assuming that it's an open relay. It's purely traffic- and
load-related. The reason why residential ISP's disallow it - to my
knowledge which is admittedly limited - is because few postmasters
consider the limitations that are applied to residential connections in
general endurable. That includes dynamic IP's, down-/upload ratio,
blocked ports, lack of SLA, and many other things.

As far as the "completl different story" goes, it's part of a whole.
Good luck getting deliverability to other mail servers from a
residential range even if the ISP itself allows it. Mail servers are an
inherently reputation-driven thing. Reputation of your sender IP
addresses to be precise. Is it good? No, email sucks. If you can get
away with not running a mail server, don't run one. They suck so much.
But if you do, a home IP is not where you'll want to start regardless.
Get a VPS if anything.
Post by Reindl Harald
Post by Michael De Roover
In my experience and from what I've heard, very few.
if that were true, how come most mail clients still default to
25 for submission, and years after closing port 25 on our mailserver I
still struggle with customers' smartphones still not using 587?
in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
there is no point in using it from a home machine, and at that time we
struggled also to explain to our customers that 25 is plain wrong
finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't I send email
with my internet connection"
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will reject it
that's a completl different story
Post by Michael De Roover
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25
--
Met vriendelijke groet / Best regards,
Michael De Roover
Paul Kosinski
2020-05-02 14:39:00 UTC
I wasn't complaining about port 25, I was just citing it as a
counterexample to the claim that ISPs "must" pass all traffic.

I think that most ISPs tell customers how to set up their email clients
(NUAs) including what port to use. Of course it seems that now most
people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
so they never see port numbers.


On Sat, 2 May 2020 15:51:58 +0200
Post by Reindl Harald
Post by Michael De Roover
In my experience and from what I've heard, very few.
if that were true, how come most mail clients still default to
25 for submission, and years after closing port 25 on our mailserver I
still struggle with customers' smartphones still not using 587?
in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
there is no point in using it from a home machine, and at that time we
struggled also to explain to our customers that 25 is plain wrong
finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't I send email
with my internet connection"
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will reject it
that's a completl different story
Post by Michael De Roover
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25
Reindl Harald
2020-05-02 15:03:00 UTC
Post by Paul Kosinski
I wasn't complaining about port 25, I was just citing it as a
counterexample to the claim that ISPs "must" pass all traffic.
https://en.wikipedia.org/wiki/Net_neutrality
Post by Paul Kosinski
I think that most ISPs tell customers how to set up their email clients
(NUAs) including what port to use. Of course it seems that now most
people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
so they never see port numbers.
On Sat, 2 May 2020 15:51:58 +0200
Post by Reindl Harald
Post by Michael De Roover
In my experience and from what I've heard, very few.
if that were true, how come most mail clients still default to
25 for submission, and years after closing port 25 on our mailserver I
still struggle with customers' smartphones still not using 587?
in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
there is no point in using it from a home machine, and at that time we
struggled also to explain to our customers that 25 is plain wrong
finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't I send email
with my internet connection"
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will reject it
that's a completl different story
Post by Michael De Roover
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25
Michael De Roover
2020-05-02 15:11:44 UTC
I'm sure that most of the list members here are aware of how net
neutrality and the internet in general works - we're internet operators
after all. What we're here for is ports and protocols, not policy or
internet culture. On that subject, we are not policy makers. Let's leave
that to politicians who studied for it. Vote some technical people in
government while we're at it, but I digress.

The DoT/DoH argument or what a mail server could be operated from is not
one of policy.. well maybe mail servers are, to some extent. Perhaps
there's some ISP employees here too. Those are in power to allow or
disallow things on their network. But DoT/DoH certainly isn't. What are
we supposed to worry about? How do we implement this new encrypted DNS.
Do we piggyback off an existing port and rely on its ubiquitous
allowance on the internet or do we create a new port for it, where we
can make a dedicated new protocol suite?
Post by Reindl Harald
Post by Paul Kosinski
I wasn't complaining about port 25, I was just citing it as a
counterexample to the claim that ISPs "must" pass all traffic.
https://en.wikipedia.org/wiki/Net_neutrality
Post by Paul Kosinski
I think that most ISPs tell customers how to set up their email clients
(NUAs) including what port to use. Of course it seems that now most
people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
so they never see port numbers.
On Sat, 2 May 2020 15:51:58 +0200
Post by Reindl Harald
Post by Michael De Roover
In my experience and from what I've heard, very few.
if that were true, how come most mail clients still default to
25 for submission, and years after closing port 25 on our mailserver I
still struggle with customers' smartphones still not using 587?
in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
there is no point in using it from a home machine, and at that time we
struggled also to explain to our customers that 25 is plain wrong
finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't I send email
with my internet connection"
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will reject it
that's a completl different story
Post by Michael De Roover
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25
--
Met vriendelijke groet / Best regards,
Michael De Roover
Brett Delmage
2020-05-02 16:16:04 UTC
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.
Mine does. It's a major Canadian independent ISP. They allow servers too.
I run postfix and secondary DNS (bind) and apache servers on my static-IP
residential line. I could even order a netblock again if I want to.

My monthly rate is the same or lower than big telecom's offerings..
Sten Carlsen
2020-05-02 16:17:16 UTC
About mail servers from residential IPs. I have done that for a number of years, very rarely any issue.

The major problem was that at one time MS required a reverse lookup for the actual mail server name. That was then fixed by the ISP and all works again.
In my part of the world it is very bad taste for an ISP to block anything, it's not their business.
--
Best regards
Sten Carlsen


For every problem, there is a solution that
is simple, elegant, and wrong.
HL Mencken
I'm sure that most of the list members here are aware of how net neutrality and the internet in general works - we're internet operators after all. What we're here for is ports and protocols, not policy or internet culture. On that subject, we are not policy makers. Let's leave that to politicians who studied for it. Vote some technical people in government while we're at it, but I digress.
The DoT/DoH argument or what a mail server could be operated from is not one of policy.. well maybe mail servers are, to some extent. Perhaps there's some ISP employees here too. Those are in power to allow or disallow things on their network. But DoT/DoH certainly isn't. What are we supposed to worry about? How do we implement this new encrypted DNS. Do we piggyback off an existing port and rely on its ubiquitous allowance on the internet or do we create a new port for it, where we can make a dedicated new protocol suite?
Post by Reindl Harald
Post by Paul Kosinski
I wasn't complaining about port 25, I was just citing it as a
counterexample to the claim that ISPs "must" pass all traffic.
https://en.wikipedia.org/wiki/Net_neutrality
Post by Paul Kosinski
I think that most ISPs tell customers how to set up their email clients
(NUAs) including what port to use. Of course it seems that now most
people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity)
so they never see port numbers.
On Sat, 2 May 2020 15:51:58 +0200
Post by Reindl Harald
Post by Michael De Roover
In my experience and from what I've heard, very few.
if that were true, how come most mail clients still default to
25 for submission, and years after closing port 25 on our mailserver I
still struggle with customers' smartphones still not using 587?
in fact 10 years ago some ISPs *tried* to kill outbound port 25 because
there is no point in using it from a home machine, and at that time we
struggled also to explain to our customers that 25 is plain wrong
finally they gave up because the damage of open port 25 is killed with
dnsbl but the customer support went crazy with "why can't I send email
with my internet connection"
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will reject it
that's a completl different story
Post by Michael De Roover
Post by Paul Kosinski
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25
--
Met vriendelijke groet / Best regards,
Michael De Roover
Brett Delmage
2020-05-02 16:25:34 UTC
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will
reject it
Nope, not always.

My residential-class static IP mail server has never had problems
delivering mail. I've checked it many times over the years on many
blacklist checkers and never had anything but green lights.

Of course I have met all the email best practices for years: SPF, DKIM,
reverse pointer, etc.

Even though email is not secure, I still feel better knowing that emails
end up in MY server via opportunistic TLS transport, and not in some
Yahoo's or surveillance capitalist's data store.

Underlying all this are my own DNSSEC-enabled BIND servers, of course.
John Levine
2020-05-02 16:57:17 UTC
Post by Brett Delmage
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will
reject it ...
My residential-class static IP mail server has never had problems
delivering mail. I've checked it many times over the years on many
blacklist checkers and never had anything but green lights.
Your ISP is quite unusual. Count your blessings. The large cable
providers in the US and Canada block outgoing port 25 on residential
networks.

To whoever said that MUAs still default to port 25 submission, you
must use different MUAs from the rest of us. All the ones I use
default to 587 and 465.

R's,
John

PS: What does this have to do with BIND?
Michael De Roover
2020-05-02 16:32:42 UTC
Interesting, I wasn't aware of that. Until now I subscribed to the whole
business-only IP idea the whole time. I never thought that ISP's or
other mail servers would allow this (though granted, mine doesn't
discriminate either). Meanwhile Microsoft still blocks one of my sender
IP's (e3.nixmagic.com which was the last one to enter the set of edge
servers). Maybe phasing out my edge servers wouldn't be a bad idea then,
at least in the long run. My ISP doesn't change the IP address for my
residential connection as long as I don't reboot my router anyway.
Assuming that I check whether my ISP allows 25 in- and outbound first,
that could work.
Post by Brett Delmage
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will
reject it
Nope, not always.
My residential-class static IP mail server has never had problems
delivering mail. I've checked it many times over the years on many
blacklist checkers and never had anything but green lights.
Of course I have met all the email best practices for years: SPF,
DKIM, reverse pointer, etc.
Even though email is not secure, I still feel better knowing that
emails end up in MY server via opportunistic TLS transport, and not in
some Yahoo's or surveillance capitalist's data store.
Underlying all this are my own DNSSEC-enabled BIND servers, of course.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
--
Met vriendelijke groet / Best regards,
Michael De Roover
Erich Eckner
2020-05-02 18:23:59 UTC
Permalink
Hi,

I assume the (on-topic) discussion so far was about the serving part of
bind. (Correct me if I'm wrong.)

Will there be client-side DoT/DoH support in bind, too? E.g. will my
recursive (or forwarding) resolver be able to resolve upstream dns via
those? I don't see how I could use a reverse proxy or stunnel to achieve
this currently (assuming the authoritative dns server supports DoT
and/or DoH, of course), because I would need one stunnel per upstream dns
server, which I do not know in advance - right?

regards,
Erich
Post by John Levine
Post by Brett Delmage
Post by Michael De Roover
Even if your ISP allows it, chances are that other mail servers will
reject it ...
My residential-class static IP mail server has never had problems
delivering mail. I've checked it many times over the years on many
blacklist checkers and never had anything but green lights.
Your ISP is quite unusual. Count your blessings. The large cable
providers in the US and Canada block outgoing port 25 on residential
networks.
To whoever said that MUAs still default to port 25 submission, you
must use different MUAs from the rest of us. All the ones I use
default to 587 and 465.
R's,
John
PS: What does this have to do with BIND?
Chuck Aurora
2020-05-02 18:38:35 UTC
Permalink
Post by Michael De Roover
Interesting, I wasn't aware of that. Until now I subscribed to the
whole business-only IP idea the whole time. I never thought that ISPs
or other mail servers would allow this (though granted, mine doesn't
discriminate either). Meanwhile Microsoft still blocks one of my
sender IPs (e3.nixmagic.com, which was the last one to enter the set
of edge servers). Maybe phasing out my edge servers wouldn't be a bad
[ Reply-To: set because we're veering even further off topic ]

You might be surprised to hear this, but it's worth your time to talk
to Microsoft about that. I have found numerous times over several
years that Microsoft's postmaster desk is staffed by real humans who
respond in a timely manner, and better yet: they seem to be truly
interested in helping their users communicate via email.
Post by Michael De Roover
idea then, at least in the long run. My ISP doesn't change the IP
address for my residential connection as long as I don't reboot my
router anyway. Assuming that I check whether my ISP allows 25 in- and
outbound first, that could work.
Chuck Aurora
2020-05-02 19:31:28 UTC
Permalink
Post by Erich Eckner
Will there be client-side DoT/DoH support in bind, too? E.g. will my
recursive (or forwarding) resolver be able to resolve upstream dns via
Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered DoT/DoH,
and I don't think that's likely to happen.

Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.

I can't speak for ISC about their DoT/DoH intentions, but I would
expect they'll do it both as server and as client (of a forwarder.)

Note that DoT/DoH typically only encrypts the enduser-to-resolver hop,
beyond which it's just standard unencrypted DNS. Of course named as
DoT/DoH client could encrypt the hop to a forwarder, but again, just
standard DNS is used beyond that point.
Post by Erich Eckner
those? I don't see, how I could use a reverse proxy or stunnel to
achieve this, currently (assuming, the authoritative dns server
supports DoT and/or DoH, of course),
If this is so, there's still, to my knowledge, no protocol for it.
How would a nameserver know which NS hosts to send DoH/DoT queries
to? DNS needs to be fast, and DoH/DoT upstream could create very
significant lag.
Post by Erich Eckner
because I would need one stunnel
per upstream dns server which I do not know in advance - right?
Right.

I guess the DoH/DoT thing came about as a means of dealing with (or
bypassing) nosy and greedy and dishonest ISPs. But then you're giving
all your queries to an upstream forwarder. Are you sure they are
more trustworthy? :)

What I wonder, at the possible cost of thread hijacking (sorry!), is:
are any ISPs actively sniffing their customers' iterative queries? It
certainly is possible, but I expect it would be too much work.

I do know that an ISP of which I was formerly (!) a customer would
sometimes redirect my DNS traffic to their own recursive resolvers.
Since I was running my own nameserver all I could get during those
times were tons of "lame server" logs and DNSSEC failures.

If this is the case for you, I'd suggest doing as I did: vote with
your feet; give your money to a better ISP.

If your home/office network is secure from hostile users which can
sniff traffic, DoH/DoT offers you nothing at all on that hop.
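As an added illustration of the "encrypted upstream means a forwarder" point (this is not part of Chuck's post, nor taken from BIND or stunnel documentation): a named.conf fragment that hands every query over TCP to a local stunnel, which wraps it in TLS towards one fixed DoT forwarder. The 192.0.2.53 address, the dot.example.net name and the file paths are placeholders; it works only because the forwarder's address is known in advance, which is exactly what is missing for arbitrary authoritative servers.

```conf
# --- /etc/named.conf (BIND side) ---
# Send everything to the local stunnel listener. stunnel only carries TCP,
# so the server clause forces TCP towards 127.0.0.1; DNS-over-TLS uses the
# same two-byte length-prefixed messages as plain DNS-over-TCP (RFC 7858),
# so a generic TLS wrapper is enough.
options {
    recursion yes;
    forward only;                          # never iterate ourselves
    forwarders { 127.0.0.1 port 8053; };   # the stunnel "accept" address below
};
server 127.0.0.1 { tcp-only yes; };

# --- /etc/stunnel/dot-upstream.conf (stunnel side) ---
# Client-mode tunnel: plaintext DNS in on 8053, TLS out to port 853.
[dot-upstream]
client = yes
accept = 127.0.0.1:8053
connect = 192.0.2.53:853                 # placeholder: the forwarder's DoT address
verifyChain = yes                        # refuse the tunnel on an unverifiable chain
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = dot.example.net              # placeholder: name on the forwarder's cert
```

Only the hop to 192.0.2.53 is encrypted; that forwarder still performs its own iterative queries in the clear, so the trust question Chuck raises simply moves to whoever runs it.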
Reindl Harald
2020-05-02 19:35:07 UTC
Permalink
Post by Chuck Aurora
Post by Erich Eckner
Will there be client-side DoT/DoH support in bind, too? E.g. will my
recursive (or forwarding) resolver be able to resolve upstream dns via
Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered DoT/DoH,
and I don't think that's likely to happen.
Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.
says who?

https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians
Noel Butler
2020-05-02 23:42:44 UTC
Permalink
Don't waste your time trying to argue with that troll.

google his name, he's well banned on many lists, he was moderated on
this list as well, seems he's changed his user@ to get around it. He's
been quiet for a while thought he learned his lesson, but leopards never
change their spots.
I'm sure that most of the list members here are aware of how net neutrality and the internet in general works - we're internet operators after all. What we're here for is ports and protocols, not policy or internet culture. On that subject, we are not policy makers. Let's leave that to politicians who studied for it. Vote some technical people in government while we're at it, but I digress.
The DoT/DoH argument or what a mail server could be operated from is not one of policy... well, maybe mail servers are, to some extent. Perhaps there's some ISP employees here too. Those are in power to allow or disallow things on their network. But DoT/DoH certainly isn't. What are we supposed to worry about? How do we implement this new encrypted DNS? Do we piggyback off an existing port and rely on its ubiquitous allowance on the internet, or do we create a new port for it, where we can make a dedicated new protocol suite?
--
Kind Regards,

Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate any part of
this message without the authors express written authority to do so. If
you are not the intended recipient, please notify the sender then delete
all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
Noel Butler
2020-05-02 23:59:59 UTC
Permalink
Post by Sten Carlsen
About mail servers from residential IPs. I have done that for a number of years, very rarely any issue.
Most SPs do this.
Post by Sten Carlsen
The major problem was that at one time MS required a reverse lookup for the actual mail server name.
Many SPs still do this, some take it the extra mile and block anything
with things like cpe/dsl/cable/hfc/dyn/ppp... etc
in the hostname. We still do it, have done for over 20 years and seen no
collateral damage.
Post by Sten Carlsen
.
In my part of the world it is very bad taste for an ISP to block anything, it's not their business.
Ordinarily, I agree, but the overall security and protection of the
network must come first, the protection of the majority must come first.
Then there's the law: in Australia we are required, as part of the
outcome of the iinet V hollywood case, to block pirate sites. 99% do this by
DNS, the Federal court accepts this method, the Federal court knows it
can be avoided by most 8yos in under 10 seconds, it's the sweet spot
everybody agreed to so they approved it.

There are also other laws that require its use as well. That said, we
don't block any ports and have no intention of doing so.

That said, DoH is fairly pointless here because there is no requirement
to log DNS queries, most of us have far better things to do than to know
who's going where, none that I know do it, though there is a question of
Telstra mobile

Let's face it, if we really want to know who's going where, netflow tells
us a whole lot more anyway.
--
Kind Regards,

Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate any part of
this message without the authors express written authority to do so. If
you are not the intended recipient, please notify the sender then delete
all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
Sten Carlsen
2020-05-03 02:11:14 UTC
Permalink
Post by Noel Butler
Post by Sten Carlsen
About mail servers from residential IPs. I have done that for a
number of years, very rarely any issue.
Most SPs do this.
Post by Sten Carlsen
The major problem was that at one time MS required a reverse lookup
for the actual mail server name.
Many SPs still do this, some take it the extra mile and block
anything with things like cpe/dsl/cable/hfc/dyn/ppp... etc
in the hostname. We still do it, have done for over 20 years and seen
no collateral damage.
Post by Sten Carlsen
.
In my part of the world it is very bad taste for an ISP to block
anything, it's not their business.
Ordinarily, I agree, but the overall security and protection of the
network must come first, the protection of the majority must come
first. Then there's the law: in Australia we are required, as part of
the outcome of the iinet V hollywood case, to block pirate sites. 99% do
this by DNS, the Federal court accepts this method, the Federal court
knows it can be avoided by most 8yos in under 10 seconds, it's the
sweet spot everybody agreed to so they approved it.
There are also other laws that require its use as well. That said, we
don't block any ports and have no intention of doing so.
That said, DoH is fairly pointless here because there is no
requirement to log DNS queries, most of us have far better things to
do than to know who's going where, none that I know do it, though
there is a question of Telstra mobile.
Let's face it, if we really want to know who's going where, netflow
tells us a whole lot more anyway.
I agree, if you really want to be anonymous the only way I know is TOR.
Maybe there should be a way to get DNS through TOR?
Post by Noel Butler
--
Kind Regards,
Noel Butler
This Email, including attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate any part of
this message without the authors express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"
Reindl Harald
2020-05-03 05:13:22 UTC
Permalink
Post by Noel Butler
Don't waste your time trying to argue with that troll.
given that you *never* had to say anything useful on *any* mailing list
and only creep out of your hole when you hear my name to fire your
personal vendetta what about stay in your hole?
Noel Butler
2020-05-03 23:58:23 UTC
Permalink
Don't flatter yourself, troll. I've always been active on a number of
lists, but as I do have a life, I may not comment on every single thread
on every list.

Like I told you before, stop being a f'wit and I'll have no reason to
warn anyone of how caustic you will get towards them, and we'll also
have no reason to list your netblock on RBL.

No need to reply, just let it sink in, but since it's failed to in over 5
years, I don't expect miracles.
Post by Reindl Harald
Post by Noel Butler
Don't waste your time trying to argue with that troll.
given that you *never* had to say anything useful on *any* mailing list
and only creep out of your hole when you hear my name to fire your
personal vendetta what about stay in your hole?
--
Kind Regards,

Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate any part of
this message without the authors express written authority to do so. If
you are not the intended recipient, please notify the sender then delete
all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
Tony Finch
2020-05-04 11:58:12 UTC
Permalink
Will there be client-side DoT/DoH support in bind, too? E.g. will my recursive
(or forwarding) resolver be able to resolve upstream dns via those?
At the moment the specifications are not yet done for encrypted DNS
between recursive and authoritative servers. It's very difficult to signal
in a DNS delegation that an authoritative server supports encryption, in a
way that is reasonably fast and secure. And it's even harder to make
changes to EPP, or to persuade registrars to support anything new.

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
North Fitzroy, Sole: Easterly 6 to gale 8, occasionally severe gale 9 in Sole,
becoming cyclonic 4 to 6. Moderate or rough, occasionally very rough in Sole.
Rain or thundery showers, fog patches. Moderate, occasionally very poor.
Chuck Aurora
2020-05-05 16:20:10 UTC
Permalink
Post by Reindl Harald
Post by Chuck Aurora
Post by Erich Eckner
Will there be client-side DoT/DoH support in bind, too? E.g. will my
recursive (or forwarding) resolver be able to resolve upstream dns
via
Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered
DoT/DoH,
and I don't think that's likely to happen.
Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.
says who?
https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians
Thanks for the reply, but FWIW, I don't have a clue what point you
intended to make? I looked at that CIRA page twice, and it is simply
a DoH/DoT forwarder. Absolutely nothing in that release mentions any
change in DNS protocol.

DoH/DoT covers only one hop: the end user to the recursive resolver.
Beyond that one hop is good old-fashioned unencrypted DNS. By using
DoH/DoT, whether in your own stub resolver or in a [future] BIND, you
are using that DoH/DoT server as your forwarder.

(Harald, please feel free to ignore Reply-To if you are unable to
post to the list. Thanks.)
Browne, Stuart
2020-05-05 23:29:17 UTC
Permalink
Post by Reindl Harald
Post by Chuck Aurora
Post by Erich Eckner
Will there be client-side DoT/DoH support in bind, too? E.g. will my
recursive (or forwarding) resolver be able to resolve upstream dns
via
Well, a recursive resolver cannot use DoT/DoH for iterative queries to
authoritative NS servers, unless authoritative servers offered
DoT/DoH,
and I don't think that's likely to happen.
Basically by deciding you want DoH/DoT upstream, you also have decided
that you want to use forwarders.
says who?
https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians
Thanks for the reply, but FWIW, I don't have a clue what point you
intended to make? I looked at that CIRA page twice, and it is simply
a DoH/DoT forwarder. Absolutely nothing in that release mentions any
change in DNS protocol.

DoH/DoT covers only one hop: the end user to the recursive resolver.
Beyond that one hop is good old-fashioned unencrypted DNS. By using
DoH/DoT, whether in your own stub resolver or in a [future] BIND, you
are using that DoH/DoT server as your forwarder.

From all the reading I've done, DoT/DoH is about each individual hop. You control your hop. Beyond you, it's anonymized anyway as a batch/bunch of requests from a recursing resolver. The CIRA service is just inserting themselves as the recursing resolver (even if they implement that via an "app").

SMTP encryption is the same. You can control your hop; what anybody beyond you does is