[afnog] Encrypted DNS for ISP customers

Sicelo absicsz at gmail.com
Tue Sep 10 20:10:30 UTC 2019

On Tue, Sep 10, 2019 at 08:38:01PM +0200, Stephane Bortzmeyer wrote:
> On Sun, Sep 08, 2019 at 08:50:33AM +0400,
>  Loganaden Velvindron <loganaden at gmail.com> wrote 
>  a message of 44 lines which said:
> > In his summary, he makes a call for action to deploy encrypted DNS.
> > 
> > How many isps are planning to deploy dns over TLS for their customers ?
> Frankly, I don't see the point. You use encrypted DNS because you
> don't trust your access network. Therefore, you typically don't trust
> its recursive resolver either (for instance because it is a lying
> resolver, censoring SciHub or things like that). So, an encrypted DNS
> resolver on the same network does not seem very useful to me. 

Is it perhaps that you trust the access network, but you are concerned
that someone between you and your ISP could spoof the comms?  Even with
HTTPS, etc., we typically use SSL/TLS to protect our connection to a
service we already trust somewhat. I totally agree that if one cannot 
trust an ISP, then there is no point even if it offers encrypted DNS.
Just my two cents.
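To make the threat model in this exchange concrete, below is a small DNS-over-TLS (RFC 7858) client, added here as an illustration; it is not code from either poster or from any ISP deployment. It builds a DNS query, applies the two-byte length prefix that DoT inherits from DNS over TCP, and sends it over a TLS session in which the resolver's certificate is validated against a configured name, so a device sitting between the customer and the ISP's resolver cannot answer in the resolver's place. It does nothing about a resolver that itself answers dishonestly, which is the limitation the quoted message raises. The resolver address and name in the main block (192.0.2.53 / resolver.example.net) are hypothetical placeholders, and the response used for the offline parse is constructed, not captured traffic.

```python
"""Minimal DNS-over-TLS client: build a query, frame it as for TCP, send it over an
authenticated TLS session, and parse the A records in the reply.
Added example for the afnog thread; not code from the list posters."""
import secrets
import socket
import ssl
import struct
from typing import List, Optional


def build_query(qname: str, qtype: int = 1, msg_id: Optional[int] = None) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header plus one question, RD set."""
    if msg_id is None:
        msg_id = secrets.randbits(16)  # unpredictable transaction ID
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame_for_tls(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length precedes each message."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, expected_id: int) -> List[str]:
    """Check header sanity and the transaction ID, then collect A records from the answer section."""
    if len(resp) < 12:
        raise ValueError("short response")
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if msg_id != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(qname: str, resolver_ip: str, resolver_name: str,
                     port: int = 853, timeout: float = 5.0) -> List[str]:
    """Query resolver_ip on port 853; the certificate must chain to a trusted CA and match
    resolver_name, so an on-path device that redirects the connection cannot impersonate it."""
    query = build_query(qname)
    (msg_id,) = struct.unpack("!H", query[:2])
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame_for_tls(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    return parse_a_records(resp, msg_id)


def _constructed_response(msg_id: int) -> bytes:
    """Constructed sample reply (not captured traffic): example.com A 192.0.2.1, TTL 300."""
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


if __name__ == "__main__":
    # Hypothetical resolver address and authentication name; substitute the ISP's own.
    print(resolve_over_tls("example.com", "192.0.2.53", "resolver.example.net"))
```

The piece that matters for Sicelo's scenario is `server_hostname=resolver_name` together with the default context: the client connects to an IP but only accepts a certificate issued for the ISP-published resolver name, which is what an attacker between the customer and the ISP cannot present. The parser's transaction-ID check is the same defence plain UDP relies on, kept here because TLS protects the channel, not the contents of a reply the resolver chooses to send.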

