[afnog] DNS Over HTTPs (DOH) by RIRs?

Bill Woodcock woody at pch.net
Tue Jul 13 20:26:54 UTC 2021


>> On Tue, Jul 13, 2021 at 8:49 PM Laban Mwangi <lmwangi at gmail.com> wrote:
>> Hi All,
>> I'm a customer of a large ISP that seems to be doing fishy things with DNS. They occasionally block port 53 UDP, forcing customers to use their DNS servers.
>> 
>> I'd like to switch to something tamper-proof; and based on my research, DoH seems to fit the bill. However, I'd prefer not to give my DNS data to Google / Cloudflare. The next best thing in my opinion would be the RIRs since:
>> a) They are not for profit.
>> b) Are large enough to manage a regional DOH service.
>> c) Are already handling reverse DNS.
>> 
>> What do folks think?


> On Jul 13, 2021, at 1:05 PM, Amreesh Phokeer <amreesh.phokeer at gmail.com> wrote:
> Hi Laban,
> Long time :)
> A friend will tell you that you can use the Quad9 DoH service... but same problem, heh!
> How about you set up your own DoH server? Or you could ask your community-led IXP to do that for you; it will save you a little RTT.
> https://github.com/DNSCrypt/dnscrypt-proxy

Just to add a little to what Amreesh said, your concerns are very real, and exactly why we set up Quad9 in the first place. It’s not-for-profit, and we only use open source, so we’re happy to show you what we’ve done. Or, if you want to use the servers we’ve been setting up, they’re back-to-back with the RIR authoritative servers, so they give very good performance (and no intervening MITM attack surface) for those domains, as well as the 130 ccTLDs that PCH hosts, again back-to-back with the Quad9 servers. And if you’d like PCH/Quad9 servers at your local IXP, and they’re not already there, just let Sara or Nishal or me know, and we’ll get that in the queue.

There’s also ODoH, if you want to go one step further… Apple’s implementation will work at least on macOS, iOS, and Windows, though I don’t know if there’s a Linux/Unix client available. Note, though, that ODoH uses ingress and egress nodes, like Tor, and Apple supplies the ingress nodes, and there is a fixed set of egress providers, so you’d want to make sure to specify an egress provider you trust… ODoH provides _no_ anonymity if the egress provider is also a CDN that sees any of your authenticated/unencrypted traffic.

                                -Bill
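The thread turns on the fact that DoH carries an ordinary DNS wire-format message inside HTTPS on port 443, so blocking UDP/53 does not touch it and an on-path ISP sees only TLS. The following is an added example written for this archive page (it is not code from Bill, Amreesh, Quad9, PCH or dnscrypt-proxy). It builds the wire-format query, encodes it into the RFC 8484 `?dns=` GET form, and then decodes a response. The resolver URL for Quad9 is an assumption stated in the code, and the response is a constructed fixture rather than a captured packet, so the whole thing runs offline; the parser also rejects a reply whose transaction ID does not match ours or whose RCODE signals an error, which is the check a client should make before trusting anything in the answer section.

```python
import base64
import struct

# Added example: offline construction and decoding of RFC 8484 DoH messages.
# ASSUMPTION: Quad9's DoH endpoint; check quad9.net for the current URL.
RESOLVER_URL = "https://dns.quad9.net/dns-query"

QTYPE_A, QTYPE_CNAME, QTYPE_AAAA = 1, 5, 28


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query; RFC 8484 s.4.1 says use ID 0 so HTTP caches can dedupe."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """GET form: ?dns=<base64url(query)> with '=' padding stripped (RFC 8484 s.6)."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={enc}"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_id: int = 0) -> list:
    """Return answer records as (name, qtype, ttl, rdata) after header sanity checks."""
    txn, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txn != expected_id or not flags & 0x8000:  # ID must match, QR bit must be set
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            text = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_CNAME:
            text, _ = read_name(msg, off - rdlen)
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def constructed_response(query: bytes, ip: str, ttl: int = 300, rcode: int = 0) -> bytes:
    """CONSTRUCTED fixture: the reply a resolver would send for an A query (not captured data)."""
    an = 0 if rcode else 1
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, an, 0, 0)  # QR=1 RD=1 RA=1
    answer = b""
    if an:
        answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) \
            + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(parse_response(constructed_response(q, "192.0.2.1")))  # 192.0.2.1 is a documentation address
```

Sending the URL over HTTPS with an `Accept: application/dns-message` header is all a real client adds; the important part for the tamper-resistance Laban wants is that the TLS certificate of the chosen resolver is validated normally, since a resolver that is merely "not on port 53" but reached over plain HTTP would be exactly as interceptable as UDP/53.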
