[afnog] DNS Over HTTPs (DOH) by RIRs?

Philip Paeps philip at trouble.is
Wed Jul 14 03:16:10 UTC 2021


On 2021-07-14 00:47:31 (+0800), Laban Mwangi wrote:
> I'm a customer of a large ISP that seems to be doing fishy things with
> DNS. They occasionally block port 53 UDP forcing customers to use
> their DNS servers.

That's not great.  Are they merely blocking 53/UDP or are they 
transparently redirecting you to their servers?

> I'd like to switch to something tamper proof; and based on my
> research, DOH seems to fit the bill. However, I'd prefer not to give
> my DNS data to Google / Cloudflare. The next best thing in my opinion
> would be the RIRs since:
> a) They are not for profit.
> b) Are large enough to manage a regional DOH service.
> c) Are already handling reverse DNS.
>
> What do folks think?
>
> Apologies if this topic has already been discussed.

My usual recommendation would be to run your own validating recursive 
resolver, e.g. unbound in your network or dnssec-trigger on end nodes.  
If your ISP is transparently redirecting your DNS traffic though, that 
won't do you much good.  Or at least it won't work very well.

You could use Quad9 DNS-over-TLS as a forwarder.  This gives you the 
advantage of "standard" DNS with the added benefit of mixing your 
queries with those of everyone else using Quad9.  Plus, you're likely to 
have a Quad9 server nearby so you won't suffer too much of a latency 
hit.

(I am not keen on the "everything over HTTP" paradigm and I don't feel 
DNS is improved with additional latency.)

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
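The setup Philip suggests (a local validating unbound that forwards to Quad9 over DNS-over-TLS rather than plain 53/UDP), as an added example unbound.conf that is not part of the original thread. The Quad9 addresses and the name dns.quad9.net are Quad9's published ones; the trust-anchor and CA-bundle paths are assumptions and differ between operating systems.

```conf
# Added example, not configuration from the thread. Runs unbound as a
# local validating resolver that sends everything to Quad9 over TLS (853),
# so an ISP that blocks or intercepts 53/UDP sees no usable cleartext DNS.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # DNSSEC validation happens locally: answers from the forwarder are
    # checked against the root trust anchor, so a forwarder (or anyone in
    # the path) that rewrites a signed zone gets SERVFAIL, not trusted data.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    # CA bundle used to verify the forwarder's certificate. Without this
    # the TLS session is encrypted but not authenticated. Assumed path.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Fail closed: if the TLS forwarders are unreachable, do not fall back
    # to ordinary recursion over port 53 that the ISP could redirect.
    forward-first: no
    # "#dns.quad9.net" is the name unbound checks against the certificate,
    # so a transparent interceptor presenting another cert is rejected.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
```

Check the file with `unbound-checkconf`, then confirm validation is active by querying a DNSSEC-signed name with `dig +dnssec @127.0.0.1` and looking for the `ad` flag in the response header.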