[afnog] DNS Over HTTPs (DOH) by RIRs?

Laban Mwangi lmwangi at gmail.com
Wed Jul 14 10:23:54 UTC 2021


On Tue, 13 Jul 2021 at 23:27, Bill Woodcock <woody at pch.net> wrote:

> >> On Tue, Jul 13, 2021 at 8:49 PM Laban Mwangi <lmwangi at gmail.com> wrote:
> >> Hi All,
> >>  I'm a customer of a large ISP that seems to be doing fishy things with
> DNS. They occasionally block port 53 UDP forcing customers to use their DNS
> servers.
> >>
> >> I'd like to switch to something tamper proof; and based on my research,
> DOH seems to fit the bill. However, I'd prefer not to give my DNS data to
> Google / Cloudflare. The next best thing in my opinion would be the RIRs
> since:
> >> a) They are not for profit.
> >> b) Are large enough to manage a regional DOH service.
> >> c) Are already handling reverse DNS.
> >>
> >> What do folks think?
>
>
> > On Jul 13, 2021, at 1:05 PM, Amreesh Phokeer <amreesh.phokeer at gmail.com>
> wrote:
> > Hi Laban,
> > Long time :)
> > a friend will tell you that you can use the quad9 doh service...but same
> problem, heh!
> > how about you setup your own DoH server? or you could ask your
> community-led IXP to do that for you, will save you a little RTT
> > https://github.com/DNSCrypt/dnscrypt-proxy
>
> Just to add a little to what Amreesh said, your concerns are very real,
> and exactly why we set up Quad9 in the first place.  It’s not-for-profit,
> and we only use open-source, so we’re happy to show you what we’ve done.
> Or, if you want to use the servers we’ve been setting up, they’re
> back-to-back with the RIR authoritative servers, so give very good
> performance (and no intervening MITM attack surface) for those domains, as
> well as the 130 ccTLDs that PCH hosts, again back-to-back with the Quad9
> servers.  And if you’d like PCH/Quad9 servers at your local IXP, and
> they’re not already there, just let Sara or Nishal or me know, and we’ll
> get that in queue.
>
> There’s also ODoH, if you want to go one step further…  Apple’s
> implementation will work at least on MacOS, iOS, and Windows, though I
> don’t know if there’s a Linux/Unix client available.  Note, though, that
> ODoH uses ingress and egress nodes, like Tor, and Apple supplies the
> ingress nodes, and there are a fixed set of egress providers, so you’d want
> to make sure to specify an egress provider you trust… ODoH provides _no_
> anonymity if the egress provider is also a CDN that sees any of your
> authenticated/unencrypted traffic.
>
>                                 -Bill
>
Thanks Bill/Amreesh,

Will give this a shot and see how it works out.

Cheers,
Laban
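For readers wondering what "switching to DoH" actually changes on the wire, here is the RFC 8484 request and response encoding a DoH client such as dnscrypt-proxy speaks. This is an added example, not code from the thread or from the dnscrypt-proxy project; the endpoint name is a placeholder and the sample response bytes are constructed, not captured from any resolver.

```python
import base64
import struct
import urllib.request  # used only by doh_lookup(); the encoder/decoder below run offline

# Placeholder resolver endpoint (assumption): any RFC 8484 server path can go here.
DOH_ENDPOINT = "https://dns.example.net/dns-query"

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035). ID 0 keeps identical queries cacheable, as RFC 8484 suggests."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id=0, RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: the query goes in the 'dns' parameter as unpadded base64url."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def parse_a_records(msg: bytes) -> list:
    """Extract A-record addresses from a wire-format response, handling name compression."""
    qd, an = struct.unpack(">HH", msg[4:8])

    def skip_name(o: int) -> int:
        while True:
            l = msg[o]
            if l == 0:
                return o + 1
            if l & 0xC0 == 0xC0:      # compression pointer: two bytes, terminates the name
                return o + 2
            o += 1 + l

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4     # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_lookup(name: str, endpoint: str = DOH_ENDPOINT) -> list:
    """Live lookup: the ISP sees only a TLS session to the resolver, never a port-53 datagram."""
    req = urllib.request.Request(doh_get_url(endpoint, build_dns_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed sample response: example.org A 192.0.2.1, TTL 300, answer name via pointer to offset 12
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03org\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The HTTPS layer is what defeats a port-53 block; it does nothing for the trust question the thread raises, which is entirely about who runs the endpoint.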