DigitaleGesellschaft / DNS-Resolver

Configuration files of our DoT and DoH servers

Get green in Project dnsprivacy-monitoring #15

Open ryru opened 3 years ago

ryru commented 3 years ago

Our secure DNS resolvers are automatically run through various DNS-related tests by the dnsprivacy-monitoring project. Some tests fail, however. More research and even configuration changes are required for:

  1. TLS 443: "Does the server answer DNS queries over TLS on port 443 with no SNI sent?"
  2. Strict Name 443: "Does the server pass Strict authentication using the authentication domain name only on 443 (some operators require an SNI on 443 to defend against attacks)?"
  3. Keepalive => The edns-tcp-keepalive EDNS0 Option RFC7828
  4. Padding => The EDNS(0) Padding Option [7830](https://datatracker.ietf.org/doc/rfc7830)
  5. OOOR: "Does the server give Out Of Order Responses (Experimental, may give false negatives)?"

ryru commented 3 years ago

Current state:

  1. No, currently not. Why would that be desirable?
  2. No, currently not. Why would that be desirable?
  3. In my understanding this makes sense if client and DNS resolver have a direct TCP connection. In our case nginx serves as reverse proxy. nginx does not understand keepalive within DNS messages, so from my point of view this config (edns-tcp-keepalive) seems useless.
  4. This would result in more bandwidth consumption. Further one could also configure padding for TLS. What would be the benefits of either configuration?
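As an added example (not code from the DNS-Resolver repository or from this thread), here are the two EDNS(0) options discussed in items 3 and 4 on the wire: a small Python builder that attaches an empty edns-tcp-keepalive option and pads the query to the 468-byte block size recommended by RFC 8467, plus a parser that pulls the option codes back out of a wire-format message so one can inspect what a resolver actually returns. Option codes 11 and 12 are the IANA-registered values; the query name is a constructed sample.

```python
import struct
# IANA EDNS0 option codes: edns-tcp-keepalive (RFC 7828) = 11, Padding (RFC 7830) = 12.
# 468 bytes is the query block size recommended by RFC 8467.
OPT_KEEPALIVE, OPT_PADDING, QUERY_BLOCK = 11, 12, 468

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_rr(options):
    # OPT RR: root name, type 41, UDP payload size 1232, no extended flags.
    return b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(options)) + options

def build_query(name, qtype=1, txid=0x1234, keepalive=True, pad_to=QUERY_BLOCK):
    """DNS query with an empty keepalive option and padding to a multiple of pad_to."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    options = struct.pack("!HH", OPT_KEEPALIVE, 0) if keepalive else b""
    if pad_to:
        # The padding option itself costs 4 bytes; a zero-length padding option is valid.
        pad_len = (-(len(header + question + opt_rr(options)) + 4)) % pad_to
        options += struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    return header + question + opt_rr(options)

def edns_options(msg):
    """Return {code: data} from the OPT RR of a wire-format DNS message, or None."""
    def skip_name(p):
        while msg[p] != 0:
            if msg[p] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
                return p + 2
            p += 1 + msg[p]
        return p + 1
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 41:
            opts, p = {}, pos
            while p < pos + rdlen:
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                opts[code] = msg[p + 4:p + 4 + olen]
                p += 4 + olen
            return opts
        pos += rdlen
    return None
```

Sending the built query over TCP (with the 2-byte length prefix) and running `edns_options` on the reply shows whether the resolver echoes a padding option and whether a keepalive option with a server timeout comes back, which is exactly what the monitoring tests above look for.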