Our secure DNS resolvers are automatically run through various DNS-related tests by the dnsprivacy-monitoring project. Some tests fail, though. More research and possibly even configuration changes are required for:
TLS 443: "Does the server answer DNS queries over TLS on port 443 with no SNI sent?"
Strict Name 443: "Does the server pass Strict authentication using the authentication domain name only on 443 (some operators require an SNI on 443 to defend against attacks)?"
Keepalive => The edns-tcp-keepalive EDNS0 Option RFC7828
In my understanding this makes sense if client and DNS resolver have a direct TCP connection. In our case nginx serves as a reverse proxy. nginx does not understand keepalive within DNS messages, so from my point of view this option (edns-tcp-keepalive) seems useless.
This would result in more bandwidth consumption. Furthermore, one could also configure padding for TLS. What would be the benefits of either configuration?
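To make the two options concrete, here is an added example (not code from the original post, nginx, or the dnsprivacy-monitoring project) that builds a DNS query carrying an edns-tcp-keepalive option (RFC 7828, option code 11) and an EDNS Padding option (RFC 7830, option code 12), and parses them back out. It shows that both options live inside the DNS message's OPT record rather than at the TCP or TLS layer, which is why a component that only relays bytes has nothing to act on unless it parses DNS, and it lets you measure the bandwidth cost of padding for a given block size. The query name, transaction ID, UDP size and timeout value are constructed sample values.

```python
import struct

# Real EDNS0 option codes from the IANA registry: edns-tcp-keepalive
# (RFC 7828) and EDNS(0) Padding (RFC 7830). The rest of this file is a
# constructed illustration, not code from the dnsprivacy-monitoring project.
OPT_TCP_KEEPALIVE = 11
OPT_PADDING = 12
TYPE_OPT = 41


def _encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_message(qname, qtype=1, txn_id=0x1234, udp_size=1232,
                  keepalive=False, keepalive_timeout=None, pad_block=None):
    """Build a wire-format DNS message (no TCP length prefix) with an OPT RR.

    keepalive=True adds an edns-tcp-keepalive option. A client sends it with
    empty data; a server answers with a 2-byte idle timeout in 100 ms units,
    which keepalive_timeout supplies here for the server-side form.
    pad_block pads the whole message to a multiple of that many bytes with an
    EDNS Padding option (RFC 8467 recommends 128 for queries).
    """
    # RD flag set, 1 question, 0 answer, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    options = b""
    if keepalive:
        data = b"" if keepalive_timeout is None else struct.pack("!H", keepalive_timeout)
        options += struct.pack("!HH", OPT_TCP_KEEPALIVE, len(data)) + data
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext. rcode/version/flags (0)
    opt_fixed = b"\x00" + struct.pack("!HHI", TYPE_OPT, udp_size, 0)
    if pad_block:
        # size so far: header + question + OPT fixed part + 2-byte RDLENGTH
        # + existing options + the 4-byte padding option header
        unpadded = len(header) + len(question) + len(opt_fixed) + 2 + len(options) + 4
        pad_len = (-unpadded) % pad_block
        options += struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    return header + question + opt_fixed + struct.pack("!H", len(options)) + options


def parse_edns_options(msg):
    """Return {option_code: data} from the OPT RR of a wire-format DNS message ({} if none)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            opts, end = {}, off + rdlen
            while off < end:
                code, olen = struct.unpack("!HH", msg[off:off + 4])
                opts[code] = msg[off + 4:off + 4 + olen]
                off += 4 + olen
            return opts
        off += rdlen
    return {}


def keepalive_timeout_seconds(msg):
    """Idle timeout a server advertised via edns-tcp-keepalive, or None if absent or empty."""
    data = parse_edns_options(msg).get(OPT_TCP_KEEPALIVE)
    if not data:
        return None
    return struct.unpack("!H", data)[0] / 10.0


def padding_overhead(msg):
    """Bytes spent on the padding option (header plus zero fill), 0 if unpadded."""
    pad = parse_edns_options(msg).get(OPT_PADDING)
    return 0 if pad is None else 4 + len(pad)


def tcp_frame(msg):
    """Prefix a message with the 2-byte length used on TCP and TLS transports."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    query = build_message("example.com", keepalive=True, pad_block=128)
    reply = build_message("example.com", keepalive=True, keepalive_timeout=300)
    print(len(query), padding_overhead(query), keepalive_timeout_seconds(reply))
```

Running the script shows a 48-byte query grown to 128 bytes by padding (84 bytes of the message are padding option bytes), and a server-side keepalive option advertising a 30-second idle timeout; `padding_overhead` is the per-message bandwidth cost the post refers to, and `keepalive_timeout_seconds` is what a client would need to see from whichever endpoint actually terminates its TCP connection.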