Closed bortzmeyer closed 5 years ago
Hi Stephane,
This almost fits into what the Lua preoutquery hook can do, and perhaps that would be a great place to experiment with this feature. Currently preoutquery can only block a query to auth servers, but with a little bit of work it could be made to modify such queries. postoutquery could then restore things perhaps.
We'll be looking into it.
(As for the secondary question, we do have a compilation option - whether or not you want Lua, and if so, where it lives. We don't have any other compilation options because so far we've managed to make everything configurable at runtime or startup time.)
We (PCH) are interested in qname minimization for our recursive resolver array, which partially uses powerdns recursor. Since we serve a set of clients with a charter of privacy, it seems that qname minimization serves that interest by hiding the full query from resolvers that have no need to see it. We can put some funding towards this work.
By the way, since the opening of this issue, the QNAME minimisation RFC has been published: RFC 7816.
Nice simple explanation in article here: http://blog.erratasec.com/2017/08/query-name-minimization.html#.WZGidHopChA
Ping. Our PDNS resolvers are starting to look shabby when they are tested against the DNS-OARC "Test My DNS" page: "QNAME Minimization" is the only test they fail. While I believe this should be implemented for privacy reasons, sometimes it takes a bit of publicity in comparison to other resolvers to encourage a patch. :-) https://cmdns.dev.dns-oarc.net/
I'm not sure how consistent that is with Unbound's current implementation. They use A queries now, for example.
Wild idea from a few days ago: use public suffix list to determine which outqueries should undergo qname minimization. If infra would be there to do this in preoutquery, even better.
@zeha Strong NO. The Public Suffix List is outdated (because it is not maintained by the domain name holders), and stops mostly at the second level. Also, QNAME minimisation is a DNS thing and should not rely on non-DNS resources.
@bortzmeyer I'll just comment on PSL being outdated: it does get updates, see https://github.com/publicsuffix/list/commits/master - is there anything specifically outdated?
Ping. Is it planned to be implemented? For the moment, PowerDNS sends the complete query to all the NSes, which is a big lack of privacy:

```
14:17:52.957787 IP resolver02.grifon.fr.28336 > k.gtld-servers.net.domain: 16627 [1au] A? shavar.services.mozilla.com. (56)
```
Yes it is planned and will happen this year (2019).
Strangely enough, QNAME Minimization is part of the "Mozilla Policy Requirements for DNS over HTTPs Partners".
@paddg Why "strangely"? It is perfectly reasonable for Mozilla to ask this. I concur.
@bortzmeyer Because I'm not aware that it is widespread. Only 1.1.1.1 offers it. Good move, I'd say.
@paddg No, certainly not "only 1.1.1.1". Unbound, Knot (the software behind 1.1.1.1) and BIND have QNAME minimisation. Among free software, PowerDNS is the only one missing.
@bortzmeyer Yes I know. But I meant it is not widespread among the public DNS Resolver services.
First version has been merged to master in #7757
> Strangely enough, QNAME Minimization is part of the "Mozilla Policy Requirements for DNS over HTTPs Partners".
Am looking forward to being able to try this out, as we are tentatively considering doing something with Mozilla. Thank you, @pieterlexis!
If you want, you can run the master branch builds found in https://repo.powerdns.com; these already contain the qname minimization code I committed last month. Feedback is very welcome.
Just tried installing pdns-recursor_4.2.0~rc1+master.581.gda24df4ac-1pdns.stretch_amd64.deb from stretch-rec-master, which was built this morning. But it looks like that is not containing your code.

> But it looks like that is not containing your code.
It really should, please check again.
Ok, I tried it again, but it still seems not to do anything. What I did:

```
apt install pdns-recursor=4.2.0~rc1+master.585.gcff66f2dc-1pdns.stretch
```

as I had to downgrade from 4.2.0-1.

Then did a tcpdump to verify outgoing queries:

```
07:28:52.266657 IP 193.5.68.65.30064 > ns3.afrinic.net.domain: 9602 [1au] PTR? 208.118.246.194.in-addr.arpa. (57)
07:28:52.280656 IP 193.5.68.65.56007 > ns2.as8758.net.domain: 10980 [1au] PTR? 208.118.246.194.in-addr.arpa. (57)
```

The first query should have been minimized in my opinion.
Also https://cmdns.dev.dns-oarc.net/ says qname minimisation is not done
You do need to enable the feature (`qname-minimization=yes`).
We are discussing on a closed ticket; for further help, please find us on IRC or the mailing lists.
For everyone ending up here... It works; the missing piece was adding

```
qname-minimization=yes
```

to recursor.conf.
It would be nice to have an implementation of qname minimisation http://datatracker.ietf.org/doc/draft-ietf-dnsop-qname-minimisation/ in PowerDNS Recursor. It would allow performing quantitative tests (such as differences in the number of packets sent to authoritative name servers) on this technique, thus allowing to discuss the draft with actual facts.
To gain experience, and to be able to assert with absolute certainty that qname minimization works, it would be great to have a widely used DNS resolver implement it.
Since the intended status for the Internet-Draft is "experimental", a compilation option (with default off) would be enough. (By the way, why are there currently zero compilation options in the recursor?)
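To make the two points raised in this thread concrete (the issue description asks for counting packets sent to authoritative servers, and the tcpdump above shows every server receiving the full qname), here is an added simulation of the RFC 7816 iteration next to classic full-name iteration. It is example code written for this page, not PowerDNS Recursor code. The delegation tree is constructed for the demo, each "server" is only identified by the apex of the zone it serves, and the `probe_type` parameter stands in for the NS-versus-A choice for intermediate queries mentioned earlier in the thread; none of it describes a real server or the Recursor's internals.

```python
"""QNAME minimisation (RFC 7816) versus classic full-name iteration.

Added example for this thread; it is not PowerDNS Recursor code.  The zone
data is a constructed toy delegation tree, and each "server" is identified
by the apex of the zone it serves; no real name server is modelled.
"""
from typing import Dict, List, Tuple

Query = Tuple[str, str, str]  # (zone apex of the server asked, qname sent, qtype sent)

# Constructed data (assumption): zone apex -> {owner name: kind}.
# "delegation" is an NS cut to a child zone; "exists" is a name with records.
ZONES: Dict[str, Dict[str, str]] = {
    ".": {"com.": "delegation", "arpa.": "delegation"},
    "com.": {"mozilla.com.": "delegation"},
    "mozilla.com.": {"shavar.services.mozilla.com.": "exists"},
    "arpa.": {"in-addr.arpa.": "delegation"},
    "in-addr.arpa.": {"194.in-addr.arpa.": "delegation"},
    "194.in-addr.arpa.": {"246.194.in-addr.arpa.": "delegation"},
    "246.194.in-addr.arpa.": {"208.118.246.194.in-addr.arpa.": "exists"},
}


def label_count(name: str) -> int:
    return 0 if name == "." else len(name.rstrip(".").split("."))


def is_under(name: str, suffix: str) -> bool:
    """True when `name` equals `suffix` or lies below it (the root is above everything)."""
    return suffix == "." or name == suffix or name.endswith("." + suffix)


def serve(zone: str, qname: str, qtype: str) -> Tuple[str, str]:
    """Toy authoritative server for `zone`: returns (status, child zone for referrals)."""
    names = ZONES[zone]
    kind = names.get(qname)
    if kind == "delegation":
        return "referral", qname
    if kind == "exists":
        # A non-delegated name holds no NS records, so an NS probe gets NOERROR/NODATA.
        return ("nodata" if qtype == "NS" else "answer"), ""
    for owner, k in names.items():
        if k == "delegation" and is_under(qname, owner):
            return "referral", owner
    if any(is_under(owner, qname) for owner in names):
        return "nodata", ""  # empty non-terminal: the name exists but has no records
    return "nxdomain", ""


def resolve_full(qname: str, qtype: str) -> Tuple[str, List[Query]]:
    """Classic iteration: every server on the path sees the complete qname."""
    zone, sent = ".", []
    while True:
        sent.append((zone, qname, qtype))
        status, child = serve(zone, qname, qtype)
        if status != "referral":
            return status, sent
        zone = child


def resolve_minimised(qname: str, qtype: str, probe_type: str = "NS") -> Tuple[str, List[Query]]:
    """RFC 7816 iteration: ask each server for one more label than its zone apex.

    probe_type is the qtype used for the intermediate names (NS in RFC 7816;
    some resolvers use A instead, as mentioned in the thread)."""
    qlabels = qname.rstrip(".").split(".")
    zone, known, sent = ".", 0, []  # `known` = trailing labels covered by the current zone
    while True:
        if known >= len(qlabels):
            candidate, ctype = qname, qtype  # qname is itself the zone apex
        else:
            candidate = ".".join(qlabels[len(qlabels) - known - 1:]) + "."
            ctype = qtype if candidate == qname else probe_type
        sent.append((zone, candidate, ctype))
        status, child = serve(zone, candidate, ctype)
        if status == "referral":
            zone, known = child, label_count(child)
        elif status in ("nodata", "answer") and candidate != qname:
            known += 1  # the shorter name exists, so add one label and ask the same server
        else:
            return status, sent


def servers_seeing_full_name(sent: List[Query], qname: str) -> List[str]:
    """Which servers received the complete qname (the privacy leak discussed above)."""
    return [zone for zone, name, _ in sent if name == qname]


if __name__ == "__main__":
    for qname, qtype in [("shavar.services.mozilla.com.", "A"), ("208.118.246.194.in-addr.arpa.", "PTR")]:
        for label, fn in [("full", resolve_full), ("minimised", resolve_minimised)]:
            status, sent = fn(qname, qtype)
            print(f"{label:9} {qname} {qtype}: {status}, {len(sent)} queries")
            for zone, name, t in sent:
                print(f"    -> server for {zone:24} {t:4} {name}")
```

Running it shows the trade-off the draft discussion was about: for the Mozilla name the minimised walk sends four queries instead of three, and for the reverse-lookup name six instead of five, because each empty non-terminal costs one extra round trip to the same server; in exchange only the last server on the path ever receives the full qname, whereas classic iteration hands it to the root and TLD servers as well.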