aparcar / openwrt

Staging tree of Paul Spooren

FS#747 - default dns service doesn't provide qname minimization #713

Open aparcar opened 7 years ago

aparcar commented 7 years ago

dsvensson:

Supply the following if possible:

All

All

qname minimization reduces the amount of information sent via each lookup; this is, to my knowledge, not supported by dnsmasq, which is the default DNS resolver in LEDE. It would be nice if support was added to it, or if it was replaced by some other name server that tries to reduce the amount of information leaked to foreign servers.

The spec: https://tools.ietf.org/html/draft-ietf-dnsop-qname-minimisation-09

Unbound plugs this leak, does it lack anything that LEDE uses?

aparcar commented 7 years ago

dsvensson:

The point here is being privacy friendly by default, rather than requiring users to install unbound on their own.

aparcar commented 7 years ago

EricLuehrsen:

qname minimization is only meaningful with recursion. Stub resolving just sends to a few resolvers anyway. dnsmasq is the default and it is consistent in behavior to OEM as sold. This makes the transition smoother for some. It's easier on bandwidth for those with poor connections.

As the Unbound package maintainer I am sympathetic to [your, similar] goals. This is why I have put in so much effort to add its UCI in the last months. With odhcpd you even get similar local DNS behavior to dnsmasq. However, this is only recent work. I still consider it an optional package. I would not expect core group acceptance of wholesale replacement for awhile.
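The lookup pattern from the first post and the recursion point above, as an added example that is not part of this issue, dnsmasq or Unbound: it models which query name each server on the delegation chain sees with and without QNAME minimisation, and what a stub forwarder sends upstream. It assumes one zone cut per label and uses a constructed forwarder address.

```python
# Added example, not code from the LEDE/OpenWrt issue, dnsmasq or Unbound.
# Models the query names seen by each upstream server when resolving a name
# with classic recursion vs. QNAME minimisation
# (draft-ietf-dnsop-qname-minimisation), plus the stub-resolver case.
# Assumption: every label is its own zone cut (root -> com -> example.com ...).

def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com'] (root label implied)."""
    return [l for l in name.rstrip(".").split(".") if l]

def ancestors(name):
    """Zones asked along the delegation chain, e.g. ['.', 'com.', 'example.com.']."""
    parts = labels(name)
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, 0, -1)]

def full_name_queries(name, qtype="A"):
    """Classic recursion: every server on the chain receives the full name."""
    fq = ".".join(labels(name)) + "."
    return [(zone, fq, qtype) for zone in ancestors(name)]

def minimised_queries(name, qtype="A"):
    """QNAME minimisation: each server is asked only for the next label below
    its own zone (as an NS query); only the last server sees the full name."""
    parts = labels(name)
    chain = ancestors(name)
    out = []
    for depth, zone in enumerate(chain):
        qname = ".".join(parts[len(parts) - depth - 1:]) + "."
        is_last = depth == len(chain) - 1
        out.append((zone, qname, qtype if is_last else "NS"))
    return out

def labels_leaked(queries):
    """Labels each server learns beyond its own zone; lower means less leaked."""
    return {zone: len(labels(qname)) - len(labels(zone)) for zone, qname, _ in queries}

def stub_query(name, forwarder="192.0.2.53", qtype="A"):
    """A stub/forwarding resolver (dnsmasq's usual role) sends the complete name
    to its upstream in one query; minimisation cannot apply on this leg.
    192.0.2.53 is a constructed documentation-range address."""
    return [(forwarder, ".".join(labels(name)) + ".", qtype)]

if __name__ == "__main__":
    for mode, fn in (("full", full_name_queries), ("minimised", minimised_queries)):
        print(mode, fn("www.example.com"), labels_leaked(fn("www.example.com")))
    print("stub", stub_query("www.example.com"))
```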

aparcar commented 7 years ago

dsvensson:

Thanks for the update. Should this issue remain open until awhile has passed, or closed for now?

aparcar commented 7 years ago

EricLuehrsen:

The clock for "Awhile" may not be turning yet. There are technical concerns as well. Example implementation: odhcpd cannot do tftp for network boot. Example use case: recursion (Unbound) should only be at the gateway and stub resolving (dnsmasq) should occur in subnets. Example politics: consumer privacy is legally protected better in some places and permits a level of trust with ISP DNS.