From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Mon, 10 Dec 2018 12:30:03 +0100
In-Reply-To: <16BD8EAB-1985-486B-B6F4-766C3093EE38@ipfire.org>

Hi Michael,

On Monday, 10.12.2018, 00:21 +0000, Michael Tremer wrote:
> I did not understand what the news is here,

The main news for me was that I've built knot (kdig), and a deeper look into the whole DNS-over-TLS subject and debugging of DoT in general is now better possible. The next news was that I wrote a script which checks the configured DoT servers via kdig, for a better overview of which servers are reliable. Since I use neither Quad9 nor Cloudflare, which are currently, to my knowledge, the only public resolvers that are not outlined as experimental -->
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
I wanted to check what's going on with all the experimental ones -->
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers#DNSPrivacyTestServers-DoTservers
Therefore this step was important for me and I decided to share it here with you.

I have also updated the DoT configuration file, now with 12 DNS test servers, which have worked for ~2 weeks without problems. I also needed to throw some others out which caused problems, since some certificates were not trustworthy or DNSSEC validation didn't work.

You may ask yourself why on earth 12 DNS servers? Well, another testing field for me in this topic is not only encryption but also randomization -->
https://www.monperrus.net/martin/randomization-encryption-dns-requests
--> https://www.ctrl.blog/entry/kresd-random-dns-forwarding
which unbound offers via 'rrset-roundrobin: yes' as a default value on IPFire, but along my testing I could figure out that it only works with DoT, not with regular DNS; for the reference test see here -->
https://forum.ipfire.org/viewtopic.php?f=6&t=21866#p120276

These are currently my main news, but there is more which I wrote in the forum but also on Gitlab in the README.

> but please try to keep the conversation on the list when it has
> started there. I do not regularly read the forums.

Yes, I know and will do this too, but as ever I try to invite the community also via the forum to go for testing/sharing information which, also as usual, does not work very well.

Best,

Erik

> -Michael
>
> > On 9 Dec 2018, at 20:08, ummeegge wrote:
> >
> > Hi all,
> > some news in this topic can be found in here -->
> > https://forum.ipfire.org/viewtopic.php?f=50&p=120997#p120997
> >
> > Best,
> >
> > Erik
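A checker of the kind Erik describes, written here as an added example (it is not his script and not part of this thread): it queries each configured DoT server with kdig, requiring CA validation and a hostname match, and classifies the reply so that certificate/handshake failures, non-validating resolvers and SERVFAILs can be told apart. It assumes Knot's kdig is installed; the server list and the query name are constructed samples.

```shell
#!/bin/sh
# Added example, not Erik's script: classify DoT test servers from what kdig reports.
# Assumptions: knot's kdig is installed; the server list and query name below are
# constructed samples in the form "<ip> <port> <tls-auth-name>".
DOT_SERVERS='9.9.9.9 853 dns.quad9.net
1.1.1.1 853 cloudflare-dns.com'
QNAME="ipfire.org"

# classify_reply: reads kdig output on stdin and prints one of
#   OK-AD          NOERROR with the AD flag, i.e. the resolver validated DNSSEC
#   OK-NOAD        NOERROR but no AD flag, i.e. the resolver did not validate
#   RCODE-<code>   a reply with a non-NOERROR status (SERVFAIL, REFUSED, ...)
#   NOREPLY        no DNS header at all: connect, TLS handshake or cert check failed
classify_reply() {
    reply=$(cat)
    header=$(printf '%s\n' "$reply" | grep -i -- '->>HEADER<<-' || true)
    status=$(printf '%s\n' "$header" | sed -n 's/.*status: *\([A-Z]*\).*/\1/p')
    case "$status" in
        '')      echo NOREPLY ;;
        NOERROR)
            if printf '%s\n' "$reply" | grep -i '^;; flags:' | grep -q -w ad; then
                echo OK-AD
            else
                echo OK-NOAD
            fi ;;
        *)       echo "RCODE-$status" ;;
    esac
}

# query_dot: one DoT query that insists on CA validation and on the authentication
# name matching (+tls-ca, +tls-hostname); +dnssec sets DO so a validating resolver
# can set AD in its reply. Errors go to stdout so classify_reply sees them too.
query_dot() {
    kdig @"$1" -p "$2" +tls-ca +tls-hostname="$3" +dnssec +time=5 "$QNAME" A 2>&1
}

# check_all: one line per configured server with its classification.
check_all() {
    printf '%s\n' "$DOT_SERVERS" | while read -r ip port name; do
        [ -n "$ip" ] || continue
        printf '%-16s %-5s %-24s %s\n' "$ip" "$port" "$name" \
            "$(query_dot "$ip" "$port" "$name" | classify_reply)"
    done
}

case "${1:-}" in run) check_all ;; esac
```

Run it as `sh dot-check.sh run`; a server that fails the certificate or hostname check shows up as NOREPLY, one that answers without validating as OK-NOAD.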