Fedora and fallback DNS servers

Posted Feb 26, 2021 7:25 UTC (Fri) by tialaramex (subscriber, #21167)
In reply to: Fedora and fallback DNS servers by patrakov
Parent article: Fedora and fallback DNS servers

1.1.1.1 and 8.8.8.8 and similar aren't "effectively owned by someone else". ISPs (of their own accord or by government mandate) could decide to blackhole these addresses but they can't impersonate them because the underlying services offer TLS and of course have certificates for their own names.

Apparently everybody in this thread pays a lot of attention to their DNS configuration and so I'm sure everybody here is using TLS, right?

The British government's old white paper (before it was repeatedly back-burnered and effectively scrapped) described DNS-based filtering censorship as the practical way forward. I remember reading it at the same time IETF 101 London happened; I remember because of the irony.

At that point what is now "Encrypted Client Hello" was only a napkin sketch, but DPRIV and TLS 1.3 were essentially done. DNS-based filtering was thus a dead man walking. Fast forward three years, it's irrelevant. If your teenager wants to read Oglaf then an ISP filter won't stop them.



Fedora and fallback DNS servers

Posted Feb 26, 2021 13:34 UTC (Fri) by dskoll (subscriber, #1630) [Link] (6 responses)

I'm intrigued as to how you run DNS over UDP port 53 with TLS. Please enlighten...

Sure, there's DNSSec, but it's not widely used at all.

Fedora and fallback DNS servers

Posted Feb 26, 2021 17:00 UTC (Fri) by johannbg (guest, #65743) [Link] (5 responses)

Hmm hardly used at all...

As far as I can tell DNSSEC usage is skyrocketing...

https://stats.dnssec-tools.org/

Fedora and fallback DNS servers

Posted Feb 26, 2021 18:02 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Several large cloud hosting providers started offering DNSSEC last year.

Fedora and fallback DNS servers

Posted Feb 26, 2021 19:14 UTC (Fri) by dskoll (subscriber, #1630) [Link] (3 responses)

What percentage of domains (not TLDs, actual registered domains) use DNSSec? I suspect it's under 5%. A quick check shows no DS records for biggies like google.com, microsoft.com, facebook.com, amazon.com, netflix.com, apple.com or oracle.com. There is one for whitehouse.gov, though, which is good.

Fedora and fallback DNS servers

Posted Feb 26, 2021 19:56 UTC (Fri) by johannbg (guest, #65743) [Link] (2 responses)

The "biggies" are always the last to change given the complexity of their infrastructure & bureaucracy.

Given the rate at which this is being adopted, now that cloud providers offer it, I'm pretty sure Microsoft will have completed their adoption at least for the Office 365 platform by the end of this year.

NIST provides statistics on IPv6 and DNSSEC adoption within the US government here [1].

1. https://fedv6-deployment.antd.nist.gov/

Fedora and fallback DNS servers

Posted Feb 28, 2021 19:01 UTC (Sun) by dskoll (subscriber, #1630) [Link] (1 responses)

Thanks for the link. As this page shows, DNSSEC adoption is very limited.

Fedora and fallback DNS servers

Posted Feb 28, 2021 19:59 UTC (Sun) by johannbg (guest, #65743) [Link]

Among their sample at least, and as you can see both Debian and FreeBSD are doing a better job than Fedora in that measurement, and Fedora is just slightly better than RH, which is on par with Microsoft...

