Testing DNS-over-TLS support?
DNS-over-TLS (RFC 7858) is important for privacy but, today, few DNS resolvers support it. It would be interesting to measure if this is changing, but the probes do not seem to be able to query their resolver with TLS over port 853. (Also, I seem to remember that old probes do not have a full TLS implementation.) It is not just a matter of encrypting the data, it's also an authentication issue (Google Public DNS was already impersonated: <http://bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/>). So, how about adding a 'use_tls': True after 'use_probe_resolver': True?
Hi Stephane,

On 2017/03/01 1:13, Stephane Bortzmeyer wrote:
DNS-over-TLS (RFC 7858) is important for privacy but, today, few DNS resolvers support it. It would be interesting to measure if this is changing, but the probes do not seem to be able to query their resolver with TLS over port 853. (Also, I seem to remember that old probes do not have a full TLS implementation.)
What works today is the sslgetcert measurement and traceroute with tcp. That should give some idea about how often 853 is blocked. At the moment, no probes have a full tls implementation (in the measurement code).
So, how about adding a 'use_tls': True after 'use_probe_resolver': True?
That makes sense, but there are a lot of things to do wrt probe code.

Philip
On Wed, Mar 01, 2017 at 01:52:04PM +0100, Philip Homburg <philip.homburg@ripe.net> wrote a message of 22 lines which said:
What works today is the sslgetcert measurement
I never noticed that it was possible to indicate the port, thanks.
<https://atlas.ripe.net/docs/api/v2/reference/#!/measurements/Sslcert_Type_Measurement_List_POST>

% python cert.py -v --issuer -r 500 --port 853 80.67.188.188
{'definitions': [{'target': '80.67.188.188', 'af': 4, 'is_oneoff': True, 'type': 'sslcert', 'port': 853, 'description': 'X.509 cert of 80.67.188.188 from the whole world'}], 'probes': [{'requested': 500, 'type': 'area', 'value': 'WW'}]}
Measurement #7862817 to 80.67.188.188 uses 500 probes
497 probes reported
[<X509Name object '/C=NL/L=Amsterdam/O=OCOM/OU=Security/CN=untrusted/emailAddress=security@leaseweb.com'>] : 1 occurrences
[FAILED TO GET A CERT: connect: timeout] : 2 occurrences
[FAILED TO GET A CERT: timeout reading hello] : 69 occurrences
[<X509Name object '/C=FR/ST=Some-State/O=LDN/CN=80.67.188.188'>] : 425 occurrences
Test #7862817 done at 2017-03-10T09:55:55Z

It seems to indicate there is *some* filtering of port 853. (It is not a network issue since testing with the same probes shows a complete success:

% atlas-reach --old_measurement 7862817 80.67.188.188
495 probes reported
Test #7862825 done at 2017-03-10T09:57:19Z
Tests: 1484 successful tests (100.0 %), 0 errors (0.0 %), 0 timeouts (0.0 %), average RTT: 74 ms
)
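The piece the thread says the probes lack is a DNS-over-TLS client: a DNS query in RFC 1035 wire format, length-prefixed as over TCP, sent on port 853 inside a TLS session whose certificate is verified against the resolver's name. The following is an added example written for this page; it is not part of the thread, of the RIPE Atlas probe code, or of the cert.py / atlas-reach scripts quoted above. It covers both the encryption-plus-authentication point of the first message (a certificate that does not validate for the expected name is reported as an untrusted resolver, which is how an impersonated resolver would show up) and the port-853 reachability test of the last one (a connect timeout is reported separately from a TLS or DNS failure). The resolver address 192.0.2.53 and the name dot.resolver.example are placeholders, not real resolvers; the DNS response used for checking is constructed inline. Only the Python standard library is used.

```python
import socket
import ssl
import struct
import random
import sys

DOT_PORT = 853  # RFC 7858

# --- DNS wire format (RFC 1035), framed with a 2-byte length prefix ---
# DNS-over-TLS reuses the TCP framing of RFC 1035 section 4.2.2 unchanged;
# only the transport underneath changes.

def build_query(qname, qtype=1, txid=None):
    """Return (txid, wire) for a recursive (RD=1) query for qname/qtype (default A)."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)  # random id: cheap check against mismatched replies
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return txid, header + question

def frame(msg):
    """Prefix a DNS message with its 16-bit length, as required over TCP and TLS."""
    return struct.pack("!H", len(msg)) + msg

def read_name(buf, off):
    """Decode a possibly compressed name at buf[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_response(buf, expected_txid):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(buf, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return flags & 0xF, answers

# --- transport: one query over an authenticated TLS session ---

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data

def query_dot(server_ip, qname, server_hostname, timeout=5.0):
    """Resolve qname (A) over TLS at server_ip:853, verifying the certificate
    against server_hostname (the resolver's authentication domain name)."""
    ctx = ssl.create_default_context()  # system trust store + hostname check
    txid, msg = build_query(qname)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame(msg))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), txid)

if __name__ == "__main__":
    # Placeholders (RFC 5737 documentation address, made-up name): substitute a real resolver.
    resolver_ip, resolver_name = "192.0.2.53", "dot.resolver.example"
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        print(query_dot(resolver_ip, name, resolver_name))
    except ssl.SSLCertVerificationError as e:
        print("certificate not valid for", resolver_name, "- not trusting this resolver:", e)
    except socket.timeout:
        print("connect or read timeout: port 853 may be filtered, as in the measurement above")
    except (OSError, ValueError) as e:
        print("query failed (no DoT listener or malformed reply):", e)
```

A resolver that presents a certificate with a self-assigned name, like the CN=80.67.188.188 one in the measurement above, would be rejected by `create_default_context()` unless that certificate is explicitly trusted (loaded into the context with `load_verify_locations`), which is the practical difference between an opportunistic and an authenticated DNS-over-TLS session.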