DNS-over-TLS and DNS-over-HTTPS measurement
Hello,

could you share plans for DNS-over-TLS and DNS-over-HTTPS measurements?

I had the impression that DNS-over-TLS is already supported but now I cannot find it in the UI so I'm probably wrong.

Thank you for the information!

--
Petr Špaček @ CZ.NIC
On Mon, Apr 08, 2019 at 04:36:37PM +0200, Petr Špaček <petr.spacek@nic.cz> wrote a message of 11 lines which said:
could you share plans for DNS-over-TLS and DNS-over-HTTPS measurements?
I had the impression that DNS-over-TLS is already supported but now I cannot find it in the UI so I'm probably wrong.
DNS-over-TLS works for me:

% blaeu-resolve --verbose --nameserver 9.9.9.9 --tls nic.cz
Blaeu version 1.1.4
{'is_oneoff': True, 'definitions': [{'description': 'DNS resolution of nic.cz/AAAA via nameserver 9.9.9.9', 'af': 4, 'type': 'dns', 'query_argument': 'nic.cz', 'query_class': 'IN', 'query_type': 'AAAA', 'set_rd_bit': True, 'tls': True, 'protocol': 'TCP', 'use_probe_resolver': False, 'target': '9.9.9.9'}], 'probes': [{'requested': 5, 'type': 'area', 'value': 'WW', 'tags': {'include': ['system-ipv4-works']}}]}
Measurement #20617896 for nic.cz/AAAA uses 5 probes
Nameserver 9.9.9.9
[2001:1488:0:3::2] : 5 occurrences
Test #20617896 done at 2019-04-08T14:45:31Z

(Note the 'tls': True in the JSON)
Thank you, I will have a look. I must have missed DoT in the UI and API docs.

Anyway, are there plans for supporting DNS-over-HTTPS?

Petr Špaček @ CZ.NIC
On 2019/04/08 17:04 , Petr Špaček wrote:
Anyway, are there plans for supporting DNS-over-HTTPS?
Hi Petr,

A couple of years ago we created a policy regarding HTTP measurements on RIPE Atlas. The concern was that probe hosts located in certain countries could get into trouble should their probes try to reach certain HTTP targets. So it was decided at the time that since these measurements do not add much to the goal of RIPE Atlas, which is to measure the Internet as a network and not the higher level protocols that run on top of it, we restricted HTTP measurements such that they are only able to target RIPE Atlas anchors.

Obviously there are benefits in measuring DNS-over-HTTPS. However, the risk for probe hosts in certain countries remains the same. For this reason, although we would be open to the creation of a new policy should there be sufficient interest from the community, there are no plans to support DNS-over-HTTPS until such a policy is in place.

Philip
participants (3)
- Petr Špaček
- Philip Homburg
- Stephane Bortzmeyer