
Qname minimisation #2311

Open
bortzmeyer opened this Issue Mar 4, 2015 · 13 comments

9 participants
bortzmeyer commented Mar 4, 2015

It would be nice to have an implementation of qname minimisation http://datatracker.ietf.org/doc/draft-ietf-dnsop-qname-minimisation/ in PowerDNS Recursor. It would allow performing quantitative tests (such as differences in the number of packets sent to authoritative name servers) on this technique, thus allowing the draft to be discussed with actual facts.

To gain experience, and to be able to assert with absolute certainty that qname minimization works, it would be great to have a widely used DNS resolver implement it.

Since the intended status for the Internet-Draft is "experimental", a compilation option (with default off) would be enough. (By the way, why are there currently zero compilation options in the recursor?)

ahupowerdns (Member) commented Mar 4, 2015

Hi Stephane,

This almost fits into what the Lua preoutquery hook can do, and perhaps that would be a great place to experiment with this feature. Currently preoutquery can only block a query to auth servers, but with a little bit of work it could be made to modify such queries. postoutquery could then restore things perhaps.

We'll be looking into it.

Habbie (Member) commented Mar 4, 2015

(As for the secondary question, we do have a compilation option - whether or not you want Lua, and if so, where it lives. We don't have any other compilation options because so far we've managed to make everything configurable at runtime or startup time.)

@pieterlexis pieterlexis added this to the rec-4.1.0 milestone Dec 15, 2015

@ahupowerdns ahupowerdns removed this from the rec-4.1.0 milestone Feb 20, 2017

@Habbie Habbie added this to the rec-helpneeded milestone Mar 7, 2017

johnhtodd commented May 3, 2017

We (PCH) are interested in qname minimization for our recursive resolver array, which partially uses powerdns recursor. Since we serve a set of clients with a charter of privacy, it seems that qname minimization serves that interest by hiding the full query from resolvers that have no need to see it. We can put some funding towards this work.

bortzmeyer (Author) commented May 5, 2017

By the way, since the opening of this issue, QNAME minimisation RFC has been published, RFC 7816.

MikeSchroll commented Aug 14, 2017

johnhtodd commented Oct 11, 2017

Ping. Our PDNS resolvers are starting to look shabby when they are tested against the DNS-OARC "Test My DNS" page - "QNAME Minimization" is the only test they fail. While I believe this should be implemented for privacy reasons, sometimes it takes a bit of publicity in comparison to other resolvers to encourage a patch. :-) https://cmdns.dev.dns-oarc.net/


mnordhoff (Contributor) commented Jan 10, 2018

I'm not sure how consistent that is with Unbound's current implementation. They use A queries now, for example.

zeha (Collaborator) commented Feb 5, 2018

Wild idea from a few days ago: use public suffix list to determine which outqueries should undergo qname minimization. If infra would be there to do this in preoutquery, even better.

bortzmeyer (Author) commented Feb 5, 2018

@zeha Strong NO. The Public Suffix List is outdated (because it is not maintained by the domain name holders), and stops mostly at the second level. Also, QNAME minimisation is a DNS thing and should not rely on non-DNS resources.

zeha (Collaborator) commented Feb 5, 2018

@bortzmeyer I'll just comment on PSL being outdated: it does get updates, see https://github.com/publicsuffix/list/commits/master - is there anything specifically outdated?

alarig commented Mar 2, 2019

Ping. Is it planned to be implemented?
For the moment, PowerDNS sends the complete query to all the NSes, which is a big lack of privacy:
14:17:52.957787 IP resolver02.grifon.fr.28336 > k.gtld-servers.net.domain: 16627 [1au] A? shavar.services.mozilla.com. (56)
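As an added illustration (not PowerDNS code and not posted by anyone in this thread), the following Python toy model shows what each authoritative server on the path sees when a recursor resolves the name from the tcpdump line above, first with classic iteration and then with RFC 7816 QNAME minimisation. The delegation tree, the server names and the 198.51.100.10 address are constructed for the example; the real algorithm also has to cope with authoritative servers that answer NXDOMAIN for empty non-terminals instead of NODATA, which this model leaves out.

```python
# Added illustration, not PowerDNS code: a toy model of what each authoritative
# server observes when a recursor resolves a name with and without QNAME
# minimisation (RFC 7816). All zone data and server names are constructed.

# Constructed delegation tree: zone apex -> server answering for it, the child
# zones it delegates, and the records it holds.
ZONES = {
    ".": {"server": "root-server", "delegations": {"com."}, "records": {}},
    "com.": {"server": "gtld-server", "delegations": {"mozilla.com."}, "records": {}},
    "mozilla.com.": {
        "server": "mozilla-ns",
        "delegations": set(),
        # 198.51.100.10 is documentation address space, not a real record.
        "records": {("shavar.services.mozilla.com.", "A"): "198.51.100.10"},
    },
}


def answer(zone, qname, qtype):
    """Simulate an authoritative server's reply for a query inside `zone`."""
    z = ZONES[zone]
    for child in z["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", child  # "ask the child zone's servers"
    rdata = z["records"].get((qname, qtype))
    if rdata is not None:
        return "ANSWER", rdata
    # Name exists (apex, or an ancestor of an existing record) but has no
    # record of this type -> NODATA; otherwise NXDOMAIN.
    known = {n for n, _ in z["records"]} | {zone}
    exists = any(qname == n or n.endswith("." + qname) for n in known)
    return ("NODATA" if exists else "NXDOMAIN"), None


def resolve_full(qname, qtype):
    """Classic iteration: the full qname is sent to every server on the path."""
    sent, zone = [], "."
    while True:
        sent.append((ZONES[zone]["server"], qname, qtype))
        status, data = answer(zone, qname, qtype)
        if status != "REFERRAL":
            return sent, status, data
        zone = data


def candidate_names(qname):
    """Ancestors of qname from the TLD down to qname itself."""
    parts = qname.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def resolve_minimised(qname, qtype):
    """RFC 7816 style iteration: each server sees only one more label than the
    zone it is authoritative for; the original qtype is used only at the end."""
    sent, zone = [], "."
    candidates = candidate_names(qname)
    i = 0
    while i < len(candidates):
        candidate = candidates[i]
        final = candidate == qname
        # Intermediate names at or above the current zone apex are already known.
        if not final and (candidate == zone or zone.endswith("." + candidate)):
            i += 1
            continue
        qt = qtype if final else "NS"
        sent.append((ZONES[zone]["server"], candidate, qt))
        status, data = answer(zone, candidate, qt)
        if status == "REFERRAL":
            zone = data  # follow the delegation; a final name is re-asked there
            if not final:
                i += 1
        elif status == "NXDOMAIN" or final:
            return sent, status, data
        else:
            i += 1  # NODATA on an intermediate NS query: add one more label
    raise RuntimeError("unreachable: the last candidate always returns")


def names_seen_by(sent, server):
    """Which query names a given server observed during the resolution."""
    return {q for s, q, _ in sent if s == server}


if __name__ == "__main__":
    name = "shavar.services.mozilla.com."  # the name from the tcpdump line
    for label, fn in (("full", resolve_full), ("minimised", resolve_minimised)):
        sent, status, data = fn(name, "A")
        print(f"{label}: {status} {data}")
        for server, q, qt in sent:
            print(f"  {server:<12} <- {qt} {q}")
```

Running it shows the point of the thread: under classic iteration the gTLD server sees `shavar.services.mozilla.com.`, exactly as in the capture, while under minimisation it only ever sees `mozilla.com. NS`, and the full name reaches only the server that is authoritative for it. The extra query for `services.mozilla.com. NS` is the price paid for the privacy gain, which is the kind of packet-count difference the issue opener wanted to measure.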

ahupowerdns (Member) commented Mar 2, 2019

Yes it is planned and will happen this year (2019).
