Qname minimisation #2311

Closed
bortzmeyer opened this issue Mar 4, 2015 · 27 comments

Comments


@bortzmeyer bortzmeyer commented Mar 4, 2015

It would be nice to have an implementation of qname minimisation http://datatracker.ietf.org/doc/draft-ietf-dnsop-qname-minimisation/ in PowerDNS Recursor. It would allow quantitative tests to be performed on this technique (such as differences in the number of packets sent to authoritative name servers), thus allowing the draft to be discussed with actual facts.

To gain experience, and to be able to assert with absolute certainty that qname minimization works, it would be great to have a widely used DNS resolver implement it.

Since the intended status for the Internet-Draft is "experimental", a compilation option (with default off) would be enough. (By the way, why are there currently zero compilation options in the recursor?)
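The opening post asks for a way to measure what the technique changes: which names each authoritative server gets to see, and how many packets go out. The following is an added simulation of the RFC 7816 algorithm over a fixed delegation tree; it is not PowerDNS Recursor code. The zone cuts in `ZONES` and the server names are constructed (a real resolver learns them from referrals), and the intermediate queries use the NS type as RFC 7816 describes, with `min_qtype` available to try the A-type variant mentioned later in this thread.

```python
"""Simulate RFC 7816 QNAME minimisation against a fixed delegation tree.

Added illustration, not PowerDNS Recursor code: the zone cuts below are
constructed, whereas a real resolver discovers them from referrals.
"""

# Constructed delegation tree: zone apex -> the server asked for that zone.
ZONES = {
    ".": "root-server.example",
    "com.": "gtld-server.example",
    "mozilla.com.": "ns.mozilla.example",
    "services.mozilla.com.": "ns.services.mozilla.example",
}


def normalise(name):
    """Lower-case, fully qualified form with exactly one trailing dot."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


def labels(name):
    """Labels of a name, root excluded: 'a.b.' -> ['a', 'b']."""
    name = normalise(name)
    return [] if name == "." else name[:-1].split(".")


def candidates(qname):
    """Names that grow by one label per step: 'com.', 'mozilla.com.', ..."""
    parts = labels(qname)
    return [".".join(parts[-depth:]) + "." for depth in range(1, len(parts) + 1)]


def full_queries(qname, qtype, zones=ZONES):
    """Classic resolution: the full QNAME is sent to every zone on the path."""
    qname = normalise(qname)
    path = ["."] + [c for c in candidates(qname) if c in zones]
    return [(zones[z], qname, qtype) for z in path]


def minimised_queries(qname, qtype, zones=ZONES, min_qtype="NS"):
    """RFC 7816: each server sees only its own zone plus one more label.

    Intermediate queries use min_qtype (NS per RFC 7816; some resolvers use
    A or the original type instead); the full name gets the real qtype.
    """
    qname = normalise(qname)
    zone = "."
    queries = []
    for candidate in candidates(qname):
        final = candidate == qname
        queries.append((zones[zone], candidate, qtype if final else min_qtype))
        if candidate in zones and candidate != zone:
            # The parent only returns a referral; descend into the child zone.
            zone = candidate
            if final:
                queries.append((zones[zone], candidate, qtype))
    return queries or [(zones["."], ".", qtype)]


def exposure(queries):
    """Which names each server got to see: server -> sorted list of names."""
    seen = {}
    for server, name, _ in queries:
        seen.setdefault(server, set()).add(name)
    return {server: sorted(names) for server, names in seen.items()}


if __name__ == "__main__":
    for name in ("shavar.services.mozilla.com", "www.shavar.services.mozilla.com"):
        full, mini = full_queries(name, "A"), minimised_queries(name, "A")
        print(name, "full:", len(full), "packets, minimised:", len(mini))
        print("  gtld server saw (full):     ", exposure(full)["gtld-server.example"])
        print("  gtld server saw (minimised):", exposure(mini)["gtld-server.example"])
```

Running it shows the two quantities the post wants to compare: for a name that sits directly at a zone apex the packet count is unchanged, while a name with a label below the last zone cut costs one extra NS query, and in both cases the TLD server only ever sees `mozilla.com.` instead of the full name.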

Contributor

@ahupowerdns ahupowerdns commented Mar 4, 2015

Hi Stephane,

This almost fits into what the Lua preoutquery hook can do, and perhaps that would be a great place to experiment with this feature. Currently preoutquery can only block a query to auth servers, but with a little bit of work it could be made to modify such queries. postoutquery could then restore things perhaps.

We'll be looking into it.

Member

@Habbie Habbie commented Mar 4, 2015

(As for the secondary question, we do have a compilation option - whether or not you want Lua, and if so, where it lives. We don't have any other compilation options because so far we've managed to make everything configurable at runtime or startup time.)

@pieterlexis pieterlexis added this to the rec-4.1.0 milestone Dec 15, 2015
@ahupowerdns ahupowerdns removed this from the rec-4.1.0 milestone Feb 20, 2017
@Habbie Habbie added this to the rec-helpneeded milestone Mar 7, 2017

@johnhtodd johnhtodd commented May 3, 2017

We (PCH) are interested in qname minimization for our recursive resolver array, which partially uses powerdns recursor. Since we serve a set of clients with a charter of privacy, it seems that qname minimization serves that interest by hiding the full query from resolvers that have no need to see it. We can put some funding towards this work.

Author

@bortzmeyer bortzmeyer commented May 5, 2017

By the way, since the opening of this issue, QNAME minimisation RFC has been published, RFC 7816.


@johnhtodd johnhtodd commented Oct 11, 2017

Ping. Our PDNS resolvers are starting to look shabby when they are tested against the DNS-OARC "Test My DNS" page - "QNAME Minimization" is the only test they fail. While I believe this should be implemented for privacy reasons, sometimes it takes a bit of publicity in comparison to other resolvers to encourage a patch. :-) https://cmdns.dev.dns-oarc.net/

Contributor

@mnordhoff mnordhoff commented Jan 10, 2018

I'm not sure how consistent that is with Unbound's current implementation. They use A queries now, for example.

Collaborator

@zeha zeha commented Feb 5, 2018

Wild idea from a few days ago: use the public suffix list to determine which outqueries should undergo qname minimization. If the infra were there to do this in preoutquery, even better.

Author

@bortzmeyer bortzmeyer commented Feb 5, 2018

@zeha Strong NO. The Public Suffix List is outdated (because it is not maintained by the domain name holders), and stops mostly at the second level. Also, QNAME minimisation is a DNS thing and should not rely on non-DNS resources.

Collaborator

@zeha zeha commented Feb 5, 2018

@bortzmeyer I'll just comment on PSL being outdated: it does get updates, see https://github.com/publicsuffix/list/commits/master - is there anything specifically outdated?


@alarig alarig commented Mar 2, 2019

Ping. Is it planned to be implemented?
For the moment, PowerDNS sends the complete query to all the NSes, which is a big lack of privacy:
14:17:52.957787 IP resolver02.grifon.fr.28336 > k.gtld-servers.net.domain: 16627 [1au] A? shavar.services.mozilla.com. (56)

Contributor

@ahupowerdns ahupowerdns commented Mar 2, 2019

Yes it is planned and will happen this year (2019).

Contributor

@paddg paddg commented Apr 11, 2019

Strangely enough, QNAME Minimization is part of the "Mozilla Policy Requirements for DNS over HTTPs Partners".

Author

@bortzmeyer bortzmeyer commented Apr 11, 2019

@paddg Why "strangely"? It is perfectly reasonable for Mozilla to ask this. I concur.

Contributor

@paddg paddg commented Apr 11, 2019

@bortzmeyer Because I'm not aware that it is widespread. Only 1111 offers it. Good move, I'd say.

Author

@bortzmeyer bortzmeyer commented Apr 11, 2019

@paddg No, certainly not "only 1.1.1.1". Unbound, Knot (the software behind 1.1.1.1) and BIND have QNAME minimisation. Among free software, PowerDNS is the only one missing.

Contributor

@paddg paddg commented Apr 11, 2019

@bortzmeyer Yes I know. But I meant it is not widespread among the public DNS Resolver services.

Member

@omoerbeek omoerbeek commented Jun 15, 2019

Member

@pieterlexis pieterlexis commented Jun 18, 2019

First version has been merged to master in #7757


@maznu maznu commented Jul 5, 2019

> Strangely enough, QNAME Minimization is part of the "Mozilla Policy Requirements for DNS over HTTPs Partners".

Am looking forward to being able to try this out, as we are tentatively considering doing something with Mozilla. Thank you, @pieterlexis!

maznu referenced this issue in DNSCrypt/dnscrypt-resolvers Jul 5, 2019
Member

@omoerbeek omoerbeek commented Jul 8, 2019

If you want, you can run the master branch builds found in https://repo.powerdns.com; these already contain the qname minimization code I committed last month. Feedback is very welcome.


@crami crami commented Aug 14, 2019

just tried installing pdns-recursor_4.2.0~rc1%2Bmaster.581.gda24df4ac-1pdns.stretch_amd64.deb from stretch-rec-master which was built this morning. But it looks like it does not contain your code.

Member

@Habbie Habbie commented Aug 14, 2019

> But it looks like it does not contain your code.

It really should, please check again..


@crami crami commented Aug 15, 2019

Ok, I tried it again, but it still seems not to do anything. What I did:
apt install pdns-recursor=4.2.0~rc1+master.585.gcff66f2dc-1pdns.stretch
as I had to downgrade from 4.2.0-1.
Then did a tcpdump to verify outgoing queries:

07:28:52.266657 IP 193.5.68.65.30064 > ns3.afrinic.net.domain: 9602 [1au] PTR? 208.118.246.194.in-addr.arpa. (57)
07:28:52.280656 IP 193.5.68.65.56007 > ns2.as8758.net.domain: 10980 [1au] PTR? 208.118.246.194.in-addr.arpa. (57)

the first query should have been minimized in my opinion.

Also https://cmdns.dev.dns-oarc.net/ says qname minimisation is not done
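The check crami ran above, reading a tcpdump trace of the resolver's outgoing queries and judging whether each one is minimised, can be automated. The script below is an added example, not PowerDNS code. It parses tcpdump's one-line DNS summary format as quoted in this thread, and decides per query whether the server was sent more than its own zone plus one label. The trace lines, the resolver address 192.0.2.10 and the `SERVER_ZONE` map of which zone each server serves are all constructed; a real audit would fill that map from the NS records of the zones the resolver actually talked to.

```python
"""Audit a tcpdump DNS trace for QNAME minimisation.

Added illustration, not PowerDNS Recursor code. The trace and the
server -> zone map are constructed sample data.
"""
import re

# tcpdump's one-line DNS summary, e.g.
# "07:28:52.266657 IP 192.0.2.10.30064 > ns.example.domain: 9602 [1au] A? name. (56)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+)\.domain: "
    r"(?P<id>\d+)\+? (?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Constructed: the zone each authoritative server answers for.
SERVER_ZONE = {
    "tld-server.example": "com.",
    "ns.mozilla.example": "mozilla.com.",
    "ns.services.mozilla.example": "services.mozilla.com.",
}

# Constructed trace: two queries with the feature off, then three with it on.
SAMPLE_TRACE = "\n".join([
    "07:28:52.266657 IP 192.0.2.10.30064 > tld-server.example.domain: 9602 [1au] A? shavar.services.mozilla.com. (56)",
    "07:28:52.280656 IP 192.0.2.10.56007 > ns.mozilla.example.domain: 10980 [1au] A? shavar.services.mozilla.com. (56)",
    "07:28:53.100000 IP 192.0.2.10.40001 > tld-server.example.domain: 11203 [1au] NS? mozilla.com. (40)",
    "07:28:53.110000 IP 192.0.2.10.40002 > ns.mozilla.example.domain: 11204 [1au] NS? services.mozilla.com. (49)",
    "07:28:53.120000 IP 192.0.2.10.40003 > ns.services.mozilla.example.domain: 11205 [1au] A? shavar.services.mozilla.com. (56)",
])


def normalise(name):
    """Lower-case, fully qualified form with exactly one trailing dot."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


def label_count(name):
    """Number of labels in a name; the root has none."""
    name = normalise(name)
    return 0 if name == "." else name.count(".")


def under_zone(qname, zone):
    """True if qname is the zone apex or lies below it."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


def audit_line(line, server_zone):
    """Classify one trace line; None for lines that are not DNS queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qname, server = normalise(m["qname"]), m["dst"].lower()
    zone = server_zone.get(server)
    if zone is None:
        verdict = "unknown-server"
    elif not under_zone(qname, zone):
        verdict = "off-zone"  # server asked about a name outside its zone; map is wrong
    else:
        # Minimised queries carry at most the zone apex plus one label.
        extra = label_count(qname) - label_count(zone)
        verdict = "minimised" if extra <= 1 else "leaks %d label(s)" % (extra - 1)
    return {"server": server, "zone": zone, "qtype": m["qtype"],
            "qname": qname, "verdict": verdict}


def audit(trace, server_zone=SERVER_ZONE):
    """Verdict for every DNS query line in the trace, in order."""
    results = (audit_line(line, server_zone) for line in trace.splitlines())
    return [r for r in results if r is not None]


def looks_minimised(trace, server_zone=SERVER_ZONE):
    """True if every query to a known server was minimised."""
    known = [r for r in audit(trace, server_zone) if r["verdict"] != "unknown-server"]
    return bool(known) and all(r["verdict"] == "minimised" for r in known)


if __name__ == "__main__":
    for r in audit(SAMPLE_TRACE):
        print("%-28s %-4s %-32s %s" % (r["server"], r["qtype"], r["qname"], r["verdict"]))
    print("minimised overall:", looks_minimised(SAMPLE_TRACE))
```

The first two constructed lines reproduce the symptom in crami's trace (the full name sent to servers two and three levels above it); the last three are what the same lookup looks like once the feature is on, with NS queries for the intermediate names. A trace that mixes the two, as above, is reported as not minimised, which is the signal to go and check the configuration.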

Member

@Habbie Habbie commented Aug 15, 2019

You do need to enable the feature (qname-minimization=yes).

We are discussing on a closed ticket; for further help, please find us on IRC or the mailing lists


@crami crami commented Aug 15, 2019

For everyone ending up here... It works; the missing piece was adding
qname-minimization=yes
to recursor.conf
