These are chat archives for CZ-NIC/knot-resolver

13th Feb 2018
Jörg Thalheim
@Mic92
Feb 13 2018 09:36
@vcunat OK. When I was young and naive I had a public DNS server running - until the hoster disconnected it from the internet. I thought about running a public DNS-over-TLS server again, without marketing though. If DNS-over-TLS had suffered from the same problems as plain DNS, I would have looked into adding client certificates.
The GnuTLS interface looks much saner than the OpenSSL one.
Vladimír Čunát
@vcunat
Feb 13 2018 10:16
Running public recursive servers, well... People wanting to attack authoritative servers can start sending queries to all public resolvers - that unavoidably results in high load on the authoritatives. One might also do the same without public resolvers, e.g. via botnets or misusing advertisement platforms, but if most resolvers were public, it would be easier.
Jörg Thalheim
@Mic92
Feb 13 2018 10:19
@vcunat so everybody should just use 9.9.9.9 instead?
Vladimír Čunát
@vcunat
Feb 13 2018 10:21
Speaking of this, there are a few other public TLS services, but probably none comparably big. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
I'm certainly no expert on this, but I think public resolvers that are carefully monitored pose smaller risks. (assuming attacks are actively mitigated in some ways)
Jörg Thalheim
@Mic92
Feb 13 2018 10:24
@vcunat I don't mind if my instance is not so public. I was just looking into how this could be achieved.
Vladimír Čunát
@vcunat
Feb 13 2018 10:25
Knot-resolver can't filter based on client certificates. It can do so based on IP address (hard to spoof for TCP/TLS, I think).
Jörg Thalheim
@Mic92
Feb 13 2018 10:26
@vcunat but should be easy to add, right? https://www.gnutls.org/manual/html_node/Client-Authentication.html
Vladimír Čunát
@vcunat
Feb 13 2018 10:27
Yes, I expect so.
Vladimír Čunát
@vcunat
Feb 13 2018 10:32
Related to this, Unbound has some *ratelimit* options (experimental?), which could limit at least some kinds of attacks.
Jörg Thalheim
@Mic92
Feb 13 2018 10:33
or dnsdist
Vladimír Čunát
@vcunat
Feb 13 2018 10:33
That's what Quad9 uses, reportedly.