RE: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

["Keith Medcalf" <kmedcalf () dessus com>]

For efficiency of censorship.  If you want to stop some domain name from resolving you have to get everyone on the 
planet to block that DNS resolution in their recursive resolver.  However, if everyone uses the same single DNS server 
operated by a single entity, then you only have to coerce that one entity to block resolution of that DNS name.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.

> -----Original Message-----
> From: NANOG <nanog-bounces () nanog org> On Behalf Of Mike Hammett
> Sent: Wednesday, 18 September, 2019 08:19
> To: Jeroen Massar <jeroen () massar ch>
> Cc: NANOG <nanog () nanog org>
> Subject: Re: DNS Recursive Operators: Please enable QNAME minimization
> (RFC7816) for the enhanced privacy of your users
>
> Why on Earth would anyone want that (Firefox deciding to do it's own DNS)
> as default behavior?
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>
> ________________________________
>
> From: "Jeroen Massar" <jeroen () massar ch>
> To: "NANOG" <nanog () nanog org>
> Sent: Wednesday, September 18, 2019 2:15:49 AM
> Subject: DNS Recursive Operators: Please enable QNAME minimization
> (RFC7816) for the enhanced privacy of your users
>
> Hi Folks,
>
> While in the US soon all Firefox users will *NOT* use your DNS Recursives
> configured using DHCP anymore
> (NXDOMAIN use-application-dns.net to avoid that[1]).
> Next to that, it seems some of the root operators are now creating
> instances in the same networks that offer these kind of services for
> globally figuring out what queries are being made.
>
>
> For those that thus either opt-out or otherwise want to use their own
> system resolvers, I suggest that all that run
> DNS Recursive setups enable "QNAME minimization" as defined in
> (experimental) RFC7816 [2]
>
> For pdns "qname-minimization=yes" [6]
> For unbound "qname­-minimisation: yes" [5]
> For BIND "qname-minimization" option [3] and [4]
>
> Of course, do also provider your users with the option of using DoT or
> even DoH on your recursors...
>
> Noting that DoH operators are supposed to enable RFC7816 also [7], guess
> they do not want others to see all the details they get...
>
> Some more details in DNS Privacy Wiki [8]...
>
> Discuss! :)
>
> Greets,
> Jeroen
>
>
> [1] https://support.mozilla.org/en-US/kb/configuring-networks-disable-
> dns-over-https
> [2] https://tools.ietf.org/html/rfc7816
> [3] https://www.isc.org/blogs/qname-minimization-and-privacy/
> [4] https://gitlab.isc.org/isc-projects/bind9/issues/16
> [5]
> https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf
> [6] https://github.com/PowerDNS/pdns/issues/2311
> [7] https://wiki.mozilla.org/Security/DOH-resolver-policy
> [8] https://dnsprivacy.org/wiki/