nanog mailing list archives

Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

From: Jeroen Massar <jeroen () massar ch>
Date: Wed, 18 Sep 2019 12:51:53 +0200

On 2019-09-18 12:24, Brian J. Murrell wrote:

On Wed, 2019-09-18 at 09:15 +0200, Jeroen Massar wrote:

Hi Folks,

Hi.

While in the US soon all Firefox users will *NOT* use your DNS
Recursives configured using DHCP anymore
(NXDOMAIN use-application-dns.net to avoid that[1]).


What am I misunderstanding?  Isn't use-application-dns.net supposed to
return A results until "defeated"?  I have not configured my own DNS
server to NXDOMAIN that yet, however:

That just means that somebody broke that setup as it worked last week and was pointing to Github Pages serving:

https://github.com/agrover/global-canary/

Maybe Google does not want Mozilla/CloudFlare to get all the DoH queries? :)
Nah likely just a failure somewhere, as both are supported heavily by Google (if there was no competition then Google
would truly have a monopoly in the browser market and that would be bad, at least with them funding Mozilla and CF
through the backdoor it looks like it isn't a monopoly as there "is that other thing")

There is a little thread about that domain here on dns-operations:
https://lists.dns-oarc.net/pipermail/dns-operations/2019-September/019179.html

Currently though:

use-application-dns.net. 172800 IN NS ns-cloud-b1.googledomains.com.
use-application-dns.net. 172800 IN NS ns-cloud-b2.googledomains.com.
use-application-dns.net. 172800 IN NS ns-cloud-b3.googledomains.com.
use-application-dns.net. 172800 IN NS ns-cloud-b4.googledomains.com.

$ dig @ns-cloud-b1.googledomains.com. use-application-dns.net. a
[..]
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21669
...

that is from my test host, but of course, from my other hosts it nicely NXDOMAINs.... but those hosts also route
1.1.1.1/8.8.8.8/8.8.4.4 and the IPv6 equivalents and many other such IPs (OpenDNS, etc and even root servers) to the
local anycasted edition.... cause I don't want that in my networks.

Then again, as that makes me not a sheep, I am likely more visible anyway...[1]

Greets,
Jeroen

[1] https://jeroen.massar.ch/presentations/vid/27C3-JeroenMassar-HowTheInternetSeesYou/

Current thread:

DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users Jeroen Massar (Sep 18)
- Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users Brian J. Murrell (Sep 18)
  - Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users Jeroen Massar (Sep 18)
    - Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users John Levine (Sep 18)
- Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users Mike Hammett (Sep 18)
  - Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users Matt Corallo (Sep 18)
  - RE: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users Keith Medcalf (Sep 18)
  - Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users Curtis Maurand (Sep 27)