# DNS over TLS Support and Implementation



## Maelstorm (Oct 2, 2019)

I was reading an article on Ars Technica about Why big ISPs aren’t happy about Google’s plans for encrypted DNS, and I was wondering if ISC-BIND would be supporting this, and if so, how to implement it?

Also, what are the thoughts of the community on this matter in general?  Personally, I think that more privacy on the internet is a good thing.


----------



## xtremae (Oct 2, 2019)

There is a related discussion here.


----------



## D-FENS (Oct 2, 2019)

This is reportedly already supported with BIND: https://kb.isc.org/docs/aa-01386
That's probably what Google will be doing.


----------



## obsigna (Oct 2, 2019)

roccobaroccoSC said:


> This is reportedly already supported with BIND: https://kb.isc.org/docs/aa-01386
> That's probably what Google will be doing.



DNS over TLS = DoT is different from DoH = DNS over HTTPS. The latter is done by the browser, bypassing any settings in the system, while the first is an extension to the system’s DNS. The concerns are about DoH.


----------



## msplsh (Oct 2, 2019)

You could do DoH in the system. Browsers are enabling support to just bypass the system, however.


----------



## msplsh (Oct 2, 2019)

In regards to encrypted DNS in general, it's only a good idea if the system does it. It's possible for Chrome to run its own UDP DNS resolver, but I would expect that Google would like it if they could make DoH out of the browser and bypass any system, network, or other attempts to hijack their requests to stop tracking using NXDOMAIN. They would probably spin it as "why would anybody want to impersonate us if they weren't attacking the user?" It's a double-edged sword to let them hide their requests in with the system if both use DoH (you could just block it if the system used DoT (different port, different protocol) or normal DNS). You'd need a per-process firewall rule or something.

DoH in apps is a "trust no one" approach... including the user.


----------



## msplsh (Oct 2, 2019)

I went out for a walk and realized DoH is terrible because you can't even block per process, because you'd be blocking normal HTTPS.  I'm with Vixie on this, it's a terrible idea.  For people who say "oh dissidents need it" well ask them how well the MITM is working in Kazakhstan.  If we all standardize on DoT, then you can just use the social pressure of removing all legacy methods which will make blocking DoT impossible to "have internet."


----------



## D-FENS (Oct 3, 2019)

obsigna said:


> DNS over TLS = DoT is different from DoH = DNS over HTTPS. The latter is done by the browser, bypassing any settings in the system, while the first is an extension to the system’s DNS. The concerns are about DoH.


How am I supposed to configure my firewall for that? Bad idea.


----------



## obsigna (Oct 3, 2019)

roccobaroccoSC said:


> How am I supposed to configure my firewall for that? Bad idea.


Three things in your comment remain unclear, so I have more questions than answers:

1. Why is your comment struck through?
2. For what do you want to configure your firewall, DoT or DoH?
3. What is a bad idea, DoT, DoH, or configuring the firewall?


----------



## D-FENS (Oct 3, 2019)

What I meant was, if my browser used HTTPS to ask for DNS, I would not be able to tell DNS traffic from HTTPS traffic in my firewall. But then I decided that this comment was not a good idea and I struck it through.


----------

