Hello,
We are seeing more DNSSEC all the way to the desktop, thanks to NLnet
Labs products like libunbound and GetDNS. Hooray!
What I am wondering is, if this also resolves all issues relating to
NAT/firewall traversal of DNS. Quite a few CPE boxes are known to
mangle DNS traffic under their default settings, and I am not sure if
this is only the case when passing through their builtin DNS proxy
service, or also when someone addresses port 53 (UDP, TCP, or both).
This matter of CPE mangling also comes up in relation to new RRtypes
that might be added to DNS; I wonder if that would be resolved by
local-machine recursive resolvers.
What is the experience with users and of NLnet Labs with CPE traversal
by recursive resolvers?
Thanks,
-Rick
DNSSEC detects and blocks mangling, it does not bypass it. If your CPE or
your ISP is lying to you, and you need to access the sites they are lying
about, your only option is to use a different upstream resolver; you might
also have to use a tunnel.
Tony.
Hi Tony / list,
> DNSSEC detects and blocks mangling, it does not bypass it.
Thanks, I know.
What I am wondering is if the approach of recursive resolution, not explicitly going through the CPE, suffices to avoid mangling. The CPE *could* still force control over DNS traffic on account of target port 53, and I am wondering if this happens.
-Rick
a message of 9 lines which said:
> What I am wondering is if the approach of recursive resolution, not
> explicitly going through the CPE, suffices to avoid mangling. The
> CPE *could* still force control over DNS traffic on account of
> target port 53, and I am wondering if this happens.
Yes. In China, for instance, it is quite common. Also, port 53 is
sometimes blocked. In these cases, the only solution is to reach the
upstream resolver through DNS-over-TLS (Unbound supports it) or your
VPN.
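An Unbound configuration showing the DNS-over-TLS approach from the reply above next to the plain port-53 forwarding it replaces; this is an added example, not part of the thread, and the upstream resolver (Quad9), its TLS authentication name and the file paths are assumptions.

```conf
# Added example: a local validating Unbound that reaches its upstream over
# TLS on port 853 instead of plain port 53, so a CPE or ISP that redirects
# or rewrites port 53 never sees the queries. The upstream (Quad9), its
# TLS auth name and the file paths below are assumptions, not from the thread.

server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # DNSSEC validation happens here, on the local machine; mangled answers
    # from any path fail validation and are returned as SERVFAIL.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to authenticate the upstream's certificate against the
    # name given after '#' in forward-addr. Without it the TLS session is
    # encrypted but not authenticated, so an interceptor on 853 would not
    # be detected at the transport layer.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Weak setting (left commented out): forwarding over plain UDP/TCP port 53.
# A CPE that transparently captures port 53 still intercepts these queries;
# DNSSEC detects the resulting mangling but cannot get around it.
#forward-zone:
#    name: "."
#    forward-addr: 9.9.9.9

# Corrected setting: DNS-over-TLS to port 853 with certificate authentication.
# A port-53 interceptor cannot redirect this traffic, and a middlebox that
# tries to terminate the TLS session fails the auth-name check.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

If outbound port 853 is blocked as well, the forward-zone above simply fails to resolve, which is the case where the reply's other option, a VPN, is what remains.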