Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scope associated resolvers to a zone #7

Open
kontaxis opened this issue Apr 11, 2019 · 3 comments
Open

Scope associated resolvers to a zone #7

kontaxis opened this issue Apr 11, 2019 · 3 comments

Comments

@kontaxis
Copy link

Some of the use cases in this draft are:

  • names that are only resolvable in the local context (or split-horizon situations)
  • (local) policies such as malware prevention

It would be useful if the OS-configured resolver could specify that:

  • DoH resolver x.y.z.w should used for .company-domain.com. (split-horizon)
  • DoH resolver k.l.m.n must not be used for .company-domain.com. (to avoid leaking names)
  • DoH resolver a.b.c.d. can be used for everything

DoH servers from HTTPS

{ "associated-resolvers":
    [
        { "resolver": "https://x.y.z.w/dns-query{?dns}",
           "+zones": [ "company-domain.com", "company-domain.net" ]
        },
        { "resolver": "https://k.l.m.n/a/b/c/dns-query{?dns}",
           "-zones": [ "company-domain.com", "company-domain.net". ]
        },
        { "resolver": "https://a.b.c.d/a/b/c/dns-query{?dns}",
        },
    ]
}

DoH servers from DNS

$ORIGIN resolver-associated-doh.arpa.   
 IN TXT "https://x.y.z.w/dns-query{?dns} +zones:company-domain.com,company-domain.net" 
 IN TXT "https://k.l.m.n/a/b/c/dns-query{?dns} -zones:company-domain.com,company-domain.net"
 IN TXT "https://a.b.c.d/a/b/c/dns-query{?dns}"

Thoughts?
@bemasc
Copy link

bemasc commented Apr 11, 2019

  • Terminology: I find the term "OS-configured" confusing here.
  • Process: This would be a significant change, worthy of discussion on the mailing list.
  • Substance: I'm not convinced that the syntax you've sketched achieves the goal you've proposed. The precise semantics of "+" and "-" are unclear. I suspect there's a more elegant solution, perhaps a decision tree represented as a JSON tree.

@kontaxis
Copy link
Author

kontaxis commented Apr 11, 2019
edited
Loading

By "OS-configured resolver" I mean the resolver the device has today as part of its system-wide network configuration for the particular interface. (Received over DHCP or manually set by a human operator)
I'm open to using a better term of course.

The idea is that "+" forms a whitelist and "-" forms a blacklist.
If either is present then all names must be matched against the list.
If both are present then the blacklist takes precedence. (I just thought of that)
If a match is found then depending on the type of list the corresponding action is taken: use this resolver or move on to the next (or fail if there is no next)

@bemasc
Copy link

bemasc commented Apr 11, 2019

Feel free to propose this to the mailing list. However, I don't recall any mention of a use case that would motivate this design. In particular, neither of the two use cases requires this kind of client-side server selection. These use cases are typically served by a single customized recursive resolver that has hardcoded answers (or blocks) for some queries. To motivate this design, you would need to explain why the traditional approach is insufficient or undesirable.

Personally, I don't see much value in splitting one server into multiple servers, and then transferring the logic of which server to use to the client.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bemasc @kontaxis