Feature #8028

closed

Unbound: Add advanced option for qname-minimization

Added by Mathew Keith over 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: DNS Resolver
Target version:
Start date: 10/30/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

Add support for qname-minimization and maybe qname-minimisation-strict.

This can be implemented in two ways, depending on whether only qname-minimization or both qname-minimization and qname-minimization-strict are implemented.

1) Only qname-minimization:

Add a checkbox to the Advanced settings:
Label: qname Minimization
Description: Send minimum amount of information to upstream servers to
enhance privacy. Best effort.

If checked, add the following to unbound's config:
qname-minimisation: yes

2) Both qname-minimization and qname-minimization-strict.

Add a dropdown to the Advanced settings
Label: qname Minimization
Dropdown options:
Disabled
Enabled
Strict
Description: Send minimum amount of information to upstream servers to
enhance privacy. Only use Strict if you know what you are doing.

If enabled add the following to the unbound config:
qname-minimisation: yes

If Strict add the following to the unbound config:
qname-minimisation: yes
qname-minimisation-strict: yes

Actions #1

Updated by Mathew Keith over 6 years ago

RFC spec here:
https://tools.ietf.org/html/rfc7816

Should this be ignored if forwarding mode is enabled? I don't know if it will continue making incrementally more precise queries if forwarding.

Actions #2

Updated by JohnPoz _ over 6 years ago

I have been using the
qname-minimisation: yes

Option via adding it to the custom option box for a few days now and have not seen any adverse effects. I will also enable the strict and see if I run into any issues with it.

Actions #3

Updated by Jim Thompson over 6 years ago

  • Assignee set to Anonymous

Actions #4

Updated by JohnPoz _ over 6 years ago

Well, if going to add options for the -strict in the gui... Needs to have a BIG note on it that it WILL BREAK stuff... None of the Microsoft stuff is working that points to edgekey and akamai domains.

Example, this will not resolve with the -strict option in play.

;; ANSWER SECTION:
blogs.technet.microsoft.com. 3599 IN CNAME blogs.technet.microsoft.com.edgekey.net.
blogs.technet.microsoft.com.edgekey.net. 21600 IN CNAME e8798.b.akamaiedge.net.
e8798.b.akamaiedge.net. 3600 IN A 23.222.137.74

Seems like all of the ms records that do this sort of thing are broken...
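
An added illustration of the difference between the best-effort option in the description and the strict one that breaks the edgekey chain above (example code written for this page, not pfSense or Unbound code). It simulates the RFC 7816 query sequence against two constructed mock authoritative tables: one where every intermediate name exists, and one where the server answers NXDOMAIN for intermediate names that are empty non-terminals, the misbehaviour RFC 7816 section 3 warns about. That this is the actual cause for the Akamai names in the dig output is an assumption; the page only reports that they fail under strict.

```python
"""Simulated RFC 7816 QNAME minimisation: best-effort vs strict.

Added example (not code from the pfSense project or from Unbound). The
authoritative answers below are constructed mock data, not live DNS.
"""
from typing import Dict, List, Tuple

Query = Tuple[str, str]  # (qname, qtype)

# Constructed: a well-behaved tree where every intermediate name exists.
WELL_BEHAVED: Dict[str, str] = {
    "com.": "NOERROR",
    "microsoft.com.": "NOERROR",
    "technet.microsoft.com.": "NOERROR",
    "blogs.technet.microsoft.com.": "NOERROR",
}

# Constructed: a tree whose authoritative server answers NXDOMAIN for
# intermediate names that are really empty non-terminals (the server
# misbehaviour RFC 7816 section 3 describes). The full name itself exists.
BROKEN_ENT: Dict[str, str] = {
    "net.": "NOERROR",
    "edgekey.net.": "NOERROR",
    "com.edgekey.net.": "NXDOMAIN",
    "microsoft.com.edgekey.net.": "NXDOMAIN",
    "technet.microsoft.com.edgekey.net.": "NXDOMAIN",
    "blogs.technet.microsoft.com.edgekey.net.": "NOERROR",
}


def minimised_names(qname: str) -> List[str]:
    """Return the progressively longer names RFC 7816 sends, TLD first."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def lookup(auth: Dict[str, str], name: str) -> str:
    """Mock authoritative answer: names absent from the table are NXDOMAIN."""
    return auth.get(name, "NXDOMAIN")


def resolve(qname: str, qtype: str, auth: Dict[str, str],
            strict: bool) -> Tuple[str, List[Query]]:
    """Resolve qname with QNAME minimisation.

    Intermediate names are queried with QTYPE A (as Unbound does). In
    best-effort mode a non-NOERROR answer for an intermediate name makes the
    resolver fall back to sending the full QNAME/QTYPE; in strict mode there
    is no fallback and the lookup fails. (Unbound also skips the fallback on
    NXDOMAIN from a DNSSEC-signed zone; that refinement is not modelled.)
    Returns (final rcode, list of queries actually sent upstream).
    """
    sent: List[Query] = []
    names = minimised_names(qname)
    for partial in names[:-1]:
        sent.append((partial, "A"))
        rcode = lookup(auth, partial)
        if rcode == "NOERROR":
            continue
        if strict:
            return rcode, sent
        break  # best effort: stop minimising and send the full name
    sent.append((qname, qtype))
    return lookup(auth, qname), sent


if __name__ == "__main__":
    cases = ((WELL_BEHAVED, "blogs.technet.microsoft.com."),
             (BROKEN_ENT, "blogs.technet.microsoft.com.edgekey.net."))
    for auth, name in cases:
        for strict in (False, True):
            rcode, sent = resolve(name, "A", auth, strict)
            mode = "strict" if strict else "best-effort"
            print(f"{mode:11} {name} -> {rcode} after {len(sent)} queries")
            for q in sent:
                print("   sent", q)
```

Running it shows the well-behaved name resolving in both modes, while the edgekey name resolves only in best-effort mode, where the resolver gives up minimising after the NXDOMAIN for com.edgekey.net. and sends the full name; in strict mode the lookup stops at that NXDOMAIN, which is the behaviour the dig output above reports.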

Actions #5

Updated by Mathew Keith over 6 years ago

I don't think strict should be an option through the GUI now that I've played with it.

With respect to qname-minimisation and forwarding mode, I receive syntax errors when using both together. Perhaps this can be ignored when forwarding mode is enabled with a note indicating that it only applies when forwarding is disabled.

Actions #6

Updated by Jim Pingle almost 6 years ago

  • Project changed from pfSense Packages to pfSense
  • Category changed from Unbound to DNS Resolver
  • Assignee changed from Anonymous to Jim Pingle
  • Target version set to 2.4.4

Actions #7

Updated by Jim Pingle almost 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #8

Updated by Jim Pingle almost 6 years ago

  • Status changed from Feedback to Resolved

Works
