This talk will review the latest evolutions in encrypted DNS transports and the concept of 'Trusted Recursive Resolvers' (TRRs) from the operators' perspective.
Mozilla and Cloudflare have partnered to operate a DoH (DNS-over-HTTPS) service for Firefox. There are currently no discovery mechanisms for DoH services (or for Strict DNS-over-TLS), and as a result clients wanting to use them must either ship fixed lists of default resolvers or have users provide the configuration themselves. While Cloudflare will likely be the short-term default TRR for Firefox, it is not clear what the longer-term plans are for Firefox, for other browsers, or for new DoH use cases.
What does this mean for today's operators?
Will increasing amounts of traffic migrate from network-provided resolvers to 'well-known' DoH/DoT providers? Will a secure and reliable discovery mechanism be developed and deployed in the near future? Will ISPs and enterprises be motivated to deploy DoH/DoT themselves, both to retain visibility and control of their network traffic and to work around the problems hard-coded TRRs cause (such as breaking split-horizon DNS, since a public resolver cannot see internal zones)? How will trust models between clients and resolvers evolve with the introduction of authenticated, encrypted protocols? Will one protocol win out, or will operators more typically run multiple services (DNS-over-TLS/HTTPS/QUIC/foo)?
In this rapidly evolving landscape who knows what the situation will be by the time of OARC 28!
Talk Duration: 30 Minutes