Maintained by: NLnet Labs

Can DNSSEC resolvers pass through all mangling CPEs?

Stephane Bortzmeyer
Mon Jan 4 15:35:37 CET 2016


On Mon, Jan 04, 2016 at 01:50:21PM +0100,
 Rick van Rein via Unbound-users <unbound-users at unbound.net> wrote 
 a message of 9 lines which said:

> What I am wondering is if the approach of recursive resolution, not
> explicitly going through the CPE, suffices to avoid mangling.  The
> CPE *could* still force control over DNS traffic on account of
> target port 53, and I am wondering if this happens.

Yes. In China, for instance, it is quite common. Also, port 53 is
sometimes blocked. In these cases, the only solution is to reach the
upstream resolver through DNS-over-TLS (Unbound supports it) or your
VPN.
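Added example, not part of the original message or of Unbound's code: one way to check whether the path to port 53 mangles DNSSEC data, which is the behaviour the thread asks about. It sends a query with the DO bit set straight to a server over UDP and reports what is missing from the reply. The function names are hypothetical, and it assumes the queried name is in a signed zone and the server supports EDNS0.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """DNS query (name without trailing dot) with RD set and an OPT RR carrying DO."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    # OPT RR: root name, type 41, class = UDP size, TTL field with DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def rr_types(msg):  # types of all RRs in answer, authority and additional sections
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def mangling_signs(query, reply):  # what a DO=1 reply for a signed name is missing
    if reply is None:
        return ["no reply: port 53 blocked or dropped"]
    if len(reply) < 12 or reply[:2] != query[:2]:
        return ["reply does not match the query"]
    checks = {41: "EDNS0 OPT record stripped", 46: "no RRSIG although DO was set"}
    seen = set(rr_types(reply))
    return [text for rtype, text in checks.items() if rtype not in seen]

def probe(server, name, timeout=3.0):  # query server:53 directly over UDP
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply = s.recvfrom(4096)[0]
        except OSError:  # timeout or ICMP error
            reply = None
    return mangling_signs(query, reply)
```

An empty list from `probe()` only means the reply kept its OPT and RRSIG records; it does not prove that nothing on the path intercepted the query.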