Can DNSSEC resolvers pass through all mangling CPEs?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 4 14:35:37 UTC 2016


On Mon, Jan 04, 2016 at 01:50:21PM +0100,
 Rick van Rein via Unbound-users <unbound-users at unbound.net> wrote 
 a message of 9 lines which said:

> What I am wondering is if the approach of recursive resolution, not
> explicitly going through the CPE, suffices to avoid mangling.  The
> CPE *could* still force control over DNS traffic on account of
> target port 53, and I am wondering if this happens.

Yes. In China, for instance, it is quite common. Also, port 53 is
sometimes blocked. In these cases, the only solution is to reach the
upstream resolver through DNS-over-TLS (Unbound supports it) or your
VPN.
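
Added example, not part of the original message and not taken from the Unbound project's documentation: an `unbound.conf` fragment that forwards all queries to an upstream resolver over DNS-over-TLS on port 853, so that a CPE intercepting or blocking port 53 does not see them. The upstream address `192.0.2.53`, the name `resolver.example` and both file paths are placeholders and assumptions; older Unbound releases spell the upstream option `ssl-upstream` in the `server:` section.

```conf
server:
    # Keep validating DNSSEC locally; the TLS channel protects transport only.
    # (Assumed path; use the trust anchor location of your installation.)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to verify the upstream's TLS certificate.
    # (Assumed path; distribution-specific.)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    # Send every query to the upstream instead of recursing over port 53.
    name: "."
    forward-tls-upstream: yes
    # Placeholder upstream: address@port#name-expected-in-certificate.
    # Without the "#name" part the certificate name is not checked.
    forward-addr: 192.0.2.53@853#resolver.example
```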


