Our authoritative DNS nameservers now support DNS-over-TLS (DoT) with authentication via DANE TLSA and/or WebPKI. This allows DNS resolvers to make queries via securely encrypted connections. We're already seeing lots of DoT encrypted connections from multiple DNS providers.

Using DNS-over-TLS for authoritative DNS is bleeding edge and not widely supported yet. Cloudflare and most ISPs don't support this yet. The vast majority of the DNS-over-TLS connections are coming from Google Public DNS. There are only a small number of connections from elsewhere.

We're currently implementing this with an nginx TLS to TCP reverse proxy in front of PowerDNS.

https://github.com/GrapheneOS/infrastructure/commit/38bb002a019a0947c1b2c1bd0e7f5b602ae85f5c

https://github.com/GrapheneOS/ns1.grapheneos.org/commit/387f1027f8904fc148217a697fdad66d089c6cfc
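As an added illustration of the setup described above (not the configuration from the linked commits), here is an nginx stream block that terminates DoT on 853/tcp and forwards plaintext DNS over TCP to a PowerDNS authoritative server; the hostname, certificate paths and the local PowerDNS address are assumptions.

```nginx
# Added example, not GrapheneOS's actual configuration.
# nginx needs ngx_stream_ssl_module for "listen ... ssl" in a stream block.
stream {
    # PowerDNS authoritative server, assumed to listen on loopback TCP/53.
    # It sees connections from 127.0.0.1, not the resolver's address.
    upstream pdns_tcp {
        server 127.0.0.1:53;
    }

    server {
        # DNS-over-TLS uses port 853 (RFC 7858).
        listen 853 ssl;
        listen [::]:853 ssl;

        # WebPKI chain; paths are assumptions. For DANE, resolvers also
        # need a TLSA record published at _853._tcp.<nameserver>, e.g.
        #   _853._tcp.ns1.example.org. IN TLSA 3 1 1 <sha256-of-spki>
        ssl_certificate     /etc/letsencrypt/live/ns1.example.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ns1.example.org/privkey.pem;

        # RFC 7858 requires TLS 1.2 or later; let clients pick the cipher.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:dot:10m;

        # Resolvers keep DoT connections open and pipeline queries, so
        # allow idle connections to persist instead of closing after one query.
        proxy_connect_timeout 5s;
        proxy_timeout 300s;

        proxy_pass pdns_tcp;
    }
}
```

PowerDNS itself speaks only plaintext DNS here, so the TCP listener should stay bound to loopback and the firewall should expose 53/udp, 53/tcp and 853/tcp only.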

This is a very forward-looking improvement. Google is the only major provider using it and only for opportunistic encryption right now.
