BIND9 QNAME minimization

ISC develops and maintains BIND, one of the most widely-used open source software applications for running a DNS resolver. This project will add a significant new feature to BIND, QNAME minimization. QNAME minimization is an important component of an overall Internet privacy strategy.

DNS lookups happen in the background during almost every user interaction on the Internet. Standard DNS routinely leaks extra information to every DNS system in the path of those lookups. This was not a concern back when the DNS was first invented, but of course it is now. The information leaked is metadata, related to the Internet resource the end user is seeking: it could disclose the existence of an email conversation, pgp key lookup of a correspondant, or research on sensitive topics or people. Repressive governments have been storing and analyzing these "lookups" in order to surveil users. This project will eliminate unnecessary information leakage through BIND DNS systems.

The goal of this project is to bring a new level of DNS privacy to the large numbers of users whose service providers use BIND. This project is benefiting from the works of the open source Unbound and Knot DNS resolvers, who have added QNAME minimization. These other implementations have exposed some Internet breakage that can happen with QNAME minimization, so BIND has a configuration setting to permit a "fallback" to disable QNAME minimization when this is detected. The project plans to enable the "relaxed" mode, with the fallback by default, with a "strict" mode, which will not expose extra data even in cause of fault, as an option. Like the two other previous implementers, ISC have decided to enable QNAME minimization by default in BIND.

QNAME minimization has been committed to the BIND master branch in ISC"s public code repository. The project plans to issue a release incorporating this new feature, and further optimizations to make QNAME minimization more efficient and compatible with existing systems.