docs: add warning about DoT properties

author Petr Špaček <petr.spacek@nic.cz>

Thu, 23 Apr 2020 09:37:44 +0000 (11:37 +0200)

committer Vladimír Čunát <vladimir.cunat@nic.cz>

Mon, 27 Apr 2020 13:59:35 +0000 (15:59 +0200)
author Petr Špaček <petr.spacek@nic.cz>
Thu, 23 Apr 2020 09:37:44 +0000 (11:37 +0200)
committer Vladimír Čunát <vladimir.cunat@nic.cz>
Mon, 27 Apr 2020 13:59:35 +0000 (15:59 +0200)
diff --git a/daemon/bindings/net_tlssrv.rst b/daemon/bindings/net_tlssrv.rst

index 46f6a1a6c72d24e9f1b7115e948aac8574795067..382ac0f64caf28b788e811e90d9dcb6904b25e19 100644 (file)
--- a/daemon/bindings/net_tlssrv.rst
+++ b/daemon/bindings/net_tlssrv.rst
@@ -4,6 +4,15 @@
  
  DNS-over-TLS server (DoT)
  -------------------------
+DoT encrypts DNS traffic with Transport Security Layer protocol and thus protects DNS traffic from certain types of attacks.
+
+.. warning::
+
+   It is important to understand **limits of encrypting only DNS traffic**.
+   Relevant security analysis can be found in article
+   *Simran Patil and Nikita Borisov. 2019. What can you learn from an IP?*
+   See `slides <https://irtf.org/anrw/2019/slides-anrw19-final44.pdf>`_
+   or `the article itself <https://dl.acm.org/authorize?N687437>`_.
  
  DNS-over-TLS server (:rfc:`7858`) is enabled by default on localhost.
  Information how to configure listening on specific IP addresses is in previous sections:
author	Petr Špaček <petr.spacek@nic.cz>
	Thu, 23 Apr 2020 09:37:44 +0000 (11:37 +0200)
committer	Vladimír Čunát <vladimir.cunat@nic.cz>
	Mon, 27 Apr 2020 13:59:35 +0000 (15:59 +0200)