From: Petr Špaček Date: Thu, 23 Apr 2020 09:37:44 +0000 (+0200) Subject: docs: add warning about DoT properties X-Git-Tag: v5.1.0~4^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=edf42e89f597ec6223ca874112f7f2730998362b;p=thirdparty%2Fknot-resolver.git docs: add warning about DoT properties --- diff --git a/daemon/bindings/net_tlssrv.rst b/daemon/bindings/net_tlssrv.rst index 46f6a1a6c..382ac0f64 100644 --- a/daemon/bindings/net_tlssrv.rst +++ b/daemon/bindings/net_tlssrv.rst @@ -4,6 +4,15 @@ DNS-over-TLS server (DoT) ------------------------- +DoT encrypts DNS traffic with Transport Security Layer protocol and thus protects DNS traffic from certain types of attacks. + +.. warning:: + + It is important to understand **limits of encrypting only DNS traffic**. + Relevant security analysis can be found in article + *Simran Patil and Nikita Borisov. 2019. What can you learn from an IP?* + See `slides `_ + or `the article itself `_. DNS-over-TLS server (:rfc:`7858`) is enabled by default on localhost. Information how to configure listening on specific IP addresses is in previous sections:
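Review bot: The first added line names the protocol as "Transport Security Layer"; the name is Transport Layer Security (TLS), so it should read "DoT encrypts DNS traffic with the Transport Layer Security (TLS) protocol". In the same sentence, "certain types of attacks" does not say what DoT protects against, and the warning block only defers to the paper for what it does not protect against. Consider adding one sentence to the warning that states the limit directly (judging by the cited title, that the IP addresses a client contacts after resolution remain visible to a network observer), so the reader gets the point without following a link. As the patch is rendered here, the `slides `_ and `the article itself `_ references show no target URL; please confirm both links resolve in the built documentation.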