  2. 2

    I think that’s a reasonable rationale and I wonder if DoH is going to end up being OS supported at some point.

    1. 4

      Absolutely not! Why the hell would you want to centralise something that was decentralised since before Al Gore invented the internet?

      1. 5

        What? How would providing a DoH at an OS level centralize anything more than providing dns over tcp?

        Edit: It occurs to me that perhaps you thought I meant DNS over HTTPS (DoH) as is implemented by Firefox, i.e. with Cloudflare being the de facto resolver. What I meant was that I wonder if DoH might come to be provided as an alternative to or superset of normal OS DNS support with some sort of resolver discovery.

        1. 2

          Maybe cnst is talking about CAs.

          1. 1

            DoH/DoT don’t inherently require CAs. The OS could offer an interface like “set IP address and expected certificate in resolv.conf”, for example. (but, IMO, concerns about CAs are silly. Everything in userspace WILL use CAs, why would an OS take a hard stance against CAs?)

      2. 2

        I’m still not convinced that we need DoH in the OS. What does DoH give us that DoT doesn’t?

        1. -1

          What does DoH give us that DoT doesn’t?

          Transport encryption.

          1. 3

            What does the T in dot stand for?

            1. 1

              TCP

              1. 6

                No, it’s TLS.

                1. 1

                  Is it? My bad.

                    1. 2

                      Conventional DNS is a UDP protocol ;)

                      1. 5

                        Primarily UDP, but TCP if the response is too large and EDNS is not supported; also for zone transfers.
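The UDP/TCP split described in the comments above is decided by the TC (truncation) bit in the DNS header and by the UDP payload size a client advertises in an EDNS0 OPT record. The following is an added example, not code from the thread: it builds a query with an optional EDNS0 OPT record, parses the 12-byte header of a response, and decides whether a truncated UDP answer must be retried over TCP (which prefixes each message with a 2-byte length). The sample responses are constructed byte strings; the transaction id and the 4096-byte EDNS size are arbitrary assumptions.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR_BIT = 0x8000  # response
TC_BIT = 0x0200  # truncated: the full answer did not fit in the UDP reply
RD_BIT = 0x0100  # recursion desired
RA_BIT = 0x0080  # recursion available

OPT_TYPE = 41    # EDNS0 pseudo-record type (RFC 6891)


def encode_name(qname):
    """Encode a dotted hostname as DNS labels: length byte + label, terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns_udp_size=None):
    """Build a minimal recursive query (qtype 1 = A).

    If edns_udp_size is given, an OPT record is appended to the additional
    section; its CLASS field carries the UDP payload size the client accepts,
    so a server can send answers larger than the classic 512-byte limit
    without setting TC.
    """
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=udp payload size, TTL=0 (ext rcode/version/flags), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response):
    """RFC 1035 section 4.2.1: a truncated UDP answer must be retried over TCP."""
    return parse_header(udp_response)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


# Constructed sample responses (header only; flags as a resolver would set them)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR_BIT | RD_BIT | RA_BIT | TC_BIT, 1, 0, 0, 0)
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR_BIT | RD_BIT | RA_BIT, 1, 3, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com", edns_udp_size=4096)
    print("query with EDNS0 OPT:", q.hex())
    for name, resp in (("truncated", TRUNCATED_RESPONSE), ("complete", COMPLETE_RESPONSE)):
        print(name, "-> retry over TCP" if needs_tcp_retry(resp) else "-> UDP answer usable")
```

A resolver client that ignores TC silently returns a partial answer; the check above is the one a stub resolver performs before falling back to TCP, and the OPT record is what lets modern resolvers avoid that fallback in the first place.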

        2. 2

          We used to have just DNS filtering censorship, so I thought I could bypass it with DoH and stuff; then there’s SNI checks and I was doomed. Meh.
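The comment above illustrates why encrypting DNS alone is not enough: the hostname is sent again in cleartext in the TLS ClientHello, in the server_name extension, where any middlebox on the path can read it. As an added example (not code from the thread), the following builds a constructed ClientHello and parses it the way a passive monitor would, walking the record, handshake, and extension framing to pull out the SNI. The cipher suites, the zeroed random, and the hostname are constructed sample values.

```python
import struct

TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0          # server_name extension (RFC 6066)
SNI_HOST_NAME = 0            # NameType host_name


def _vec(data, size_len):
    """Length-prefixed vector as used throughout TLS encoding."""
    return len(data).to_bytes(size_len, "big") + data


def build_client_hello(hostname):
    """Constructed TLS 1.2-style ClientHello carrying a server_name extension."""
    sni_entry = bytes([SNI_HOST_NAME]) + _vec(hostname.encode("idna"), 2)
    sni_ext = struct.pack("!H", EXT_SERVER_NAME) + _vec(_vec(sni_entry, 2), 2)
    body = b"\x03\x03" + bytes(32)                      # legacy_version, random (zeros; constructed)
    body += _vec(b"", 1)                                 # session_id: empty
    body += _vec(b"\x13\x01\xc0\x2f", 2)                 # cipher_suites (sample values)
    body += _vec(b"\x00", 1)                             # compression_methods: null only
    body += _vec(sni_ext, 2)                             # extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + _vec(body, 3)
    return bytes([TLS_RECORD_HANDSHAKE, 0x03, 0x01]) + _vec(handshake, 2)


def extract_sni(record):
    """Return the cleartext server_name from a ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != TLS_RECORD_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                         # skip version and random
        pos += 1 + body[pos]                                 # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                                    # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos + 2 > len(body):
            return None                                      # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            p = 2                                            # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == SNI_HOST_NAME:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("ClientHello bytes:", hello.hex())
    print("SNI visible on the wire:", extract_sni(hello))
```

The same parser is what network defenders use to log which hostnames a host contacts over TLS without decrypting anything; it is also exactly why the DNS-only evasion in the comment failed, and what Encrypted SNI (and its successor, Encrypted Client Hello) set out to hide.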

          1. 2

            There’s encrypted SNI coming out of the IETF, hopefully soon.

            1. 1

              I haven’t tested it myself (because I’m too lazy to research what to do), but it seems like ESNI is outright blocked for now, I guess until Chrome pushes ESNI into the suite?

              1. 1

                seems like ESNI is outright blocked

                Yeah, I saw this thread. Though people downthread are a lot less sure about this after all. To quote: “maybe misinterpretation… maybe network weather changed”.