1. 15

Here is a little something I put together this weekend. I did this mostly to understand what this upcoming DOH experiment is about. I was pretty surprised how easy it was to get this going and also how many interesting opportunities DOH actually opens up in terms of blacklisting and privacy.

  1.  

  2. 4

    It only supports GET requests and it is hardcoded to forward incoming DNS requests to 127.0.0.1:53. This means you need to have a DNS server running on the machine where you run this service.

    Hey, for a moment I thought this made no sense. But of course this is to be run on a server, not all on localhost 🤦‍

    Neat side project!

    1. 3

      I fixed that! Current version does POST too now.
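A minimal relay with the shape described in this thread (GET with the base64url `dns=` parameter, POST with an `application/dns-message` body, everything forwarded to a resolver on 127.0.0.1:53), written here as an added example and not the side project's own code. The listening port 8053, the helper names, and the assumption that a TLS terminator sits in front of the plain-HTTP listener are mine.

```python
import base64, socket, struct
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

UPSTREAM = ("127.0.0.1", 53)        # local resolver, as the thread describes
DNS_CT = "application/dns-message"  # RFC 8484 media type for both GET and POST

def build_query(name, qtype=1):
    # Wire-format query, RD set; ID 0 as RFC 8484 recommends so HTTP caches can match
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
def encode_get_param(msg):  # GET form: ?dns=<base64url, '=' padding stripped>
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
def decode_get_query(path):
    # Recover the wire message from /dns-query?dns=...; None if absent or malformed
    b64 = parse_qs(urlparse(path).query).get("dns", [""])[0]
    try:
        return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)) or None  # re-pad
    except ValueError:
        return None
def forward_udp(msg, upstream=UPSTREAM, timeout=2.0):  # relay to the local resolver over UDP
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, upstream)
        return sock.recv(4096)

class DohHandler(BaseHTTPRequestHandler):
    def _respond(self, query):
        if query is None or len(query) < 12:  # 12 bytes is the minimum DNS header
            return self.send_error(400, "missing or malformed DNS message")
        try:
            answer = forward_udp(query)
        except OSError:  # covers socket.timeout
            return self.send_error(502, "upstream resolver did not answer")
        self.send_response(200)
        self.send_header("Content-Type", DNS_CT)
        self.send_header("Content-Length", str(len(answer)))
        self.end_headers()
        self.wfile.write(answer)
    def do_GET(self):
        self._respond(decode_get_query(self.path))
    def do_POST(self):
        if self.headers.get("Content-Type") != DNS_CT:
            return self.send_error(415, "expected " + DNS_CT)
        self._respond(self.rfile.read(int(self.headers.get("Content-Length", 0))))

if __name__ == "__main__":  # plain HTTP on 8053; terminate TLS in front of it
    HTTPServer(("127.0.0.1", 8053), DohHandler).serve_forever()
```

Because the HTTP layer carries the query verbatim, the resolver behind it sees exactly the same wire message it would on port 53, which is what lets blacklisting or logging be done at the relay with no change to the resolver.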

    2. 3

      I … still don’t understand the point of DNS over HTTPS. Is it an attempt to add TLS to DNS?

      1. 4

        The DOH draft says

        > The Internet does not always provide end to end reachability for native DNS. On-path network devices may spoof DNS responses, block DNS requests, or just redirect DNS queries to different DNS servers that give less-than-honest answers. These are also sometimes delivered with poor performance or reduced feature sets.

        I’m not sure https is the right answer here, but Firefox developers clearly think it might be, so I guess it’s definitely worth exploring.

        1. 1

          I think Google pushed it first? And while it sounded counterintuitive to me too, I think one of the main advantages of DOH is that HTTPS is a quite well understood protocol, which all existing middleboxes are able to handle and so on. And of course it’s already there: anything new would have needed either a whole standardization process or - regrettably more realistically nowadays - a one-sided push by one of the major vendors, like Google did with QUIC.

          1. 2

            > I think Google pushed it first?

            I don’t know. Honestly I’ve heard about this only due to recent Firefox testing.

            > HTTPS is a quite well understood protocol

            I’d hope that by now DNS is also well understood :)

            HTTPS also provides many places where configuration can go wrong.

            1. 2

              > I’d hope that by now DNS is also well understood :)

              DNS: yes. A new encrypted variant of DNS: Depends on the way encryption is implemented.

      2. 2

        I hope that in addition to encrypting DNS traffic, there will be HTTPS connections without an SNI field - but some cryptographic non-fingerprintable handshake which is also expensive to brute-force.

        1. 2

          That was originally planned for TLSv1.3, but dropped later on.

          So for now even if you use DNS over HTTPS, your ISP will see what sites you visit anyway, and for verification DNSSEC exists already.

          At least until encrypted SNI becomes available, DNS over HTTPS has no advantage over classical DNS yet.