On 1/7/2020 12:08 PM, Rob Sayre wrote:
>
> The document contains the text:
>
>   "DoT, for example, would normally contain no client identifiers above
>    the TLS layer and a resolver would see only a stream of DNS query
>    payloads originating within one or more connections from a client IP
>    address.  Whereas if DoH clients commonly include several headers in
>    a DNS message"
>
> Doesn't this just mean "if the DoT client is a good implementation,
> and the DoH client is not..." ?
I am not sure that this is just about client identifiers, but there is
indeed a difference in complexity between DoH and DoT. Yes you could
minimize it by using an absolutely minimal implementation of HTTP for
DoH, but the very idea of DoH is to reuse existing HTTP infrastructure
for DNS. In practice that means a much larger attack surface.

-- Christian Huitema

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
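The difference the thread is arguing about (what a resolver sees above the TLS layer in DoT versus DoH) can be made concrete on the wire. The following is an added illustration, not code from the thread or from any DoT/DoH implementation: it hand-builds a DNS query in RFC 1035 wire format, frames it as DoT (RFC 7858: a 2-byte length prefix and nothing else) and as a DoH POST/GET (RFC 8484), and then lists which HTTP headers of a given DoH request fall into a constructed, non-exhaustive set of header names that commonly carry per-client state. The header set, the sample hostname and the browser-like header values are assumptions chosen for the example.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 query: header, one QNAME, QTYPE, QCLASS=IN.
    Flags 0x0100 = standard query with RD set; no EDNS, no padding."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def dot_frame(query: bytes) -> bytes:
    """RFC 7858 framing inside the TLS stream: 2-byte big-endian length + message.
    This is everything a DoT resolver sees above TLS for one query."""
    return struct.pack("!H", len(query)) + query

def doh_post(query: bytes, host: str, extra_headers: dict[str, str]) -> bytes:
    """RFC 8484 POST: the DNS message is the body, and an HTTP/1.1 request head
    (rendered here for readability; real DoH uses HTTP/2 binary framing) rides above TLS."""
    lines = [
        "POST /dns-query HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/dns-message",
        "Accept: application/dns-message",
        f"Content-Length: {len(query)}",
    ]
    lines += [f"{k}: {v}" for k, v in extra_headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + query

def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: base64url of the message, padding stripped, in dns=."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

# Constructed, non-exhaustive set of header names that carry or can carry
# per-client state a resolver could use to link queries (assumption of this example).
IDENTIFYING_HEADERS = {
    "user-agent", "cookie", "accept-language", "authorization",
    "x-forwarded-for", "referer", "dnt",
}

def identifying_headers(request: bytes) -> list[str]:
    """Return the sorted header names in a DoH request that appear in IDENTIFYING_HEADERS."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    names = [line.split(":", 1)[0].strip().lower() for line in head.split("\r\n")[1:]]
    return sorted(n for n in names if n in IDENTIFYING_HEADERS)

def overhead_above_tls(framed: bytes, query: bytes) -> int:
    """Bytes a resolver receives above TLS that are not the DNS message itself."""
    return len(framed) - len(query)

if __name__ == "__main__":
    q = build_dns_query("example.com")  # constructed sample query
    minimal = doh_post(q, "doh.example", {})  # hostname is a placeholder
    # Constructed browser-like header values; not captured from any real client.
    browserish = doh_post(q, "doh.example", {
        "User-Agent": "ExampleBrowser/1.0",
        "Accept-Language": "en-US,en;q=0.9",
        "Cookie": "session=placeholder",
    })
    print("DoT bytes above TLS besides the query:", overhead_above_tls(dot_frame(q), q))
    print("Minimal DoH POST overhead:", overhead_above_tls(minimal, q))
    print("Browser-like DoH POST overhead:", overhead_above_tls(browserish, q))
    print("Identifying headers (minimal):", identifying_headers(minimal))
    print("Identifying headers (browser-like):", identifying_headers(browserish))
    print("GET form:", doh_get_path(q))
```

The point the example makes is the one in the reply: DoT's framing adds exactly two bytes and no fields, while even a minimal DoH request adds an HTTP head, and the moment a general-purpose HTTP stack fills in its usual headers, the `identifying_headers` list stops being empty. A resolver operator or client auditor can run the same check against captured request heads to see which headers their DoH deployment actually sends.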
