Hi Andrew, At least the cookie aspect of this isn’t just a “best practice” of one implementer, but something indeed built into the protocol spec (https://tools.ietf.org/html/rfc8484 <https://tools.ietf.org/html/rfc8484>):
Determining whether or not a DoH implementation requires HTTP cookie [RFC6265 <https://tools.ietf.org/html/rfc6265>] support is particularly important because HTTP cookies are the primary state tracking mechanism in HTTP. HTTP cookies SHOULD NOT be accepted by DOH clients unless they are explicitly required by a use case. I think it is incorrect to characterize that DoH has a flawed design by basing itself on a protocol that allows cookies, or allows multiplexing. These are certainly tools provided by HTTP, but it is up to use them or not as appropriate. “Bad” implementations can put information in just about any protocol that could be used for tracking users. DoH has many benefits to the user for privacy and performance, and I consider it to be entirely in the spirit of RFC 8890. Thanks, Tommy > On Oct 9, 2020, at 1:04 AM, Andrew Campling <[email protected]> > wrote: > > This seems like a great example of best practice. I wonder though whether it > highlights a weakness in the protocol design if it is necessary to rely on > goodwill by developers in order to protect the privacy of end users? Perhaps > future developments would take a different path, guided by the policy > recently set out by the IAB in RFC8890. > > Andrew > > From: Eric Orth <[email protected]> > Sent: 08 October 2020 17:00 > To: Vinny Parla (vparla) <[email protected]> > Cc: Andrew Campling <[email protected]>; Tommy Pauly > <[email protected]>; James <[email protected]>; > [email protected] > Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision... > > For Chrome, we're currently taking some steps to ensure connection separation > between DoH requests and normal content requests. More specifically, we > currently disallow DoH requests from sharing a connection with any requests > that are not also blocked from sending or receiving cookies (as are the DoH > requests), and we're considering further completely blocking DoH requests > from sharing connections with non-DoH. Primary motivation is privacy. If > DNS is multiplexed up with cookie-containing (or otherwise user-identifying) > requests, makes it too easy for even an attempting-to-be-anonymous DNS > service to accidentally log requests correlated up with user identity. > > Plans may change in the future as we discover more usecases and if these > scenarios become more relevant with some of the ADD proposals around domains > designating preferred resolvers, but at least for now, I would anticipate > Chrome DNS requests always staying at least somewhat separated from Chrome > content requests. > > On Thu, Oct 8, 2020 at 11:13 AM Vinny Parla (vparla) > <[email protected] <mailto:[email protected]>> wrote: > Hi Andrew, > > I agree with your view and am not in favor of aggregating Content and DNS > together, although I can see arguments for doing this. > I am just wondering if Browser implementors have plans to do this in the > future as I need to deal with both OS DNS and Browser (app) DNS scenarios. > > From Tommy’s response I am hopeful the OS implementors won’t do this in the > future and will keep DNS an independent mechanism. > > -Vinny > > From: Andrew Campling <[email protected] > <mailto:[email protected]>> > Sent: Thursday, October 8, 2020 4:33 AM > To: Vinny Parla (vparla) <[email protected] <mailto:[email protected]>>; Tommy > Pauly <[email protected] > <mailto:[email protected]>>; James <[email protected] > <mailto:[email protected]>> > Cc: [email protected] <mailto:[email protected]> > Subject: RE: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision... > > Important though browsers are for some, DNS is an Internet protocol and needs > to work for a wide range of devices and clients. Mandating its absorption > into a multiplexed stream via HTTP/3 seems unnecessary, irrespective of the > potential performance gains and other possible benefits for web clients. > > Andrew > > From: Vinny Parla (vparla) <[email protected] <mailto:[email protected]>> > Sent: 07 October 2020 15:40 > To: Tommy Pauly <[email protected] > <mailto:[email protected]>>; James <[email protected] > <mailto:[email protected]>> > Cc: [email protected] <mailto:[email protected]> > Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision... > > Hi, > > What I am driving at in my original question is do we envision mixing Content > and DNS together in a multiplexed session or will DNS continue to be an > entirely independent channel (whether over HTTP/2 /3 Do53 DoQ DoH). > > -Vinny > > From: Tommy Pauly <[email protected] > <mailto:[email protected]>> > Sent: Wednesday, October 7, 2020 9:23 AM > To: James <[email protected] <mailto:[email protected]>> > Cc: Vinny Parla (vparla) <[email protected] <mailto:[email protected]>>; > [email protected] <mailto:[email protected]> > Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision... > > Can you cite this claim about DNS over HTTP/3? The per-query cost once an > HTTP/3 connection is established should be minimal. If you’re taking into > account all setup overhead for an HTTPS connection as a “per query” cost, > that’s not representative of how DoH is reasonably used (and would be a issue > with existing DoH). > > Thanks, > Tommy > > > On Oct 6, 2020, at 2:03 PM, James <[email protected] > <mailto:[email protected]>> wrote: > > My most recent observations of discussions around DNS over QUIC and HTTP/3 > was that some folks had attempted DNS over HTTP/3, however the overheads > (~14KiB for a query at worst-case) made it impractical and infeasible. With > regards to DNS over QUIC, the current dprive working group adopted draft [1] > is focusing on stub to recursive, but not necessarily as a multiplex with an > existing QUIC connection. > > - J > > 1: https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-00 > <https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-00> > > On Mon, 5 Oct 2020 at 17:31, Vinny Parla (vparla) > <[email protected] <mailto:[email protected]>> wrote: > Hi, > > It was suggested that I ask this question on the 3 lists: > > Now that QUIC & HTTP/3 is imminent… > > I would like to know what the opinion is of the community on the long term > view of DNS. > Would DNS remain an independent channel or would it be subsumed in a > multiplexed stream via HTTP/3 in some future version? > > For example, would a browser perform DNS queries over a QUIC multiplexed > session? > (e.g. similar to how today an http proxy can perform DNS queries on behalf > of the client using that proxy) > > Would love to hear from implementors what their long term view is of this in > particular. > > Thanks, > > -Vinny > > _______________________________________________ > dns-privacy mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/dns-privacy > <https://www.ietf.org/mailman/listinfo/dns-privacy> > _______________________________________________ > dns-privacy mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/dns-privacy > <https://www.ietf.org/mailman/listinfo/dns-privacy> > > _______________________________________________ > dns-privacy mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/dns-privacy > <https://www.ietf.org/mailman/listinfo/dns-privacy>_______________________________________________ > dns-privacy mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/dns-privacy > <https://www.ietf.org/mailman/listinfo/dns-privacy>
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
