Stephane Bortzmeyer wrote on 2019-02-12 00:39:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
>   [email protected] <[email protected]> wrote
>   a message of 546 lines which said:
>
> > I am considering extending the DoH protocol to authoritative
> > servers.
>
> Why DoH and not DoT? ...

well, yes, but...

> DoH is useful because 1) port 853 may be blocked
> at the edge of the network

DoH is _dangerous_ because it's my network and i require all visitors, family members, employees, and apps to use the control plane i have constructed, which includes DNS surveillance and control. thanks to DoH, i will have to add a WAF, or require SOCKS, for all outbound TCP/443 to the cloudflare, google, and other so-called "public" dns services. i am nowhere near ready to allow cloudflare and apnic and the others to build their own private DNS relationship with my endpoints, bypassing parental controls, bypassing corporate security policy.

DoT should be preferred precisely because it _can_ be blocked by the network operator. if someone insists on not talking to my DNS servers, they can take their device elsewhere. this is especially vital for IoT, whose makers will never be profitable other than from data they collect.

> 2) applications running in a Web browser
> may need DNS data. ...
i expect those apps to make normal UDP/53, TCP/53, or TCP/853 requests from the designated DNS servers i operate as part of my control plane. any attempt to speak DoH from my networks will be treated as an attack.

--
P Vixie

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
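The control-plane policy described in the reply above (only the operator's designated resolvers may speak DNS or DoT outward, and TCP/443 to public DoH services is treated as a policy violation) can be audited from flow logs. The script below is an added example, not code from the thread or from any of the participants; the log format, the internal resolver addresses 10.0.0.53/10.0.0.54 and the sample flows are constructed, and the DoH address list is an illustrative operator-maintained list (Cloudflare's 1.1.1.1/1.0.0.1 and Google's 8.8.8.8/8.8.4.4 are real public resolver addresses, but which endpoints to include is the operator's choice).

```python
"""
Egress DNS policy audit over constructed flow-log lines.

Policy (from the thread): classic DNS (udp/tcp 53) and DoT (tcp 853) are
only allowed from clients to the operator's designated resolvers, and only
those resolvers may talk upstream. TCP/443 to a known public DoH address
is flagged as a DoH bypass attempt.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the operator's own resolvers, the only hosts allowed to reach
# outside DNS/DoT/DoH services.
DESIGNATED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Illustrative, operator-maintained list of public DoH resolver addresses.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

DNS_PORTS = {("udp", 53), ("tcp", 53)}
DOT_PORT = ("tcp", 853)
HTTPS_PORT = ("tcp", 443)


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return a violation label for the flow, or None if it is policy-compliant."""
    if flow.src in DESIGNATED_RESOLVERS:
        return None  # the control plane itself may talk upstream
    key = (flow.proto, flow.dport)
    if key in DNS_PORTS and flow.dst not in DESIGNATED_RESOLVERS:
        return "dns-bypass"  # plain DNS to a non-designated server
    if key == DOT_PORT and flow.dst not in DESIGNATED_RESOLVERS:
        return "dot-bypass"  # DoT to an outside resolver (blockable by port)
    if key == HTTPS_PORT and flow.dst in KNOWN_DOH_RESOLVERS:
        return "doh-bypass"  # HTTPS to a known public DoH endpoint
    return None


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, label) pairs for every flow that violates the policy."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        label = classify(parse_flow(line))
        if label is not None:
            findings.append((line, label))
    return findings


# Constructed sample flows: one compliant client lookup, three bypass
# attempts, ordinary HTTPS to a documentation-range address, and the
# designated resolver reaching upstream (allowed).
SAMPLE_LOG = [
    "10.1.2.3 10.0.0.53 udp 53",
    "10.1.2.3 8.8.8.8 udp 53",
    "10.1.2.3 9.9.9.9 tcp 853",
    "10.1.2.3 1.1.1.1 tcp 443",
    "10.1.2.3 198.51.100.10 tcp 443",
    "10.0.0.53 1.1.1.1 tcp 443",
]

if __name__ == "__main__":
    for line, label in audit(SAMPLE_LOG):
        print(f"{label:12s} {line}")
```

The DoH check is necessarily a list match on destination addresses, which is the point made in the thread: unlike DoT on port 853, DoH cannot be distinguished from other HTTPS by port alone, so an operator who wants to enforce this policy ends up maintaining an endpoint list or terminating TLS.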
