Hello,

On Mon, 4 Feb 2019 at 12:14, Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> Hi.
>
> I have just opened a new Issue about DoH for resolving.
>
> https://github.com/haproxy/haproxy/issues/33
>
> As I know that this is a major change in the infrastructure I would like to
> hear what you think about this suggestion.
>
> My opinion was at the beginning against this change, as there were only some
> big providers, but now that there are some tutorials and other providers for DoH I
> think it's a good idea.

Frankly I don't see a real use-case. DoH is interesting for clients
roaming around networks that don't have a local DNS resolver or with a
completely untrusted or compromised connectivity to their DNS server.
A haproxy instance on the other hand is usually something installed in
a stable datacenter, often with a local resolver, and it is resolving
names you configured with destination IPs that are visible to an
attacker anyway.

The DNS implementation is still lacking an important feature (TCP
mode), which Baptiste does not really have time to work on as far as I
can tell and would actually address a problem for certain huge
deployments. At the same time I'm not sure I can come up with a *real*
use-case for DoH in haproxy - and there is always the possibility to
install a local UDP to DoH resolver. Also a lot of setups nowadays are
either systemd or docker managed, both of which ship their own
resolver anyway (providing a local UDP/TCP service).

I'm not sure what the complexity of DoH is. I assume it's non-trivial
to do in a non-blocking way, without question more complicated than
TCP mode.


So I'm not a fan of pushing DoH into haproxy. Especially if the
use-case is unclear. But those are just my two cents.

Also CC'ing Baptiste.
cheers,
lukas