DoH plugin for BIND

Michael De Roover isc at nixmagic.com
Sat May 2 07:00:41 UTC 2020


That's actually my biggest concern with DoH, ISP blocking. It doesn't 
seem as obvious as it is with DoT, but deep packet inspection (DPI) is 
already a thing. Don't expect an ISP that wants to block DoT to not 
(want to) block DoH either. The crux of the problem at that point is not 
the technology, it is the ISP's incentives. If the ISP wants to block 
DoT for whatever reason, personally I'd consider it... not exactly fine, 
but at least their right to do so. That's their decision to make. The 
problem is that if they want to block DoH too, they'd more or less have 
to break HTTPS altogether. And at that point, I'd expect them to already 
be more than willing to do so.

As far as content blocking goes, currently DNS is used for that too. In 
my country that is mainly torrent sites, which are illegal. In 
workplaces it'd be for websites employees aren't allowed to visit at 
work. Most users use their ISP's / workplace's DNS servers, and thus a 
simple DNS block ended up being fine. If that weren't the case, more 
invasive methods would've been necessary. DNS blocking is easy to bypass, 
but not many people do it. Personally I'd much rather keep technology 
away from policy. Encrypting DNS is important and both methods are fine 
for their own reasons, but policy is something that ISPs and workplaces 
will enforce regardless. Making this harder with technology could very 
well have adverse effects in the long run.

On 5/1/20 11:51 PM, @lbutlr wrote:
> On 29 Apr 2020, at 14:19, Tony Finch <dot at dotat.at> wrote:
>> DoT is easier since you only need a raw TLS reverse proxy, and there are
>> lots of those, for example, nginx:
> DOH is better because it cannot be blocked without blocking all https traffic.
>
> (FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).
>
> All that is needed to subvert DoT is to block port 853.
>
> If DoT takes off, I expect all US ISPs to block port 853 universally. There’s nothing they can do about DoH.
>
> Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies is “discouraged” but not prevented, most obviously.
>
-- 
Met vriendelijke groet / Best regards,
Michael De Roover