DoH plugin for BIND
Michael De Roover
isc at nixmagic.com
Sat May 2 07:00:41 UTC 2020
That's actually my biggest concern with DoH, ISP blocking. It doesn't
seem as obvious as it is with DoT, but deep packet inspection (DPI) is
already a thing. Don't expect an ISP that wants to block DoT to not
(want to) block DoH either. The crux of the problem at that point is not
the technology, it is the ISP's incentives. If the ISP wants to block
DoT for whatever reason, personally I'd consider it.. not exactly fine
but at least their right to do so. That's their decision to make. The
problem is that if they want to block DoH too, they'd more or less have
to break HTTPS altogether. And at that point, I'd expect them already
more than willing to do so.
As far as content blocking goes, currently DNS is used for that too. In
my country that is mainly Torrent sites, which are illegal. In
workplaces it'd be for websites employees aren't allowed to visit at
work. Most users use their ISP's / workplace's DNS servers and thus a
simple DNS block ended up being fine. If that wasn't the case, more
invasive methods would've been necessary. DNS blocking is easy to bypass
but not many people do it. Personally I'd much rather keep technology
away from policy. Encrypting DNS is important and both methods are fine
for their own reasons, but policy is something that ISP's and workplaces
will enforce regardless. Making this harder with technology could very
well have adverse effects in the long run.
On 5/1/20 11:51 PM, @lbutlr wrote:
> On 29 Apr 2020, at 14:19, Tony Finch <dot at dotat.at> wrote:
>> DoT is easier since you only need a raw TLS reverse proxy, and there are
>> lots of those, for example, nginx:
> DOH is better because it cannot be blocked without blocking all https traffic.
> (FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).
> All that its need to subvert DoT is to block port 853.
> If DoT takes off, I expect all US ISPs to block port 853 universally. There’s nothing they can do about DoH.
Met vriendelijke groet / Best regards,
Michael De Roover
More information about the bind-users