Comment by josephcsible
1 day ago
> also actually gets to the actual problem with DoH, which is that the HTTP part has no business being there and increases complexity, which I as a former DNS resolver implementor wholeheartedly agree with!
But that part is wrong too. The HTTP part has a very important reason to be there: because if it weren't, middleboxes would block the traffic.
That's just the 443 port – the middlebox can't see anything else anyway. Were that an actual concern, we could standardize running DoT on 443 instead of the status quo 853, and negotiating the protocol via ALPN. The "dot" ALPN is already standardized and implemented in actual production DNS software, so the port number is realistically the only obstacle.
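The ALPN negotiation mentioned above happens in the TLS ClientHello, which is sent in cleartext (absent Encrypted Client Hello), so a middlebox or a passive sensor on port 443 can read the advertised protocol names before any application data flows. The following is an added example, not code from either commenter: it constructs a minimal ClientHello carrying an ALPN extension and then parses the ALPN list back out the way a detection rule would, labelling a "dot" advertisement as DNS-over-TLS and "h2"/"http/1.1"/"h3" as ordinary HTTPS (under which DoH is indistinguishable). The record layout is the standard TLS one; the cipher suite, random bytes and extra extension are constructed sample values.

```python
import struct

ALPN_EXT_TYPE = 0x0010  # RFC 7301 application_layer_protocol_negotiation

def build_client_hello(alpn_protocols):
    """Construct a minimal TLS ClientHello record (constructed test input, not a real capture)."""
    alpn_list = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
    alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
    alpn_ext = struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_data)) + alpn_data
    # An unrelated empty extension (extended_master_secret) so the parser has to skip something.
    other_ext = struct.pack("!HH", 0x0017, 0)
    extensions = other_ext + alpn_ext
    body = (
        b"\x03\x03"            # legacy client_version
        + b"\x00" * 32         # random (fixed zeros for determinism; sample value)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256 (sample)
        + b"\x01\x00"          # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # type=handshake

def extract_alpn(record):
    """Return the ALPN names advertised in a ClientHello record; [] if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return []
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return []
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32  # skip client_version and random
    if len(body) < pos + 1:
        return []
    sid_len = body[pos]
    pos += 1 + sid_len
    if len(body) < pos + 2:
        return []
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    if len(body) < pos + 1:
        return []
    comp_len = body[pos]
    pos += 1 + comp_len
    if len(body) < pos + 2:
        return []  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != ALPN_EXT_TYPE or len(edata) < 2:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        names, q = [], 2
        while q < 2 + list_len and q < len(edata):
            n = edata[q]
            q += 1
            names.append(edata[q:q + n].decode("ascii", "replace"))
            q += n
        return names
    return []

def classify(record):
    """Label a ClientHello by what its cleartext ALPN reveals about the application protocol."""
    alpn = extract_alpn(record)
    if "dot" in alpn:
        return "dns-over-tls"
    if any(p in ("h2", "http/1.1", "h3") for p in alpn):
        return "https"
    return "unknown"

if __name__ == "__main__":
    for protos in (["dot"], ["h2", "http/1.1"], []):
        rec = build_client_hello(protos)
        print(protos, "->", extract_alpn(rec), classify(rec))
```

The practical consequence for the port-443 argument is that moving DoT to 443 hides the port but not the ALPN token: a filtering middlebox that can parse ClientHellos can still single out "dot" unless the client omits ALPN or uses ECH, whereas DoH rides on the same "h2" token as every other HTTPS connection.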