Comment by zinekeller
14 hours ago
> A normal middlebox can't even tell the difference between DoH and DoT because they both just look like TLS.
You forgot the "let's intercept in a public place (e.g. public Wi-Fi hotspots)" one, where blocking port 853 is super trivial while blocking port 443... is impossible. Sure, Google DNS will be blocked easily, but there are a lot of DoH providers!
There is no law against running DoT over port 443.
At that point you might as well use DoH. But you're also reasoning axiomatically about something we have a lot of documentary evidence for: the DNS operator community (or a big chunk of it) favors DoT and opposes DoH because they want to make it easier to block encrypted DNS; they frame this in terms of "control over their own networks".
> At that point you might as well use DoH.
What benefit is the additional complexity and overhead of HTTP buying you there?
> the DNS operator community (or a big chunk of it) favors DoT and opposes DoH because they want to make it easier to block encrypted DNS; they frame this in terms of "control over their own networks".
This is one of the main issues here: when the DNS operator is you, i.e. your local network at home or your corporate network within your own company, you should be able to control DNS on your own network, which you can't if a bunch of adversarial devices are bypassing your DNS servers.
When the DNS operator is your ISP, letting them block encrypted DNS is bad.
So what we need is some way to distinguish between these situations so that the local network administrator's preferences are heeded but Comcast can go pound sand. But browsers are too late in the stack for that because they have no way to tell if the system DNS server is the one the user wants or the one they got by default from their ISP and never knew to change.
There are only like 3 major ones. You can block those IPs too.
There's a ton of minor ones, it's easy to spin up your own, and the hope is that eventually, with ECH, it won't be possible to block them without blocking basically the entire Internet like North Korea does.
By the time you're spinning up your own there isn't any issue. The controversy is that they're switching everyone to Cloudflare by default.