← Back to context

Comment by tptacek

20 hours ago

At that point you might as well use DoH. But you're also reasoning axiomatically about something we have a lot of documentary evidence for: the DNS operator community (or a big chunk of it) favors DoT and opposes DoH because they want to make it easier to block encrypted DNS; they frame this in terms of "control over their own networks".

6 comments

tptacek

Reply
AnthonyMouse  19 hours ago

> At that point you might as well use DoH.

What benefit is the additional complexity and overhead of HTTP buying you there?

> the DNS operator community (or a big chunk of it) favors DoT and opposes DoH because they want to make it easier to block encrypted DNS; they frame this in terms of "control over their own networks".

This is one of the main issues here: When then DNS operator is you, i.e. your local network at home or your corporate network within your own company, you should be able to control DNS on your own network, which you can't if a bunch of adversarial devices are bypassing your DNS servers.

When the DNS operator is your ISP, letting them block encrypted DNS is bad.

So what we need is some way to distinguish between these situations so that the local network administrator's preferences are heeded but Comcast can go pound sand. But browsers are too late in the stack for that because they have no way to tell if the system DNS server is the one the user wants or the one they got by default from their ISP and never knew to change.

  • tptacek  19 hours ago

    I don't think we need any way to distinguish these situations any more than we needed to preserve the non-ephemeral key exchanges in the jump from TLS 1.2 to TLS 1.3, which were opposed for the same reason. You can control which computers you allow on your network, and allow only computers which give you endpoint monitoring. The 2025 TCP/IP protocol stack should not be going out of its way to give network operators more visibility into what applications are doing.

    • AnthonyMouse  19 hours ago

      > You can control which computers you allow on your network, and allow only computers which give you endpoint monitoring.

      This would be a great argument if it was actually feasible, but then you have Chromecasts hard-coding Google's DoH servers to prevent ad blocking etc., and devices doing automatic firmware updates to change things like that after you've already bought them.

      Pass the law that says the customer has to be given root and the ability to install custom firmware on any device they buy before saying that is reasonable.

      3 replies →