nanog mailing list archives
Re: This DNS over HTTP thing
From: David Conrad <drc () virtualized org>
Date: Tue, 1 Oct 2019 21:15:24 -0700
Jay,

On Oct 1, 2019, at 12:18 PM, Jay R. Ashworth <jra () baylink com> wrote:

> This is thought to be about security? Didn't we already *fix* DNS SECurity?

No. DNSSEC solves a different problem (being able to verify what you get is what the domain owner published). DoH (and DoT) encrypt (and authenticate) the application <-> recursive resolver channel (NOT the DNS data), which I gather some view as an attack vector.

Mozilla has decided to _also_ redefine the default resolver (unless use-application-dns.net <http://use-application-dns.net/> NXDOMAINs), instead of the resolver (typically) assigned by the ISP, for browser queries.

That last bit is generating a bit of ‘discussion’ as it can bypass efforts by network operators to modify DNS responses for whatever reason (e.g., protecting customers from phishing sites, censoring domain names in response to court orders, monetizing typos, etc.).

Regards,
-drc
Attachment: signature.asc (Message signed with OpenPGP)
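The canary mechanism David describes (Firefox leaves DoH off when the network's resolver answers NXDOMAIN for use-application-dns.net) can be checked by looking at the RCODE of the response to that exact name. The following is an added example, not code from the message or from Mozilla; the DNS messages it parses are constructed inline, and it handles only an uncompressed question section.

```python
import struct

# Canary domain named in the message: an NXDOMAIN answer from the
# network's resolver tells Firefox to keep its DoH default off.
CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3   # RFC 1035 RCODE values

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode an uncompressed label sequence; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:   # compression pointer: not expected in a question section
            raise ValueError("compression pointer in question section")
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off

def build_response(qname: str, rcode: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal answer-less response carrying the given RCODE."""
    flags = 0x8180 | (rcode & 0xF)          # QR=1, RD=1, RA=1, RCODE in low 4 bits
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def canary_signals_doh_off(response: bytes) -> bool:
    """True only if this is a response about CANARY whose RCODE is NXDOMAIN."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, _ = decode_name(response, 12)
    if qname.lower() != CANARY:
        raise ValueError(f"response is for {qname}, not the canary")
    return (flags & 0xF) == RCODE_NXDOMAIN

if __name__ == "__main__":
    for rcode in (RCODE_NXDOMAIN, RCODE_NOERROR):
        print(rcode, canary_signals_doh_off(build_response(CANARY, rcode)))
```

Against a live network you would feed the function the raw UDP payload returned by the ISP-assigned resolver for the canary name; a NOERROR answer means the operator has not opted the network out of Firefox's DoH default.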