| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by jchw 2940 days ago

I'm not sure I understand.

I was under the impression that DNS-over-HTTPS was nothing more than just an alternative DNS protocol just like DNS-over-TLS, where you perform an HTTPS request in order to query for a DNS name, and that DNS-over-TLS was just plain old DNS wrapped in TLS.

You seem to be implying that DNS-over-HTTPS would enable sites themselves to deliver DNS records. I don't see how that is possible, because connecting to HTTPS with a hostname requires resolving a DNS record. Am I misunderstanding?

1 comments

bluejekyll 2940 days ago

You are correct for the initial request. I've seen many arguing for taking this to another level of actually sending DNS requests over the same HTTPS session being used with a site the browser is currently connected to.

link

jchw 2940 days ago

Is this standardized/drafted? I am curious how one might implement this.

link

bluejekyll 2940 days ago

See this thread with one of the authors of the RFC: https://news.ycombinator.com/item?id=16728600

link

patrickmcmanus 2940 days ago

Everybody is right in this thread :)

First, just to avoid confusion, the post linked to this HN article is just about the classic recursive resolver model. That's the scope of what is being experimented with actively.

Second, the notion of resolverless dns (where dns records are obtained from somewhere other than your recursive resolver) is indeed something DoH contemplates but does not yet allow. That's because issues around tracking, correctness, and attacks haven't been fully explored. So unsolicited DNS is interesting but its not something any browser would accept yet.

There are some other opinions on how HTTPS matches the needs of DNS here: https://bitsup.blogspot.com/2018/05/the-benefits-of-https-fo...

link

Lennie 2939 days ago

Also notice how the plan is to push not only DNS entries but also TLS certificates:

"Right now, people are really keen to get HTTP/2 “out the door,” so a few more advanced (and experimental) features have been left out, such as pushing TLS certificates and DNS entries to the client — both to improve performance. HTTP/3 might include these, if experiments go well."

https://www.mnot.net/blog/2014/01/30/http2_expectations

Some of those things could be used for bootstrapping SNI encryption as well:

https://www.ietf.org/mail-archive/web/tls/current/msg17474.h...

link