by tlrobinson 2629 days ago
How far off are we from DoH being supported by common operating systems, DHCP, etc?

It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.

3 comments

Honestly, all these apps shouldn't even bother detecting for DoH or not. If people want to use DoH they can set up their own local resolver and configure their network for it (and for folks on Windows, that could even be packaged third-party).

The reason browsers are interested in including DoH is to protect users who don't even know this is a problem, and definitely aren't going to set up their own resolver.

What's the point of using DoH over the local network? We can generally assume the local network is "secure".

If I want to use DoH when sending DNS queries to the outside world, I can set up my own forwarder to forward DNS queries via DoH.

That's not always a safe assumption, e.g. public WiFi.

> How far off are we from DoH being supported by common operating systems, DHCP, etc?

To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.

> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.

Yeah. Good luck diagnosing that when something stops working as expected.

> To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.

Huh? Of course people do this, it's a standard way to do DNS that improves over older DNS wire protocols by offering better security properties. It's unfortunate that we had to involve HTTP in this, but needs must.

For example you can drop in an NSS replacement that uses DoH instead of conventional DNS for all your glibc software, or you can get software from a variety of sources that runs on UDP port 53 of your local machine like a normal DNS relay but uses DoH to someone trustworthy to deliver.
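
The translation step of the local relay described in the last comment, as an added example (not part of the thread and not code from any of the tools it mentions): a query received on UDP port 53 is re-encoded as an RFC 8484 GET request, and the client's transaction ID is restored on the reply. `DOH_URL` is a placeholder, the function names are hypothetical, and the HTTPS request itself is left out so the block runs offline.

```python
import base64
import struct

# Placeholder resolver URL (assumption; the thread names no resolver).
DOH_URL = "https://doh.example/dns-query"

def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample: the UDP query a stub resolver would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def udp_to_doh_get(packet):
    """Map a UDP DNS query to (client_txid, RFC 8484 GET URL)."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response, not a query")
    # RFC 8484 recommends ID 0 so identical queries share an HTTP cache key.
    wire = b"\x00\x00" + packet[2:]
    # base64url without padding, as the GET form requires.
    dns_param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return txid, f"{DOH_URL}?dns={dns_param}"

def doh_to_udp(body, client_txid):
    """Put the client's transaction ID back on the DoH response body."""
    if len(body) < 12:
        raise ValueError("shorter than a DNS header")
    return struct.pack("!H", client_txid) + body[2:]

if __name__ == "__main__":
    txid, url = udp_to_doh_get(build_query("www.example.com"))
    print(hex(txid), url)
```

The relay would send the URL with `Accept: application/dns-message` and pass the response body through `doh_to_udp` before answering the client.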