by throw0101a 2536 days ago
> So... for circumventing censorship, then?

I don't know about ISPs, but as someone in IT, DoH could be a mess. If Firefox ignores resolv.conf, how is split-horizon going to work? Wait until malware starts using it and it can't be blocked with blacklisting, e.g., entire CDN IP ranges.

Paul Vixie has strong views on DoH:

* https://twitter.com/paulvixie

I'd be okay if they at least used DNS-over-TLS (DoT): privacy and it can at least be handled by firewalls for us corporate types.


People should cut it out with the split horizon DNS. Like NAT, this was always a nasty hack; of course things will break if you do it.

If you need malware to be nice and use your configured security systems or else it'll cause problems, I have bad news for you: the malware authors aren't on your side.

Everything DoH, eSNI, TLS 1.3 and QUIC and a dozen other protocols are doing was already trivial for malware to do if it wanted. If your defences begin by assuming bad guys are only doing things that obey all your rules you've fundamentally misunderstood what "bad guys" even are.

> People should cut it out with the split horizon DNS.

We have a bunch of internal-only 10.x hosts and services. Why would we put them in our external DNS?

> If you need malware to be nice and use your configured security systems or else it'll cause problems I have bad news for you: the malware authors aren't on your side.

I don't. But if I see DNS traffic flowing from systems that are not our internal DNS servers, I know to look at them.

It's the same reason SMTP traffic was bottlenecked: everything goes through relays so it can be monitored.

> If your defences begin by assuming bad guys are only doing things that obey all your rules you've fundamentally misunderstood what "bad guys" even are.

Defences begin with observation. With DoH you can't tell what's going on with regards to queries. I'd much rather have DoT: still gives privacy, but since it has its own port, then it can be dealt with more easily. Of course having an IANA-assigned port allows for ISP/government filtering.
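The monitoring point made in this thread (DNS traffic from hosts that are not the internal resolvers is worth a look, DoT is catchable by port, DoH on 443 is only catchable by destination IP at best) can be turned into a small flow-log check. The code below is an added example, not something posted in the thread; the resolver addresses, the internal network range, the "known DoH endpoint" list (placeholder TEST-NET addresses to be replaced by your own policy) and the sample flows are all constructed for the example.

```python
"""Flag DNS-ish egress that bypasses the site's internal resolvers.

Added example: constructed policy values and sample flows, not from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed site policy (constructed for this example).
INTERNAL_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Destination IPs your policy treats as public DoH endpoints. Placeholder values
# from the TEST-NET-1 documentation range; replace with your own list.
KNOWN_DOH_ENDPOINTS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}


@dataclass(frozen=True)
class Flow:
    """One flow record: source, destination, destination port, transport."""
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow sidesteps the internal resolvers, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if not any(src in net for net in INTERNAL_NETS):
        return None  # only egress from our own hosts is of interest
    if src in INTERNAL_RESOLVERS:
        return None  # the resolvers themselves are expected to talk outbound
    if dst in INTERNAL_RESOLVERS:
        return None  # a client using the sanctioned resolvers is the normal case
    if flow.dport == 53:
        return "plain DNS bypassing internal resolvers"
    if flow.dport == 853 and flow.proto == "tcp":
        # DoT has its own IANA port, so a firewall rule can deal with it directly.
        return "DoT (port 853) bypassing internal resolvers"
    if flow.dport == 443 and dst in KNOWN_DOH_ENDPOINTS:
        # DoH shares 443 with ordinary HTTPS; a destination-IP match is the only
        # signal this record gives, so it is a hint rather than proof.
        return "possible DoH to a listed public resolver (port 443, IP match only)"
    return None


def scan(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run classify() over a batch and keep only the flagged flows."""
    hits = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            hits.append((flow, reason))
    return hits


# Constructed sample flows (TEST-NET ranges for external addresses).
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.0.0.53", 53, "udp"),     # client -> internal resolver: fine
    Flow("10.0.0.53", "198.51.100.5", 53, "udp"),  # resolver's own upstream query: fine
    Flow("10.0.5.20", "198.51.100.5", 53, "udp"),  # client going straight out on 53
    Flow("10.0.5.21", "198.51.100.6", 853, "tcp"), # client using DoT directly
    Flow("10.0.5.22", "192.0.2.10", 443, "tcp"),   # client talking to a listed DoH IP
    Flow("10.0.5.22", "198.51.100.7", 443, "tcp"), # ordinary HTTPS, indistinguishable
    Flow("203.0.113.9", "198.51.100.5", 53, "udp"),# not one of our hosts
]

if __name__ == "__main__":
    for flow, reason in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The last sample line is the point of the DoH complaint in the thread: an HTTPS flow to an arbitrary host carrying DoH looks identical to any other HTTPS flow, so this kind of check can only catch DoH to endpoints you already know about, whereas the port-53 and port-853 cases are visible on their own.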