by dimkr1 2545 days ago
Because the OS (getaddrinfo(), gethostbyname(), etc.) doesn't implement DoH; it implements a /etc/hosts parser and a DNS (over UDP) client.

I wrote a glibc plugin that implements a caching DoH client for glibc, which can replace the DNS client or fall back to it - https://github.com/dimkr/nss-tls.

2 comments

The criticism (which you seemed to miss) is that everyone is rushing to implement this at the application-level(s), instead of contributing to get it implemented, once, at the OS level instead and have a fix in place for everyone.
How do you get the three big closed source OS vendors to do this in less than a decade?

Not to mention that DNS over HTTP is one of the class of features where you might want to override sysadmin policy as a user.

> Not to mention that DNS over HTTP is one of the class of features where you might want to override sysadmin policy as a user.

I don’t buy that argument at all.

Why should we special case policies of one internet-protocol over all the others?

Also: implementing/marketing DoH as a way to bypass enterprise control and policies is a surefire way to find it permanently blocked at firewall level in said enterprises.

I.e. your attempt at subverting control won’t gain you anything but deserved distrust.

nss-tls is "at the OS level". It makes getaddrinfo(), etc., use DoH behind the scenes, so applications are transparently migrated to DoH.

I think you missed the nss-tls README and think nss-tls is not at the "OS level".
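The "replace the DNS client or fall back to it" choice above is made in glibc's /etc/nsswitch.conf `hosts:` line, which lists NSS modules left to right with optional `[STATUS=action]` specs. The following added example (not code from nss-tls or its README) parses such lines and reports whether classic UDP DNS is still reachable behind a DoH module; the module name `tls` and the sample lines are assumptions, so check the project's README for the real name.

```python
import re

# Constructed nsswitch.conf "hosts:" lines (not taken from the nss-tls README).
# The NSS module name "tls" is an assumption; the real name is in the project README.
REPLACE_DNS = "hosts: files tls"                          # DoH only, no UDP DNS fallback
FALLBACK = "hosts: files tls dns"                         # try DoH, then classic DNS
STOP_ON_NOTFOUND = "hosts: files tls [NOTFOUND=return] dns"  # fall back only on errors

def parse_hosts_line(line):
    """Parse a 'hosts:' line into [(module, {STATUS: action}), ...].

    glibc consults modules left to right; by default SUCCESS stops the lookup and
    NOTFOUND/UNAVAIL/TRYAGAIN continue to the next module unless a bracketed
    spec such as [NOTFOUND=return] overrides that for the preceding module.
    """
    key, _, rest = line.partition(":")
    if key.strip() != "hosts":
        raise ValueError("not a hosts: line")
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not chain:
                raise ValueError("action spec before any module")
            for spec in tok[1:-1].split():
                status, _, action = spec.partition("=")
                chain[-1][1][status.upper()] = action.lower()
        else:
            chain.append((tok, {}))
    return chain

def resolver_path(line, doh_module="tls"):
    """Classify how a name lookup flows once the DoH module is in the chain."""
    chain = parse_hosts_line(line)
    names = [m for m, _ in chain]
    if doh_module not in names:
        return "doh-unused"
    i = names.index(doh_module)
    if "dns" not in names[i + 1:]:
        return "doh-only"              # DoH replaces the UDP DNS client outright
    if chain[i][1].get("NOTFOUND") == "return":
        return "doh-with-dns-fallback-on-error-only"  # NXDOMAIN from DoH is final
    return "doh-with-dns-fallback"     # any non-success from DoH reaches plain DNS
```

A `doh-with-dns-fallback` chain is the one to look at when judging downgrade exposure: a failed DoH lookup silently lands on the unencrypted resolver.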

Hi Dima - I'm assuming you're aware of dnscrypt-proxy and wrote nss-tls because you wanted a lighter weight implementation of a subset of dnscrypt-proxy's features on a specific platform (linux/glibc, for example this won't work on linux/musl afaik)? I use dnscrypt-proxy happily but was interested in nss-tls, yet couldn't find a rationale/comparison in the readme.