by ignoramous 2393 days ago
Thanks Olivier.

Re: nextdns-cli: I think you may have misunderstood my question. I was more curious about how the backend worked: Do you run one unbound instance per nextdns configuration?

Re: DoH: I was pointing to the fact that an XHR request to 1.1.1.1 (or any DoH provider that supports application/dns-json) can now resolve domain names. In this case, there's no reliance on either the browser's DoH resolver or the resolver set by the OS / access points / VPNs.

2 comments

Oh sorry. We have developed a custom DNS solution that sits in front of unbound. We only use unbound for standard recursion and caching; all custom configuration management is operated in this home-made DNS proxy.

For trackers to use DoH, they could certainly perform XHR requests to resolve a domain, but they won't be able to use it to perform a request from the browser. You may use http://<ip> instead of http://<domain>, but this has two issues:

1. You won't be able to use virtual hosting (the Host header is gone), and thus you need one IP per "service", which is doable but harder, more custom and more expensive.

2. You won't be able to use HTTPS, except with an expensive certificate that is somewhat harder to set up.

As most websites are HTTPS now, a non-HTTPS tracker would raise mixed content errors. Not to mention that this IP would quickly be blocked by browser-based ad blockers, and IPs are harder than domains to change.

And all this is doable without DoH: you just embed the IP in the ad library embedded by the site.

Thanks a lot for taking time to respond. Really appreciate it.

I guess, XHR aside, mobile or desktop apps making DoH requests (to https://ipaddress) is something that can't be blocked by DNS based ad-blockers? A firewall might do the trick.

For DoH there are some problems in addition to what poitrus said.

In order to make an XHR to 1.1.1.1 you need to be running JavaScript. But the whole goal of these CNAME and other evasions is to run JavaScript (aka not get blocked by browser extensions and such). So they already need to achieve their goal before they can make the XHR. Since they've already achieved their goal, why are they bothering with additional complexity?

Adblocking browser extensions could probably block XHR DoH requests that have adcompany.com in the query parameters.

This isn't really specific to DoH. Any database that can be queried by an XHR could be used instead of DoH for this purpose.
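The check suggested above (an ad-blocking extension or proxy matching the queried name in a DoH request against a blocklist) as an added example; this is not code from the thread or from any of the participants. It handles the application/dns-json shape discussed in the thread (`?name=...`) and, going one step beyond the thread, the RFC 8484 GET shape (`?dns=<base64url wire message>`), where the name has to be parsed out of the DNS question section. The blocklist entries, sample URLs, and the `encodeQueryBase64Url` helper that produces sample wire-format input are all constructed for the demonstration.

```javascript
// Added example (not from the thread): defender-side check for DoH lookups as
// seen by a browser extension or proxy. It extracts the queried name from the
// two common DoH GET shapes:
//   1. JSON API: GET /dns-query?name=ads.example.com&type=A (Accept: application/dns-json)
//   2. RFC 8484: GET /dns-query?dns=<base64url-encoded DNS wire-format message>
// and matches the name (and its parent domains) against a blocklist.
// Blocklist entries and sample URLs below are constructed sample data.

const BLOCKLIST = new Set(["adcompany.com", "tracker.example"]);

// Normalize a DNS name: lowercase and strip a trailing dot.
function normalizeName(name) {
  return name.toLowerCase().replace(/\.$/, "");
}

// True if the name equals a blocked domain or is a subdomain of one.
function isBlockedName(name, blocklist = BLOCKLIST) {
  const labels = normalizeName(name).split(".");
  for (let i = 0; i < labels.length; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decode the base64url form used by RFC 8484 GET requests into bytes.
function base64UrlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64");
}

// Read the first question name (QNAME) from a DNS wire-format message.
// Returns null for malformed input (too short, no question, label overrun,
// or a compression pointer, which is not expected in a query's question).
function qnameFromWire(bytes) {
  if (bytes.length < 12) return null;
  const qdcount = bytes.readUInt16BE(4);
  if (qdcount < 1) return null;
  const labels = [];
  let pos = 12;
  while (true) {
    if (pos >= bytes.length) return null;
    const len = bytes[pos];
    if (len === 0) break;
    if (len >= 0xc0) return null;
    pos += 1;
    if (pos + len > bytes.length) return null;
    labels.push(bytes.subarray(pos, pos + len).toString("latin1"));
    pos += len;
  }
  return labels.join(".");
}

// Extract the queried name from a DoH GET URL, or null if the URL carries
// neither a JSON-API "name" parameter nor an RFC 8484 "dns" parameter.
function queriedNameFromUrl(urlString) {
  const url = new URL(urlString);
  const name = url.searchParams.get("name");
  if (name !== null) return normalizeName(name);
  const dns = url.searchParams.get("dns");
  if (dns !== null) {
    const qname = qnameFromWire(base64UrlToBytes(dns));
    return qname === null ? null : normalizeName(qname);
  }
  return null;
}

// The decision an extension or proxy would make for one outgoing request.
function shouldBlockDohRequest(urlString, blocklist = BLOCKLIST) {
  const name = queriedNameFromUrl(urlString);
  return name !== null && isBlockedName(name, blocklist);
}

// Constructed helper: build a minimal DNS A query in wire format and encode it
// as base64url. Used here only to produce sample input for the check above.
function encodeQueryBase64Url(name) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0x0000, 0); // ID
  header.writeUInt16BE(0x0100, 2); // flags: recursion desired
  header.writeUInt16BE(1, 4);      // QDCOUNT = 1
  const parts = [header];
  for (const label of normalizeName(name).split(".")) {
    parts.push(Buffer.from([label.length]), Buffer.from(label, "latin1"));
  }
  parts.push(Buffer.from([0, 0, 1, 0, 1])); // root label, QTYPE=A, QCLASS=IN
  return Buffer.concat(parts).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample requests as an extension would observe them.
const SAMPLE_REQUESTS = [
  "https://1.1.1.1/dns-query?name=cdn.adcompany.com&type=A",
  "https://1.1.1.1/dns-query?name=news.example.org&type=A",
  "https://1.1.1.1/dns-query?dns=" + encodeQueryBase64Url("pixel.tracker.example"),
];

for (const u of SAMPLE_REQUESTS) {
  console.log(shouldBlockDohRequest(u) ? "BLOCK" : "allow", u);
}
```

The JSON-API case is the trivial one, since the name sits in the query string in clear text; the wire-format case shows why a blocker that only greps the URL for `adcompany.com` misses RFC 8484 GET (and all POST) lookups, and why the more robust control is the one the thread already names: treat the DoH endpoint itself as the thing to block or route through a resolver you control.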