undefined | Better HN

0 pointsicebraining6y ago0 comments

Anyone can link to their own getaddrinfo(), including an internal function, they don't have to use one from whichever libc happens to be laying around on the system.

In theirs, they read the DNS servers from the OS (like the original), and then if it's part of a list of known DoH providers, they try to connect over DoH before falling back to regular DNS queries.

0 comments

mlyle6y ago

First, I know nothing about DoH, so take this with a grain of salt.

They should look up a canary domain that doesn't resolve from the roots, but local sites can configure to provide the address of a DoH resolver. Then you don't need to have a list of known DoH providers-- any site can install a DoH resolver and then add the canary domain to allow clients to upgrade.

It'd still be vulnerable to MITM attacks on initial connect, but at least the window for them is closed after the first resolution with this approach (better than normal DNS).

judge20206y ago

For reference, the code that does the protocol upgrade: https://github.com/chromium/chromium/blob/711b1ba2735f8af4bd...

the84726y ago

That would mean bypassing OS configuration, including other naming sources then DNS.

icebrainingOP6y ago

Yes, and if you search for "Chrome DNS client", people have reported problems related to that.

j / k navigate · click thread line to collapse