undefined | Better HN

0 pointsTrueDuality5y ago0 comments

Firefox and Chrome do yes, but none of these standards specify any kind of fall-back behaviour. There are no guarantees that any specific device or application needs to do that or how.

There is a cost to firewall rules like that as well. Who is going to maintain a list of all the IPs on the internet that are hosting DoH servers that could be used? What about the potentially more prolific proxies specified in this protocol enhancement? How does a network administrator keep all of those in sync with their edge networks? How does a home user?

Since DoH uses HTTPS there is no reason a service can't be multihomed on the same IP just like SNI allows multiple HTTPS servers on one IP. Would you be willing to block a legitimate website just so the applications on your network might fall-back to the name server you want them too?

0 comments

fiddlerwoaroof5y ago

You can snoop SNI and use that to block traffic, right? In another thread, someone suggested also stripping the keys for encrypted SNI from DNS queries which, when combined with a firewall that attempts to make a DoH query to every new SNI name it sees might potentially work.

kelnos5y ago

For now. Encrypted SNI is in development and will eventually be used by devices and apps that want to do this sort of thing and hide what they're doing.

fiddlerwoaroof5y ago

The solution to that is pretty simple. ESNI, I believe, requires encryption keys in DNS records: if you control DNS, you control ESNI. ECH might be harder to deal with, but you can always just block HTTPS connections you don’t want to support. Also, will some sort of certificate fingerprinting still work?

hkt5y ago

Well, adblock lists exist, DNS block lists exist, this is just something along similar lines that can be tested and aggregated and distributed. Not a perfect solution, but pi-hole as a router or similar could do it.

j / k navigate · click thread line to collapse

0 pointsTrueDuality5y ago0 comments

Firefox and Chrome do yes, but none of these standards specify any kind of fall-back behaviour. There are no guarantees that any specific device or application needs to do that or how.

0 comments

fiddlerwoaroof5y ago

kelnos5y ago

For now. Encrypted SNI is in development and will eventually be used by devices and apps that want to do this sort of thing and hide what they're doing.

fiddlerwoaroof5y ago

hkt5y ago

j / k navigate · click thread line to collapse