This DNS over HTTP thing

Matt Harris matt at netfire.net
Tue Oct 1 13:44:46 UTC 2019


On Tue, Oct 1, 2019 at 8:22 AM Stephane Bortzmeyer <bortzmeyer at nic.fr>
wrote:

> On Tue, Oct 01, 2019 at 12:11:32PM +0200,
>  Jeroen Massar <jeroen at massar.ch> wrote
>  a message of 101 lines which said:
>
> >  - Using a centralized/forced-upon DNS service (be that over DoT/DoH
> >  or even plain old Do53
>
> Yes, but people using a public DNS resolver (of a big US corporation)
> over UDP is quite an old thing and nobody complained. I really wonder
> why there was so little reaction against OpenDNS or Google Public DNS
> and suddenly a lot of outcry against DoH...
>

Mainly because no one was ever forcibly-defaulted to those, while browser
makers are now going to be defaulting to sending queries to a specific set
of DoH servers not set by dhcp/etc locally, but rather chosen by the
browser maker, in a way that most users won't even realize/notice, hence
allowing the browser maker to determine who gets to see the queries the
user is making while surfing the web in that browser. This is a major
change from how browsers and other applications have historically behaved,
where DNS servers were set either locally on the host, or via dhcp or
somesuch at the LAN level. This change will almost certainly be made
without the user explicitly consenting to it.

Effectively, there is no outcry against DoH. There is outcry against how
some browser makers are implementing some configuration changes. It
wouldn't matter what protocol they were using, even if they simply skipped
local/LAN resolver configs and went straight to udp/tcp 53 on their chosen
servers for recursive queries.

Browser makers rule the world in a number of ways already, like choosing
which TLS root certificates to include, and setting default search engines
and settings (sometimes on update, even overriding explicit user settings,
as was the case when Firefox switched to a paid arrangement with Yahoo.)
There's a lot of potential for abuse here, and so oversight in the form of
"outcry" seems entirely justified when such changes occur.