
1895 points _l4jh | 1 comments
bluejekyll No.16728385
DNS-over-HTTPS doesn’t make as much sense to me as DNS-over-TLS. They are effectively the same thing, but HTTPS has the added overhead of the HTTP headers per request. If you look at the currently in progress RFC, https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-04, this is quite literally the only difference. The DNS request is encoded as a standard serialized DNS packet.

The article mentions QUIC as being something that might make HTTPS faster than standard TLS. I guess over time DNS servers can start encoding HTTPS requests into JSON, like Google's impl, though there is no spec that I've seen yet that actually defines that format.

Can someone explain what the excitement around DNS-over-HTTPS is all about, and why DNS-over-TLS isn’t enough?

EDIT: I should mention that I started implementing this in trust-dns, but after reading the spec became less enthusiastic about it and more interested in finalizing my DNS-over-TLS support in the trust-dns-resolver. The client and server already support TLS; I couldn't bring myself to raise the priority enough to actually complete the HTTPS impl (granted it's not a lot of work, but still, the tests etc. take time).

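To make the "effectively the same thing, but with HTTP headers" comparison concrete, here is an added example (not code from the thread, from trust-dns, or from the draft) that wraps one identical wire-format DNS query in the RFC 7858 DoT framing and in the two DoH request forms, then counts the bytes each transport adds. Header and parameter names follow RFC 8484, the published version of the draft linked above; the resolver host `resolver.example`, the `/dns-query` path and the `example.com` query are constructed sample values.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Serialize a minimal RFC 1035 query: header with RD set plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858) keeps the TCP framing: a 2-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH GET: the same wire-format message, base64url without padding, in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (
        f"GET {path}?dns={encoded} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n\r\n"
    ).encode("ascii")

def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST: the raw wire-format message is the body, typed application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    ).encode("ascii")
    return head + msg

def framing_overhead(name: str, host: str = "resolver.example") -> dict:
    """Bytes each transport wraps around one identical DNS message, before TLS record overhead."""
    # txid 0 as RFC 8484 recommends for GET, so identical queries yield identical cacheable URLs
    msg = build_query(name)
    return {
        "dns_message": len(msg),
        "dot": len(dot_frame(msg)) - len(msg),
        "doh_get": len(doh_get_request(msg, host)) - len(msg),
        "doh_post": len(doh_post_request(msg, host)) - len(msg),
    }

if __name__ == "__main__":
    print(framing_overhead("example.com"))  # constructed sample name
```

The DNS message itself is byte-for-byte the same in all three; only the envelope differs, and HTTP/2 header compression (not modelled here) shrinks the DoH numbers on a reused connection.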
chimera77 No.16728709
One of the use cases for DNS-over-HTTPS given in the draft was to allow web applications access to DNS directly via existing browser APIs.
codetrotter No.16729540
Wonder if this will pave the way for other protocols over HTTPS.
gsich No.16730413
Hopefully not. One needs to stop working around crappy setups from crappy networks. Which X-over-HTTPS really is all about.
18pfsmt No.16748664
It seems like crappy networks are the norm nowadays, and the preference of the ISPs is to offer the web only. You need a middle box just to access the internet at large (e.g. Tor). Masquerading traffic as web traffic appears to be a good tactic, though inefficient/sloppy.