That's actually my biggest concern with DoH, ISP blocking. It doesn't seem as obvious as it is with DoT, but deep packet inspection (DPI) is already a thing. Don't expect an ISP that wants to block DoT to not (want to) block DoH either. The crux of the problem at that point is not the technology, it is the ISP's incentives. If the ISP wants to block DoT for whatever reason, personally I'd consider it.. not exactly fine but at least their right to do so. That's their decision to make. The problem is that if they want to block DoH too, they'd more or less have to break HTTPS altogether. And at that point, I'd expect them already more than willing to do so.

As far as content blocking goes, currently DNS is used for that too. In my country that is mainly Torrent sites, which are illegal. In workplaces it'd be for websites employees aren't allowed to visit at work. Most users use their ISP's / workplace's DNS servers and thus a simple DNS block ended up being fine. If that wasn't the case, more invasive methods would've been necessary. DNS blocking is easy to bypass but not many people do it. Personally I'd much rather keep technology away from policy. Encrypting DNS is important and both methods are fine for their own reasons, but policy is something that ISP's and workplaces will enforce regardless. Making this harder with technology could very well have adverse effects in the long run.

On 5/1/20 11:51 PM, @lbutlr wrote:
On 29 Apr 2020, at 14:19, Tony Finch <d...@dotat.at> wrote:
DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:
DOH is better because it cannot be blocked without blocking all https traffic.

(FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars 
religious canonical war here, but being able to guarantee access to secure DNS 
is definitely better for users).

All that its need to subvert DoT is to block port 853.

If DoT takes off, I expect all US ISPs to block port 853 universally. There’s 
nothing they can do about DoH.

Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies 
is “discouraged” but not prevented, most obviously.




--
Met vriendelijke groet / Best regards,
Michael De Roover
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to