Thanks Kevin. You mean that on the server side we should suggest that
DNSoverHTTP operators adopt a filter to block proxies which anonymize the
source IP of DNS queries? It is not related to the DNSoverHTTP protocol but
is a security consideration, right?

Davey

> On August 6, 2015, at 01:02, Darcy Kevin (FCA) <kevin.da...@fcagroup.com> wrote:
> 
> Add yet another category of websites to block in corporate web proxies: DNS 
> query anonymizers.
> 
> - Kevin
>  
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Davey Song
> Sent: Tuesday, August 04, 2015 9:47 PM
> To: dnsop@ietf.org
> Subject: [DNSOP] About DNS over HTTP(s)
>  
> Hi folks,
>  
> As one of my own observations, there is a trend of using the HTTP(S) port for
> DNS transactions to provide better DNS service with regard to the DNS
> hijacking issue, the middle-box issue, DNS privacy and IP geolocation
> considerations. As a typical scenario and requirement, end users will benefit
> from the capability of always choosing a reliable and credible recursive
> server no matter where they are. In addition, Ads providers can alleviate
> their suffering from DNS hijacking by malware and network devices, which is a
> common Internet misbehavior nowadays. I have heard constant complaints from
> local Ads providers like Taobao and Baidu.
>  
> There is some related work already done in the industry, for example:
> 1) DNSpod serves a DNS over HTTP service called ‘D+’ to help their clients
> avoid DNS hijacking, with lower RRT. This service is used by Tencent to
> identify clients’ ISP accurately. (https://www.dnspod.cn/httpdns, only in
> Chinese)
> 2) DNSSEC trigger uses DNS over HTTP as a back-up for DNSSEC validation
> failure (https://www.nlnetlabs.nl/projects/dnssec-trigger/)
> 3) Restful DNS API (DNS in JSON) allows performing DNS queries over HTTP in
> JSON format. (http://www.dns-lg.com/) Also, PowerDNS supports DNS queries
> over HTTP in JSON format via the “experimental-json-interface=yes” config.
> (https://doc.powerdns.com/md/httpapi/README/)
> 4) DNSoverHTTP uses proxies as a quick deployment tool which encapsulates
> DNS packets into HTTP connections. These proxies are implemented both in
> C (https://github.com/BII-Lab/DNSoverHTTP/) and
> golang (https://github.com/BII-Lab/DNSoverHTTPinGO/)
> There are maybe other variations in different . Because there is no specific
> standard for DNS over HTTP(s), implementations vary and do not
> interoperate with each other. Some implementations cannot fully support
> all DNS records. As far as I know, there is no document that addresses that
> issue. So I’m considering whether it is worth documenting the current
> practice of DNS over HTTP(s) with suggestions for implementation and
> operation. If necessary we can also define/assign some parameters for DNS
> over HTTP(s) in the scope of W3C or IANA.
> So an intuitive thought is that we can unify some parameters of the HTTP
> protocol for the DNS application. Here is a list of parameters which might
> need to be unified, as my own concern:
> 1. Resource name: To distinguish DNS over HTTP from normal HTTP requests,
> there should be a unique resource name for DNS over HTTP (there are cases
> where Web and DNS services are hosted on the same server). For example, in
> our proxy implementation we use “proxy-dns” as the resource name to
> differentiate it from other webpage resources.
> 2. Content type: To avoid DNS over HTTP requests being processed by an
> unsupported server mistakenly, DNS over HTTP may use a unique sub content
> type under content type application.
> 3. Return code: (I’m not very sure whether this parameter is necessary)
> To indicate errors to the client, DNS over HTTP may have a set of return
> codes (error codes).
> 4. Post/Get: The server’s behavior for the Post and Get methods should be
> specified. An easy thought is that the server might return the description
> of DNS over HTTP when the client uses the Get method, while providing DNS
> over HTTP service when the client uses the Post method.
> 5. Other parameters: There might be some parameters that need to be added
> in DNS over HTTP’s header, such as Host IP, UDP/TCP (http-proxy usage),
> Json/Octet-stream etc.
>  
> Any suggestion please comment.
>  
> Best regards,
> Davey
>  
>  
> ------------------------------
> Davey Song(宋林健)
> BII Lab
> songlinj...@gmail.com <mailto:songlinj...@gmail.com>
>  

------------------------------
Davey Song(宋林健)
BII Lab
songlinj...@gmail.com


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
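
Added example, not part of the thread and not code from the BII-Lab proxies: a sketch of how a server could apply the quoted proposal's parameters 1 to 4 (resource name, content type, return code, Post/Get) and reject bodies that are not a well-formed DNS query. The `application/octet-stream` content type, the HTTP status codes chosen and the function names are assumptions; the post leaves them open.

```python
import struct

RESOURCE = "/proxy-dns"                    # resource name quoted in the post
CONTENT_TYPE = "application/octet-stream"  # assumption: the post leaves the subtype open

def parse_question(msg: bytes):
    """Return (qname, qtype) for the single question of a wire-format DNS query."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:     # QR bit set means a response, not a query
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:                         # root label ends the name
            break
        if n > 63 or pos + n > len(msg):   # pointers and oversized labels rejected here
            raise ValueError("bad label")
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype

def handle(method, path, content_type, body=b""):
    """Return (status, detail); the status codes are this example's choice."""
    if path != RESOURCE:                   # item 1: only the DNS resource is served
        return 404, "not a DNS-over-HTTP resource"
    if method == "GET":                    # item 4: GET describes the service
        return 200, "DNS over HTTP endpoint; POST a wire-format DNS query"
    if method != "POST":
        return 405, "method not allowed"
    if content_type != CONTENT_TYPE:       # item 2: refuse unexpected content types
        return 415, "unsupported content type"
    try:
        qname, qtype = parse_question(body)
    except ValueError as exc:              # item 3: report errors to the client
        return 400, f"malformed DNS query: {exc}"
    return 200, f"{qname} type {qtype}"    # a real proxy would forward the query here

# Constructed sample: a query for example.com, type A, class IN
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
```
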
