nalini elkins wrote on 2019-03-11 10:26:
Tiru,
Thanks for your comments.
> Enterprise networks are already able to block DoH services,
I wonder if everyone here knows that TLS 1.3 and encrypted headers are
going to push a SOCKS agenda onto enterprises that had not previously
needed one, and that simply blocking every external endpoint known or
tested to support DoH will be the cheaper alternative, even if that
makes millions of other endpoints at Google, Cloudflare, Cisco, and IBM
unreachable as a side effect?
CF has so far only supported DoH on 1.1.1.0/24 and 1.0.1.0/24, which I
blocked already (before DoH), so that's not a problem. But if Google
decides to support DoH on the same IP addresses and port numbers that
are used for some API or web service I depend on, that web service is
going to be either blocked or forced to go through SOCKS. This will add
considerable cost to my network policy. (By design.)
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
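An added illustration of the side effect the message describes (example code written for this page, not from the post, the list, or any vendor): it models an enterprise blocklist keyed on DoH resolver addresses and reports which unrelated dependencies that blocklist would break once port 443 is the only thing left to match on. The ranges 1.1.1.0/24 and 1.0.1.0/24 come from the message; 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges standing in for hypothetical providers, and every endpoint name is constructed.

```python
"""Collateral-impact check for an IP-based DoH blocklist (added example).

Once SNI and other headers are encrypted, an enterprise that wants to stop DoH
can only key its rule on destination address and port.  If a provider serves
DoH from the same address and port 443 as an API the business depends on, that
API is blocked too.  All addresses and names below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    port: int


# Constructed DoH blocklist.  1.1.1.0/24 and 1.0.1.0/24 are the ranges the post
# mentions; 203.0.113.0/24 (RFC 5737 TEST-NET-3) and 2001:db8::53 (RFC 3849
# documentation prefix) stand in for hypothetical providers that front DoH and
# unrelated services on shared addresses.
DOH_BLOCKLIST = ["1.1.1.0/24", "1.0.1.0/24", "203.0.113.0/24", "2001:db8::53"]

# Constructed inventory of services the business depends on (none of them DoH).
DEPENDENCIES = [
    Endpoint("payments-api.example", "203.0.113.10", 443),  # shares address and port
    Endpoint("mail-relay.example", "203.0.113.25", 25),     # shares address only
    Endpoint("cdn.example", "198.51.100.7", 443),           # unaffected
    Endpoint("partner-api.example", "2001:db8::53", 443),   # IPv6, shares address and port
]

DOH_PORT = 443


def parse_blocklist(entries):
    """Turn CIDRs and bare addresses into ip_network objects (bare -> /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def address_is_blocked(ip, networks):
    """True if ip falls inside any blocked network; a version mismatch is False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def collateral_damage(dependencies, blocklist, port_aware):
    """Return sorted names of non-DoH dependencies the blocklist would break.

    port_aware=True  models a rule of the form  drop <net> tcp/443
    port_aware=False models a rule of the form  drop <net>         (all ports)
    """
    nets = parse_blocklist(blocklist)
    broken = []
    for ep in dependencies:
        if not address_is_blocked(ep.ip, nets):
            continue
        if port_aware and ep.port != DOH_PORT:
            continue  # a port-scoped rule leaves this service reachable
        broken.append(ep.name)
    return sorted(broken)


def blocked_address_count(blocklist):
    """How many addresses the blocklist covers: a rough size of the blast radius."""
    return sum(net.num_addresses for net in parse_blocklist(blocklist))


if __name__ == "__main__":
    for mode in (True, False):
        label = "port-scoped (tcp/443)" if mode else "address-wide"
        print(f"{label:22} breaks: {collateral_damage(DEPENDENCIES, DOH_BLOCKLIST, mode)}")
    print("addresses covered by blocklist:", blocked_address_count(DOH_BLOCKLIST))
```

Scoping the rule to tcp/443 spares services on other ports (the constructed mail relay), but anything sharing both the address and port 443 with a DoH front end is lost either way, which is exactly the cost the message attributes to shared infrastructure; the only remaining alternatives are accepting that loss or forcing the traffic through a proxy that can see the request.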