On 10/28/23 3:13 AM, John Levine wrote:
It appears that Michael Thomas <m...@mtcc.com> said:
If you're one of the small minority of retail users that knows enough
about the technology to pick your own resolver, go ahead. But it's
a reasonable default to keep malware out of Grandma's iPad.
How does this line up with DoH? Aren't they using hardwired resolver
addresses? I would hope they are not doing anything heroic.
Generally, no. I believe that Chrome probes whatever resolver is configured
into the system and uses that if it does DoH or DoT.
At one point Firefox was going to send everything to their favorite
DoH resolver but they got a great deal of pushback from people who
pointed out that they had policies on their networks and they'd have
to ban Firefox. Firefox responded with a lame hack
where you can tell your cache to respond to some name and if so
Firefox will use your resolver.
That's probably what I'm remembering with Firefox. But doesn't probing
the local resolver sort of defeat the point of DoH? That is, I really
don't want my ISP to be able to snoop on my DNS history. Sending it off
to one of the well known resolvers at least gives me a chance to know
whether they are evil or not because there aren't very many of them vs
every random ISP out there. Since nobody but people like us know about
those resolvers it seems to me that without preconfiguration meaningful
DoH is pretty limited?
Or maybe I just don't understand what problem they were trying to solve?
Mike