From: "@lbutlr"
Newsgroups: comp.protocols.dns.bind
Subject: Re: DoH plugin for BIND
Date: Fri, 1 May 2020 15:51:15 -0600
To: bind-users

On 29 Apr 2020, at 14:19, Tony Finch wrote:
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:

DOH is better because it cannot be blocked without blocking all https traffic.

(FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).

All that is needed to subvert DoT is to block port 853.
If DoT takes off, I expect all US ISPs to block port 853 universally. There’s nothing they can do about DoH.

Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies is “discouraged” but not prevented, most obviously.

-- 
'You're your own worst enemy, Rincewind,' said the sword.
Rincewind looked up at the grinning men.
'Bet?' --Colour of Magic
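
The port distinction argued in the message above, as an added example that is not part of the original post: the same DNS query framed for DoT (RFC 7858, length-prefixed inside TLS on its own port 853) and for DoH (RFC 8484, an ordinary HTTPS request on port 443). The host name `doh.example` and the HTTP/1.1 text rendering of the request are assumptions made for illustration.

```python
import base64
import struct

DOT_PORT = 853  # dedicated port (RFC 7858): a single port filter matches it
DOH_PORT = 443  # shared with all other HTTPS traffic (RFC 8484)


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Encode a one-question DNS query (RD bit set, class IN) in wire format."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def dot_frame(query: bytes) -> bytes:
    """DoT payload: 2-byte length prefix plus the message, sent inside TLS."""
    return struct.pack("!H", len(query)) + query


def doh_get_request(query: bytes, host: str, path: str = "/dns-query") -> str:
    """DoH GET: the message travels as unpadded base64url in the 'dns' parameter.

    No Cookie header is sent; the request needs none to be answered.
    """
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return (
        f"GET {path}?dns={b64} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "\r\n"
    )


def decode_doh_param(b64: str) -> bytes:
    """Reverse the 'dns' parameter encoding, restoring the stripped padding."""
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_query("www.example.com")  # constructed sample query
    print(f"DoT -> TLS to port {DOT_PORT}, payload {dot_frame(q).hex()}")
    print(f"DoH -> TLS to port {DOH_PORT}, request:")
    print(doh_get_request(q, "doh.example"))  # doh.example is a placeholder
```

On the wire both are TLS streams; the observable difference is the destination port, which is the property the message relies on.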