
More information: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-pr...

According to this page:

- you can already test this right now

- you can provide your own server

And some more: https://en.wikipedia.org/wiki/DNS_over_HTTPS




> - you can provide your own server

Nobody will do this except for maybe 5 individuals and a few dozen corporations, simply because there are no other public DoH servers around.


Many already run their own resolvers, so providing a DNS-over-HTTPS proxy is not a problem.

What is THE problem is configuring the browser. No one is going to reconfigure their browser after each connection to a different network. There's a reason why we moved from static configuration towards DHCP, which can configure network-specific settings. DNS is a network-specific setting, and Mozilla is breaking it.


That's really the issue, I think: it has to be a public server if it's going to work for mobility.

Fixed desktops maybe, but a laptop or phone?


Split horizon was always a bad hack; there have always been alternatives. DoH could be used on the default DNS servers too; there is value in encrypted DNS on the LAN as well.


> Split horizon was always a bad hack; there have always been alternatives.

I always see this repeated as a mantra, but never its rationale. No company is going to advertise their internal infrastructure needlessly. There's no upside in the world knowing that your _kdc._tcp.company.com is 192.168.10.20; but there are downsides.

> DoH could be used on the default DNS servers too; there is value in encrypted DNS on the LAN as well.

Sure, but hardcoding or statically-configuring the value is not the way. LANs need to have their DHCP tags respected. If one of them is "use this URL for DoH-server", that's fine.


No other public resolver?

https://developers.google.com/speed/public-dns/docs/dns-over... https://ripe76.ripe.net/on-site/technical-information/dns-ov...

The DNScrypt project has a longer list here:

https://download.dnscrypt.info/resolvers-list/v2/public-reso...

Keep in mind that this is currently all pretty much experimental.


Many corporations will choose to run their own resolvers for internal services.

Home/small business router vendors already include DNS resolvers on the boxes they sell which work to automatically provide hostnames for addresses that they've served up with DHCP.


> - you can provide your own server

How do I RUN my own server? A few minutes of Googling hasn't revealed any DNS-over-HTTPS server that appears production-ready.


There are a lot of wrappers that you can use to provide a TLS proxy to an existing resolver; a few are listed at the bottom of this page:

https://github.com/curl/curl/wiki/DNS-over-HTTPS
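To make concrete what such a wrapper actually does (the "DNS-over-HTTPS proxy in front of an existing resolver" mentioned above), here is an added example of the RFC 8484 message handling a DoH front end performs. This is not code from the original thread or from any of the wrappers linked on that page: it builds a wire-format DNS query, encodes it the way a DoH GET carries it (`dns=` parameter, base64url without padding), and runs a request handler that validates the request before handing the raw message to an upstream resolver. The upstream is a constructed stub (`fake_upstream`) that answers `192.0.2.1` so the block runs offline; a real proxy would forward the bytes to a UDP resolver such as the one on the router or the corporate network. The base URL and hostnames are assumptions.

```python
"""Minimal RFC 8484 DNS-over-HTTPS message handling in front of an existing
resolver. Added example; the upstream resolver is a constructed stub."""
import base64
import struct

DNS_MESSAGE = "application/dns-message"
MAX_MESSAGE = 65535  # wire-format DNS upper bound; a proxy should cap request bodies


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Wire-format query. RFC 8484 recommends ID 0 so identical questions
    produce identical bytes, which makes the HTTP response cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base, query):
    """GET form of a DoH request: base64url of the message, padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def decode_dns_param(param):
    """Inverse of doh_get_url's encoding: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(data, off, hops=0):
    """Read a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(resp):
    """Return [(name, rtype, ttl, rdata)] from the answer section; A records
    are rendered as dotted quads, everything else is left as raw bytes."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, off = read_name(resp, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def fake_upstream(query):
    """Constructed stand-in for the UDP resolver behind the proxy: echoes the
    question and answers with 192.0.2.1, TTL 300. A real proxy would send
    `query` to 127.0.0.1:53 over UDP and return the datagram it receives."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def handle_doh_request(method, content_type, body, dns_param, upstream):
    """Validate one DoH request and return (status, headers, body).
    `upstream` is any callable mapping a wire-format query to a response."""
    if method == "POST":
        if content_type != DNS_MESSAGE:   # a full server would parse parameters
            return 415, {}, b""
        query = body
    elif method == "GET":
        if dns_param is None:
            return 400, {}, b""
        try:
            query = decode_dns_param(dns_param)
        except ValueError:                # binascii.Error is a ValueError
            return 400, {}, b""
    else:
        return 405, {"Allow": "GET, POST"}, b""
    if not 12 <= len(query) <= MAX_MESSAGE:   # header alone is 12 bytes
        return 400, {}, b""
    resp = upstream(query)
    headers = {"Content-Type": DNS_MESSAGE}
    ttls = [ttl for _, _, ttl, _ in parse_answers(resp)]
    if ttls:   # RFC 8484: HTTP freshness must not exceed the smallest TTL
        headers["Cache-Control"] = f"max-age={min(ttls)}"
    return 200, headers, resp


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))  # assumed base URL
    status, hdrs, body = handle_doh_request("POST", DNS_MESSAGE, q, None, fake_upstream)
    print(status, hdrs, parse_answers(body))
```

The handler does the three things a front end must get right before it touches the resolver: reject anything that is not `application/dns-message`, bound the message size, and derive `Cache-Control` from the smallest answer TTL rather than a fixed value, so an HTTP cache in front of the proxy cannot serve a record longer than the resolver intended.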


You don't need DoH for that. Just use a VPN and configure it to replace your host's resolver as long as it is up.

Another advantage of using standard UDP-based DNS over a UDP-based VPN is that it can reorder packets in flight, so it should have lower latency than anything TCP-based.


The counterpoint is that traditional DNS has horrendous loss recovery and basically no congestion control and these things definitely benefit DoH at the tail.

QUIC will let us have it both ways (and as QUIC has an HTTP definition, it's basically a free upgrade for DoH).


Sure, I don't NEED it right now, but it feels like DNS-over-HTTPS will become non-optional at some point.

I hope I'm wrong about that, but I'd like to prepare a little bit in case I'm right.
