
DNS servers don't serve regular web traffic, so all requests to a DNS server can be classified as DNS requests. So what does it add on top of DoT?



It's harder to block.


You can run DoT on any port, including 443. Then blocking it is going to be the same as blocking DoH. Why wrap it in an HTTP request layer?


DoH makes the request look like a regular HTTPS request, therefore you'd need more sophisticated heuristics to block it.

If you contend that you can match the DoH SNI with a known DoH server and block that, fair enough. However, there's always another unknown DoH server you haven't blocked. Blocking DoT is trivial in comparison, because of its signature on the wire.
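To make the "signature on the wire" point concrete, here is an added example that is not part of the thread above: a toy middlebox classifier that parses the SNI and ALPN extensions of a TLS ClientHello. It builds its own sample ClientHellos inline (constructed input, not captured traffic), flags DoT by the well-known port 853 or the ALPN identifier "dot" registered by RFC 7858, and can only catch DoH by matching the SNI against a resolver blocklist. The blocklist contents and the hostnames used in the samples are assumptions for illustration.

```python
"""
Added example (not from the Hacker News thread): classify TLS connections as
DoT, known DoH, or generic HTTPS using only the ClientHello.
"""
import struct

DOT_PORT = 853  # well-known DoT port (RFC 7858)
# Illustrative blocklist of DoH resolver names; an assumption, not a complete list.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}


def _ext(ext_type, body):
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni=None, alpn=None):
    """Construct a minimal TLS ClientHello record with optional SNI and ALPN."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        name_list = struct.pack("!BH", 0, len(host)) + host   # name_type 0 = host_name
        exts += _ext(0, struct.pack("!H", len(name_list)) + name_list)
    if alpn:
        protos = b"".join(struct.pack("!B", len(p)) + p.encode() for p in alpn)
        exts += _ext(16, struct.pack("!H", len(protos)) + protos)
    body = (
        b"\x03\x03" + bytes(32)          # client_version + random (zeros, constructed)
        + b"\x00"                         # session_id length 0
        + b"\x00\x02\x13\x01"             # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                     # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni, [alpn protocols]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                  # record header, handshake header, version, random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = record[pos]
    pos += 1 + cm_len
    if pos >= len(record):
        return None, []                   # no extensions block at all
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni, alpn = None, []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == 0:                    # server_name: list length, then (type, len, name) entries
            p = 2
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    sni = data[p + 3:p + 3 + nlen].decode()
                p += 3 + nlen
        elif etype == 16:                 # application_layer_protocol_negotiation
            p = 2
            while p < len(data):
                plen = data[p]
                alpn.append(data[p + 1:p + 1 + plen].decode())
                p += 1 + plen
    return sni, alpn


def classify(dst_port, record):
    """Toy middlebox heuristic: what does this TLS connection most likely carry?"""
    sni, alpn = parse_client_hello(record)
    if dst_port == DOT_PORT or "dot" in alpn:
        return "DoT"                      # port 853 or ALPN "dot" gives DoT away, on any port
    if sni in KNOWN_DOH_HOSTS:
        return "DoH (known resolver)"     # the only DoH signal here is the server name
    return "HTTPS (unknown)"              # DoH to a resolver not on the list lands here


if __name__ == "__main__":
    for port, hello in [
        (853, build_client_hello("dns.example", ["dot"])),
        (443, build_client_hello("dns.example", ["dot"])),
        (443, build_client_hello("dns.google", ["h2", "http/1.1"])),
        (443, build_client_hello("doh.unlisted.example", ["h2"])),
    ]:
        print(port, parse_client_hello(hello), "->", classify(port, hello))
```

Running it shows the asymmetry both commenters are arguing about: DoT moved to port 443 is still flagged as long as the client advertises ALPN "dot", while DoH to any resolver missing from the blocklist is indistinguishable from ordinary HTTPS at this layer. A DoT client that omits ALPN and uses 443 would also fall through to "HTTPS (unknown)" in this classifier, which is the scenario the second commenter has in mind.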



