
DNS over HTTPS Explained - katzeilla
https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/
======
gumby
The weight of setting up and tearing down an HTTP(S) connection compared to
the lightweight DNS query is barely touched.

~~~
tialaramex
HTTP has keep-alive. You can definitely win for a single UDP DNS query, but
web browsers don't do a single DNS query; they often do dozens per page
displayed, and HTTPS can make that faster.

The HTTPS connection stays alive but idle for seconds, maybe minutes, and it
always has the capabilities that DNS can only get by punting to TCP, which
requires a round trip.

At the layer above, the TLS connection can be brought back quickly from cached
credentials using a PSK.

And at the layer above that, the TCP connection can do Fast Open so that there
isn't a round-trip there either after the very first session.

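The thread above is arguing about what the HTTP layer adds to a DNS query. An added example, not code from the article or from any commenter, makes the protocol concrete: RFC 8484 carries an ordinary DNS wire-format message as the body of an HTTP request (POST) or base64url-encoded in a `dns` query parameter (GET), with media type `application/dns-message`, and the response is the same wire format back. The host `doh.example`, the constructed response bytes, and all function names are this example's own assumptions; nothing here touches the network.

```python
import base64
import struct

# Added example (not from the article or the commenters). Builds an RFC 8484
# DoH request from a DNS wire-format query and parses a constructed DoH
# response body. The host "doh.example" is a placeholder, not a real resolver.

DOH_CONTENT_TYPE = "application/dns-message"


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query message in wire format. The ID is 0, so the same question
    always serialises to the same bytes; RFC 8484 section 4.1 recommends this
    so that HTTP caches can match identical queries."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_target(query: bytes, path: str = "/dns-query") -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def doh_post_request(query: bytes, host: str, path: str = "/dns-query") -> bytes:
    """POST form, written out as HTTP/1.1 for readability. Real clients use
    HTTP/2 and keep one connection open across many queries."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Accept: {DOH_CONTENT_TYPE}\r\n"
        f"Content-Type: {DOH_CONTENT_TYPE}\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    ).encode("ascii")
    return head + query


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Parse header, question and answer sections of a DoH response body.
    Returns (rcode, answers); each answer is (name, type, ttl, rdata)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


def cache_max_age(answers) -> int:
    """RFC 8484 section 5.1: HTTP freshness must not exceed the smallest TTL."""
    return min((ttl for _, _, ttl, _ in answers), default=0)


# Constructed response (not captured traffic): example.com A 192.0.2.1, TTL 300,
# with the answer name compressed as a pointer to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_target(q))
    print(doh_post_request(q, "doh.example").decode("ascii", "replace"))
    rcode, answers = parse_response(SAMPLE_RESPONSE)
    print(rcode, answers, "max-age:", cache_max_age(answers))
```

The 29-byte query and the 45-byte response are the whole DNS payload; everything else on the wire is HTTP framing, TLS and TCP, which is exactly what session resumption, TCP Fast Open and HTTP/2 multiplexing amortise across queries. Note the cache bound: a DoH server that sets `Cache-Control: max-age` higher than the shortest TTL lets an HTTP cache serve stale answers, which is why the freshness value is derived from the parsed answers rather than chosen independently.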
------
johnklos
It's presented from a biased point of view. It doesn't discuss the problems
with DoH.

~~~
zamadatix
Most of the "problems" with DoH tend to be implementation-based (e.g.
applications individually resolving DNS, or corporations assuming that if they
intercept UDP 53 they have secured connectivity), not necessarily problems with
DoH.

The main drawback of DoH itself is that it moves DNS to a session-based service,
which causes increases in workload for DNS infrastructure, but to be fair the
article does mention that, so I'm not sure "it doesn't discuss the problems
with DoH" is totally fair.

~~~
dngray
I use my system resolvers on all my hosts, hand the IP to my unbound DNS
server out and recurse over DoHs; that way everything is doing DoHs even if
the underlying software doesn't implement it. DNSCrypt can do both its
protocol and DoHs.

https://wiki.archlinux.org/index.php/Dnscrypt-proxy#Local_DNS_cache_configuration

------
coretx
HTTPS can't be trusted due to nation states both being abusive certificate
authorities and the source of demand for DNS censorship. Therefore, DNS over
HTTPS is a bad idea at best. Please think about using dnscrypt or similar
solutions instead.

~~~
tinus_hn
The certificates can be pinned. This is a poor argument against DNS over
HTTPS.

