Hacker News new | past | comments | ask | show | jobs | submit login

DoH is the simple idea that instead of proxying your DNS request to whatever and whoever is configured by the local network operator, usually the ISP, we will proxy it to google under https if you use chrome or cloudflare if you use firefox. (Technically both browsers allow for this setting to be overwritten)

Once the proxied package arrive at google/cloudflare it is back to normal dns operations.

An other way to see it is that DoH is a https based VPN that the browser has chosen for you, but which only proxy dns traffic.

Fixing the dns protocol is what DoT is for, and especially aDoT which would allow in the future for end-to-end encryption between end user and DNS server. Sadly aDoT is only a draft right now, and there is a lot of resistance to the idea of moving away from the caching proxy model.




This is obviously incorrect, right? Google has ad nauseam repeated that they're not shifting Chrome users to Google DNS, but rather upgrading users to DoH iff their current provider supports it. How does that fact not refute your central claim here?


The central claim is that doh operate identical to the communication between the stub resolver and the recursive resolver, and it is simply the client proxying the resolving request to a third party. The specific transport layer, that of https, is basically irrelevant to the security design of the dns protocol itself which is unaware if it got proxied through https, by unencrypted udp packages, or tunneled through a vpn service.

The default behavor of chrome is to automatically use their DoH service if the users broadband ISP supports it. I don't dispute that or intended to comment on it. If my above comment implied something else I am sorry as that was not the intention nor the central message of the comment. The comment was not a critique of googles default choice in chrome, but rather an attempt to explain how DoH relate to the DNS protocol and how aDoT, which is based on DoT, might actually fix the security faults of the dns protocol by enabling end-to-end encryption between the user and the dns server.


The comment you wrote upthread said literally the opposite, both of what you just wrote here, and of the truth, which is, of course, that Google is not in fact redirecting or proxying DNS requests for Chrome users back to Google.


Good thing then that was not the intent.

Do you have anything to say the aspect of proxying dns to a third party, or the possibility of end-to-end encryption in dns?


I think that DoH and DoT do essentially the same thing, and that the only meaningful difference is that DoT was designed with a kill switch for network operators to overrule applications running on computers. As an owner of a computer, I would rather not give AT&T, let alone a random coffee shop or hotel, the ability to disable my secure lookups; obviously, I think DoH is the better plan. Fortunately, it appears to be roflstomping DoT in the marketplace.


DoH and DoT are both using the design of using a third party that is an caching proxy, and neither allow for end-to-end encryption between the client and the authoritative dns server.

With end-to-end encryption there is no kill switch, so that would make it a rather huge practical difference between aDoT and DoT. It also provide confidentiality which is a much better design for privacy than DoH.

As an owner of an computer, are you against end-to-end encryption for dns, or in favor of end-to-end encryption? You comment above does not answer that question.


It is interesting that people have such negative reaction to the idea of end-to-end encryption in dns. I can think of very few other technical areas where having secure communication between the client and server without the involvement of third parties is seen as something bad and who ever suggest it should be shunned.

Given how that is, I wonder how people would react to the idea of using even stronger security like off-the-Record Messaging.


I didn't downvote your comment, because I couldn't even understand it. You advocated for DoT (and extensions to it). I pointed out that DoT and DoH are the same thing. You came back with a non-sequitur about end-to-end encryption.


I am advocating for aDoT, which is not DoT. The "a" letter in the beginning is an important distinction and stands for (a)uthoritative and aDoT is an early rfc draft about communication between a resolver and an authoritative server.

To explain the terminology I use I can source the definitions from RFC 1034. We have "stub", "recursive", and "authoritative" resolvers. A stub resolver sits at clients because in 1987 not every computer had enough computer resources to run a recursive resolver themselves, and stub resolver talks exclusively to recursive resolvers. Recursive resolvers iterative talks to authoritative servers in order to resolve a domain name into a resource record (ip addresses, text, alias and so on), and the recursive resolver return the results to the stub resolver or the computer that host it.

As the RFC specify, there was original two reasons why a machine may want to have a stub resolver and use someone else recursive resolver. One is the above reason that stub resolvers can be used on machines that do not have the computer resources to run a resolver. The second is in order to "centralize the cache for a whole local network or organization.". The preferred way as specified by the RFC is to do the recursive resolving on all machines, but if you want a centralized cache or have machines that do not have enough in terms of 1987 computer resources then there is a option to use a stub resolver.

DoH and DoT is technology to encrypt the traffic between the stub resolver and the recursive resolver. Neither can be used if one follow the recommendation and operate the recursive resolver yourself. DNS between recursive resolving and the authoritative server is in plain text. aDoT fixes this, allowing for encrypted traffic between the recursive resolving and authoritative server. When a client who runs its own recursive resolver can create a encrypted channel between it and the authoritative server, what we have is end-to-end encryption.

If there is a technical concept here you don't under just let me know and I can try to explain it further.


I'm familiar. Obviously, over the long term, DoH is going to make its way to authority services, and subsume the legacy plaintext service. Maybe, because nobody has a strong interest in anti-censorship in recursor-to-authority communications, it'll even be DoT between cache and authority servers; I don't care (though it will be silly to have two different transports for the same fundamental transaction).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: