This DNS over HTTP thing

[drc at virtualized.org (David Conrad)]

Jay,

On Oct 1, 2019, at 12:18 PM, Jay R. Ashworth <jra at baylink.com> wrote:
> This is thought to be about security?
> 
> Didn't we already *fix* DNS SECurity?

No.  DNSSEC solves a different problem (being able to verify what you get is what the domain owner published).

DoH (and DoT) encrypt (and authenticate) the application <-> recursive resolver channel (NOT the DNS data) which I gather some view as an attack vector. Mozilla has decided to _also_ redefine the default resolver (unless use-application-dns.net <http://use-application-dns.net/> NXDOMAINs), instead of the resolver (typically) assigned by the ISP, for browser queries.  That last bit is generating a bit of â??discussionâ?? as it can bypass efforts by network operators to modify DNS responses for whatever reason (e.g., protect customers from phishing sites, censoring domain names due in response to court orders, monetizing typos, etc.).

Regards,
-drc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20191001/ccf27141/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20191001/ccf27141/attachment.sig>