[dns-operations] A dns-proxy for DNS over HTTP(s)

Paul Vixie paul at redbarn.org
Thu Aug 27 03:05:35 UTC 2015

Mark Delany wrote:
> On 26Aug15, Paul Vixie allegedly wrote:
>> you had me until that last part. DNS-over-HTTPS, crude and suppurating
>> hack that it is, would not even be aware of TCPCT under its covers.
> I was merely pointing out that SSL state is not as compressible as TCP
> state. By orders of magnitude. I wasn't advocating anything.

ah. i'm not worried about ssl state in this example. DNS-over-HTTP uses libcurl's "keep open" knob, so connections aren't closed until they've been idle for some period of time. that period of time is long enough to amortize the cost of the ssl state negotiation being thrown away.

the only points in time when TCP state needs compression in the DNS-over-HTTP model are (1) during the interval from SYN-ACK to ACK (when the server has no state because the SYN cookie of the ACK will have enough data to recreate the TCB) and (2) the interval between the FIN-ACK (which is in TCP strictly advisory) and a future SYN (when compressed state gives you a MaxWnd so that you don't have to re-enter slow-start.)

i wasn't advocating anything either, just trying to keep the record straight WRT costs + constraints. i am specifically not advocating DNS-over-HTTP as anything other than a DNS VPN meant to get clean DNS signal inside hotel rooms and coffee shops that tamper with UDP/53.

Paul Vixie
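The amortization argument in the message above (one long-lived HTTP connection carrying many DNS queries, versus a fresh TCP, and with HTTPS a fresh TLS handshake, per query) can be measured directly. The following is an added example, not code from this thread or from any DNS-over-HTTP proxy: a toy HTTP server that counts accepted TCP connections and HTTP requests, a client that POSTs constructed wire-format DNS queries to it, and a comparison of the two connection strategies. The "/dns-query" path, the application/octet-stream media type and the fake_answer stub are assumptions chosen for the demo; the server does no real resolution, it only echoes the question back with the QR bit set.

```python
"""Added example: count TCP connections per DNS-over-HTTP query with and
without keep-alive. Not code from the dns-operations thread or any project."""
import http.client
import struct
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def build_query(qname, qid=0x1234):
    """Constructed wire-format DNS query: header with RD set and QDCOUNT=1,
    followed by one question for <qname> A IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def fake_answer(query):
    """Stand-in for the upstream resolver (assumption): copy the ID, set QR
    and RD/RA (flags 0x8180), echo the question section, add no RRs."""
    qid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", qid, 0x8180, qdcount, 0, 0, 0) + query[12:]


class Handler(BaseHTTPRequestHandler):
    # HTTP/1.1 is what keeps the connection open between requests; the default
    # HTTP/1.0 would make the server close after every response.
    protocol_version = "HTTP/1.1"

    def setup(self):
        super().setup()
        with self.server.lock:
            self.server.connections += 1  # setup() runs once per accepted TCP connection

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        with self.server.lock:
            self.server.requests += 1  # one per HTTP request, however many per connection
        answer = fake_answer(body)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")  # assumed media type
        self.send_header("Content-Length", str(len(answer)))
        self.end_headers()
        self.wfile.write(answer)

    def log_message(self, *args):
        pass  # keep the demo quiet


class CountingServer(ThreadingHTTPServer):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.lock = threading.Lock()
        self.connections = 0
        self.requests = 0


def measure(n_queries, keep_open):
    """Send n_queries over HTTP to a local server and return
    (tcp_connections_accepted, http_requests_served) as the server saw them."""
    srv = CountingServer(("127.0.0.1", 0), Handler)  # port 0: let the OS pick
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        host, port = srv.server_address
        conn = http.client.HTTPConnection(host, port) if keep_open else None
        for i in range(n_queries):
            if not keep_open:
                # No "keep open" knob: a new TCP connection for every query, which
                # with HTTPS would also mean a new TLS handshake every time.
                conn = http.client.HTTPConnection(host, port)
            query = build_query("example.com", qid=0x1000 + i)
            conn.request("POST", "/dns-query", body=query,
                         headers={"Content-Type": "application/octet-stream"})
            resp = conn.getresponse()
            answer = resp.read()  # drain the body fully so the socket is reusable
            if answer[:2] != query[:2] or not (answer[2] & 0x80):
                raise RuntimeError("unexpected answer: ID mismatch or QR bit clear")
            if not keep_open:
                conn.close()
        if keep_open:
            conn.close()  # client-side idle close; a real proxy would use an idle timer
    finally:
        srv.shutdown()
        srv.server_close()
        thread.join()
    return srv.connections, srv.requests


if __name__ == "__main__":
    print("keep-alive, 10 queries (connections, requests):", measure(10, True))
    print("one-shot,   10 queries (connections, requests):", measure(10, False))
```

The keep-alive run accepts one TCP connection for all ten queries; the one-shot run accepts ten. Nothing here models the TLS layer, but the ratio is the point: whatever the handshake costs, keep-alive pays it once per idle period rather than once per query, which is why the discussion can ignore SSL state and concentrate on TCP state at connection open and close.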
