[dns-operations] A dns-proxy for DNS over HTTP(s)

Paul Vixie paul at redbarn.org
Thu Aug 27 04:06:58 UTC 2015

Mark Delany wrote:
> On 26Aug15, Paul Vixie allegedly wrote:
>> I am specifically not advocating DNS-over-HTTP as anything other
>> than a DNS VPN meant to get clean DNS signal inside hotel rooms and
>> coffee shops who tamper with UDP/53.
> Gotcha. Our goals differ then.
> My point is that DNS-over-TCP/HTTP is viable at Internet scale with
> network latency characteristics similar to UDP with security
> characteristics of TCP.

There's a team working on that over in the IETF DPRIV WG. I think
they're designing with TCPFO.

> The cost is of course server state, but my earlier post is trying to
> suggest that managing large amounts of TCP server state is tractable
> for the traffic profile of a large auth server.

And as long as we don't try to speak the new protocol on TCP/53 without
some kind of default=off negotiation added, I agree that large servers
(roots, TLDs) can cope with the new aggregate state load called for by
such a design.

Paul Vixie
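As an added example, not part of Paul's or Mark's messages: the DNS-over-TCP exchange the thread is weighing, in Python, using the RFC 1035 framing (the same wire-format message as UDP, prefixed with a two-octet length). The server side is an in-process loopback listener so the script runs offline and shows the per-connection state a TCP auth server has to hold; the query name, query ID and the 192.0.2.1 answer are constructed sample data, not anything from the thread.

```python
import socket
import struct
import threading

# Constructed sample data for this example (not from the thread): a query for
# example.com/A with a fixed ID, answered with the RFC 5737 documentation
# address 192.0.2.1.
SAMPLE_QNAME = "example.com"
SAMPLE_QID = 0x1234
SAMPLE_ANSWER = "192.0.2.1"


def encode_name(qname: str) -> bytes:
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l for l in labels) + b"\x00"


def build_query(qname: str, qid: int) -> bytes:
    """Wire-format DNS query; the bytes are identical over UDP and TCP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prepends a two-octet big-endian length to each message."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP is a byte stream, so recv() may return less."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return bytes(buf)


def read_tcp_message(sock: socket.socket) -> bytes:
    """Read one length-prefixed DNS message from a TCP socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def build_answer(query: bytes, ip: str) -> bytes:
    """Echo the question section, set QR/RD/RA, and append one A record."""
    qid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    # The question ends at the NAME terminator (0x00) plus 4 bytes of QTYPE/QCLASS.
    qend = query.index(b"\x00", 12) + 1 + 4
    header = struct.pack("!HHHHHH", qid, 0x8180, qdcount, 1, 0, 0)
    # NAME is a compression pointer (0xC00C) back to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + rr


def parse_answer_ip(resp: bytes, expect_qid: int) -> str:
    """Check ID and QR bit, skip the question, return the first A record's address."""
    qid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if qid != expect_qid or not (flags & 0x8000) or ancount < 1:
        raise ValueError("unexpected response")
    pos = resp.index(b"\x00", 12) + 1 + 4  # skip the single question
    _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", resp[pos:pos + 12])
    if rtype != 1 or rdlen != 4:
        raise ValueError("not an A record")
    return socket.inet_ntoa(resp[pos + 12:pos + 12 + rdlen])


def serve_one(listener: socket.socket, ip: str) -> None:
    """Accept one TCP connection, answer one framed query, then close it.

    Every accepted connection is kernel plus application state the server
    holds until close; that is the 'server state' cost discussed above.
    """
    conn, _peer = listener.accept()
    with conn:
        query = read_tcp_message(conn)
        conn.sendall(frame_tcp(build_answer(query, ip)))


def tcp_roundtrip(qname: str, qid: int, ip: str) -> str:
    """Run a loopback DNS-over-TCP query/response and return the answered IP."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    server = threading.Thread(target=serve_one, args=(listener, ip), daemon=True)
    server.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as client:
            client.sendall(frame_tcp(build_query(qname, qid)))
            resp = read_tcp_message(client)
    finally:
        server.join(timeout=5)
        listener.close()
    return parse_answer_ip(resp, qid)


if __name__ == "__main__":
    print(tcp_roundtrip(SAMPLE_QNAME, SAMPLE_QID, SAMPLE_ANSWER))
```

The client and server exchange nothing beyond what a UDP/53 query would carry, apart from the two-octet length and the TCP handshake itself; that is why a new protocol on TCP/53 cannot be distinguished from ordinary DNS-over-TCP without an explicit, default-off negotiation.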

