[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH

Mukund Sivaraman muks at mukund.org
Thu May 16 06:47:08 UTC 2019

On Thu, May 16, 2019 at 05:46:20AM +0000, Paul Vixie wrote:
> On Monday, 13 May 2019 02:31:31 UTC Grant Taylor wrote:
> > There's always a TCP Reset and then not interfering with the next
> > packets between the two IPs.
> this is the most interesting idea i've heard, and i'm thinking hard about it.
> the second most interesting idea i've heard is dnsfire:
> 	https://github.com/wupeka/dnsfire

This is a clever idea. There are popular applications that don't use
DNS.  For an app such as Telegram, its "datacenters" [1] have a fixed
set of addresses that can be whitelisted, but there are others like
Bittorrent's DHT (Kademlia) where the addresses are not a fixed set. Any
address-based peer-to-peer activity such as SIP will be affected.

If the filtering is limited to TCP port 443, the approach seems
promising as almost nothing popular is going to use TLS without DNS
(Telegram is still an exception). It seems cleverly thought of.

1. https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/jni/tgnet/ConnectionsManager.cpp#L1590

> the holy grail is, listeners who don't support DOH (the /dns-query URI) should 
> be rewarded by not having their traffic decrypted at my network edge, and i 
> never have to force a TLS downgrade on my clients. this requires some kind of 
> selective proxying. i don't think that's simple. does anyone?

The goal of supporters of DoH is to make interference impossible to
perform. When the traffic is indistinguishable, it is going to be very
difficult or impossible.
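The dnsfire-style gate discussed above, as an added example that is not code from the dnsfire project or from this post: a new outbound TCP/443 flow is allowed only if its destination was recently returned in a DNS answer or sits on a static allow-list, and everything else on 443 gets a reset. The 203.0.113.0/24 range, the hostnames and the event timeline are constructed stand-ins (not Telegram's real datacenter addresses); other ports are left alone, which is why address-based peer-to-peer traffic such as DHT or SIP is unaffected.

```python
import ipaddress

STATIC_NET = "203.0.113.0/24"  # constructed stand-in for a fixed-address app's datacenters

class DnsSeenPolicy:
    # Admit outbound TCP/443 only to addresses recently seen in a DNS answer
    # (or on a static allow-list); every other 443 flow gets a TCP reset.
    def __init__(self, static_allow=(), grace=60):
        self.static = [ipaddress.ip_network(n) for n in static_allow]
        self.grace = grace   # seconds an answer stays valid beyond its TTL
        self.seen = {}       # ip address -> (qname, expiry timestamp)

    def observe_answer(self, qname, addr, ttl, now):
        """Record an A/AAAA record the resolver returned to a client."""
        self.seen[ipaddress.ip_address(addr)] = (qname, now + ttl + self.grace)

    def decide(self, dst, port, now):
        """Return 'allow' or 'reset' for a new outbound flow to dst:port."""
        if port != 443:
            return "allow"   # only TLS on 443 is gated, as the thread proposes
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.static):
            return "allow"   # fixed-address app on the allow-list
        entry = self.seen.get(ip)
        if entry is None:
            return "reset"   # no DNS lookup preceded this connection
        if entry[1] < now:
            del self.seen[ip]  # answer expired; forget it
            return "reset"
        return "allow"

def run(events):
    """Replay constructed (time, kind, ...) events; return one decision per flow."""
    policy = DnsSeenPolicy(static_allow=[STATIC_NET], grace=60)
    decisions = []
    for ev in events:
        if ev[1] == "dns":
            now, _, qname, addr, ttl = ev
            policy.observe_answer(qname, addr, ttl, now)
        else:
            now, _, dst, port = ev
            decisions.append((now, dst, port, policy.decide(dst, port, now)))
    return decisions

# Constructed sample traffic using documentation address ranges only.
EVENTS = [
    (0, "dns", "www.example.com", "192.0.2.10", 300),
    (1, "tcp", "192.0.2.10", 443),     # resolved a moment ago -> allow
    (2, "tcp", "198.51.100.7", 443),   # never resolved -> reset
    (3, "tcp", "203.0.113.5", 443),    # static allow-list -> allow
    (4, "tcp", "198.51.100.7", 6881),  # DHT-style port, not gated -> allow
    (400, "tcp", "192.0.2.10", 443),   # TTL 300 + grace 60 exceeded -> reset
]
```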
