[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH

Paul Vixie paul at redbarn.org
Thu May 16 17:56:52 UTC 2019

On Thursday, 16 May 2019 06:47:08 UTC Mukund Sivaraman wrote:
> On Thu, May 16, 2019 at 05:46:20AM +0000, Paul Vixie wrote:
> > the holy grail is, listeners who don't support DOH (the /dns-query URI)
> > should be rewarded by not having their traffic decrypted at my network
> > edge, and i never have to force a TLS downgrade on my clients. this
> > requires some kind of selective proxying. i don't think that's simple.
> > does anyone?
> The goal of supporters of DoH is to make interference impossible to
> perform.

their ignorance of private network security policy, and arrogance toward 
anyone whose network does not look like theirs, is thus made evident. we have 
been set a challenge: how will we block DOH in spite of its unblockability?

> When the traffic is indistinguishable, it is going to be very
> difficult or impossible.

it won't be impossible. questions remain as to total cost, but it _will_ be 
done. some of those costs will be collateral damage, end user satisfaction, 
performance, and complexity. other costs will be in hard cold cash.
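For the "selective proxying" step that the thread says is needed, here is an added example (not code from the thread or from any project it mentions) of the classification a network-edge proxy would apply to a request it has already decrypted: it checks the RFC 8484 markers (the conventional /dns-query path, the application/dns-message media type, and the base64url `dns` query parameter on GET), recovers the queried name from the DNS wire message so the decision can be logged, and leaves everything else to pass through. The sample requests and all function names are constructed for this example.

```python
"""Classify decrypted HTTP requests as DoH (RFC 8484) or not, for a policy proxy.
Added example; sample requests below are constructed, not from the thread."""
import base64
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"   # media type defined by RFC 8484
DOH_PATH = "/dns-query"                       # conventional path; resolvers may use others


def build_query(name: str) -> bytes:
    """Build a minimal DNS A query in wire format (used only to construct samples)."""
    header = b"\x00\x00\x01\x00\x00\x01" + b"\x00\x00" * 3      # id 0, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"        # QTYPE A, QCLASS IN


def _parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _qname(msg: bytes):
    """Return the first question name from a DNS wire message, or None if malformed."""
    if len(msg) < 12 or int.from_bytes(msg[4:6], "big") == 0:   # no QDCOUNT
        return None
    pos, labels = 12, []
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or pos + 1 + length > len(msg):
            return None   # compression pointer or truncated label: not a plain question
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None


def classify_doh(raw: bytes) -> dict:
    """Decide whether a decrypted request is DoH and, if so, which name it asks for."""
    method, target, headers, body = _parse_request(raw)
    url = urlsplit(target)
    reasons = []
    if url.path == DOH_PATH:
        reasons.append("path")
    if DOH_MEDIA_TYPE in (headers.get("content-type"), headers.get("accept")):
        reasons.append("media-type")
    params = parse_qs(url.query)
    msg = b""
    if method == "GET" and "dns" in params:
        reasons.append("dns-param")
        encoded = params["dns"][0]                      # unpadded base64url per RFC 8484
        msg = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    elif method == "POST" and headers.get("content-type") == DOH_MEDIA_TYPE:
        msg = body
    is_doh = bool(reasons)
    return {"is_doh": is_doh, "reasons": reasons,
            "qname": _qname(msg) if msg else None,
            "decision": "block" if is_doh else "pass"}   # policy: only DoH is interfered with


# Constructed sample traffic: one DoH GET, one DoH POST, one ordinary web request.
_ENCODED = base64.urlsafe_b64encode(build_query("example.com")).rstrip(b"=").decode()
SAMPLE_DOH_GET = (f"GET /dns-query?dns={_ENCODED} HTTP/1.1\r\nHost: doh.example.net\r\n"
                  f"Accept: {DOH_MEDIA_TYPE}\r\n\r\n").encode()
_BODY = build_query("example.com")
SAMPLE_DOH_POST = (f"POST /dns-query HTTP/1.1\r\nHost: doh.example.net\r\n"
                   f"Content-Type: {DOH_MEDIA_TYPE}\r\nContent-Length: {len(_BODY)}\r\n\r\n"
                   ).encode() + _BODY
SAMPLE_PLAIN_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n"
                    b"Accept: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("doh-get", SAMPLE_DOH_GET), ("doh-post", SAMPLE_DOH_POST),
                       ("plain", SAMPLE_PLAIN_GET)]:
        print(label, classify_doh(req))
```

Only requests the classifier marks as DoH receive a "block" decision; everything else is passed as-is, which is the selective behaviour the thread asks for. The path check is heuristic (a resolver can serve DoH on any path), so the media-type and `dns`-parameter checks carry most of the weight.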
