[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH
Paul Vixie
paul at redbarn.org
Thu May 16 17:56:52 UTC 2019
On Thursday, 16 May 2019 06:47:08 UTC Mukund Sivaraman wrote:
> On Thu, May 16, 2019 at 05:46:20AM +0000, Paul Vixie wrote:
...
> > the holy grail is, listeners who don't support DOH (the /dns-query URI)
> > should be rewarded by not having their traffic decrypted at my network
> > edge, and i never have to force a TLS downgrade on my clients. this
> > requires some kind of selective proxying. i don't think that's simple.
> > does anyone?
>
> The goal of supporters of DoH is to make interference impossible to
> perform.
their ignorance of private network security policy, and arrogance toward
anyone whose network does not look like theirs, is thus made evident. we have
been set a challenge: how will we block DOH in spite of its unblockability
goals?
> When the traffic is indistinguishable, it is going to be very
> difficult or impossible.
it won't be impossible. questions remain as to total cost, but it _will_ be
done. some of those costs will be collateral damage, end user satisfaction,
performance, and complexity. other costs will be in hard cold cash.
--
Paul
More information about the dns-operations
mailing list