[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH

Mukund Sivaraman muks at mukund.org
Fri May 17 03:58:41 UTC 2019

Hi Grant

On Thu, May 16, 2019 at 08:55:20PM -0600, Grant Taylor wrote:
> I've got to say, that Witold's responses seem perfectly reasonable for a
> project of this type still in development.
> On 5/16/19 12:37 PM, Witold Krecicki wrote:
> > Latency - if we add the rule to iptables too late the user experience is
> > much worse (been there, done that),
> Would you please elaborate on "too late".  Do you mean too many other rules
> that get processed before the rule for dnsfire?

If a path to the peer is not opened at the firewall before the DNS
response is received by the client, the client may race ahead and
attempt a SYN to the peer before the firewall is ready, which will get

The resolver would have to synchronously ensure a hole has been punched
in the firewall for the answer it is returning before returning the
answer to the client.


More information about the dns-operations mailing list