[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH
Mukund Sivaraman
muks at mukund.org
Fri May 17 03:58:41 UTC 2019
Hi Grant
On Thu, May 16, 2019 at 08:55:20PM -0600, Grant Taylor wrote:
> I've got to say, that Witold's responses seem perfectly reasonable for a
> project of this type still in development.
>
> On 5/16/19 12:37 PM, Witold Krecicki wrote:
> > Latency - if we add the rule to iptables too late the user experience is
> > much worse (been there, done that),
>
> Would you please elaborate on "too late". Do you mean too many other rules
> that get processed before the rule for dnsfire?
If a path to the peer is not opened at the firewall before the DNS
response is received by the client, the client may race ahead and
attempt a SYN to the peer before the firewall is ready, which will get
blocked.
The resolver would have to synchronously ensure a hole has been punched
in the firewall for the answer it is returning before returning the
answer to the client.
Mukund
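The ordering constraint Mukund describes, as an added toy model (not dnsfire's or BIND's code): a default-deny firewall, a resolver that either installs the allow rule before handing back the answer or defers it to an installer that runs afterwards, and a client that sends its first SYN the moment the answer arrives. The name, address and the queue standing in for the asynchronous rule installer are all constructed.

```python
"""Toy model of the resolver/firewall race from the thread (hypothetical code).

A resolver that punches a firewall hole per answer must install the rule
*before* the answer leaves; otherwise the client's first SYN can reach the
firewall before the rule exists and is dropped.
"""
from collections import deque


class Firewall:
    """Default-deny: a SYN to an address is accepted only if a rule exists."""

    def __init__(self):
        self.allowed = set()
        self.log = []  # (address, verdict) for every SYN seen

    def allow(self, addr):
        self.allowed.add(addr)

    def syn(self, addr):
        verdict = "ACCEPT" if addr in self.allowed else "DROP"
        self.log.append((addr, verdict))
        return verdict


# Constructed answer data standing in for a real recursive lookup.
ZONE = {"www.example.net.": "192.0.2.10"}


def resolve_and_connect(fw, name, punch_before_answer):
    """One lookup followed immediately by the client's SYN.

    `queue` models an asynchronous rule installer that only gets to run
    after the current step has finished.
    """
    queue = deque()
    addr = ZONE[name]
    if punch_before_answer:
        fw.allow(addr)  # synchronous: rule exists before the answer leaves
    else:
        queue.append(lambda: fw.allow(addr))  # deferred: installed "later"
    # Client receives the answer and races ahead with its first SYN.
    verdict = fw.syn(addr)
    # The deferred installer runs only now; too late for that SYN.
    while queue:
        queue.popleft()()
    return verdict, addr in fw.allowed


def demo():
    late = resolve_and_connect(Firewall(), "www.example.net.", False)
    early = resolve_and_connect(Firewall(), "www.example.net.", True)
    return {"deferred": late, "synchronous": early}


if __name__ == "__main__":
    print(demo())
```

In the deferred case the rule does end up installed, but only after the client's first SYN has already been dropped, which is the latency hit described above.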