[dns-operations] need recommendation for filtering outbound HTTPS
Petr Špaček
petr.spacek at nic.cz
Fri May 17 09:51:50 UTC 2019
On 16. 05. 19 20:22, Paul Vixie wrote:
> 2. i have to anti-alias all possible names for any DoH listener address, as
> well as fully enumerating all DoH listener addresses, which can be expected to
> move around via techniques similar to "fast flux" in order to evade blocking.
> i have anti-aliasing powers (DNSDB) but most operators don't. i expect i'll
> have to actually try the DoH (/dns-query URI) with every distant address that
> any of my internal HTTPS-via-proxy initiators want to connect to, in order to
> build my own "whitelist" of listener IP addresses who don't support DoH.
AFAIK /dns-query is not standardized, it can be anywhere else.
--
Petr Špaček @ CZ.NIC
More information about the dns-operations
mailing list