[dns-operations] need recommendation for filtering outbound HTTPS

Petr Špaček petr.spacek at nic.cz
Fri May 17 09:51:50 UTC 2019

On 16. 05. 19 20:22, Paul Vixie wrote:
> 2. i have to anti-alias all possible names for any DoH listener address, as 
> well as fully enumerating all DoH listener addresses, which can be expected to 
> move around via techniques similar to "fast flux" in order to evade blocking. 
> i have anti-aliasing powers (DNSDB) but most operators don't. i expect i'll 
> have to actually try the DoH (/dns-query URI) with every distant address that 
> any of my internal HTTPS-via-proxy initiators want to connect to, in order to 
> build my own "whitelist" of listener IP addresses who don't support DoH.

AFAIK /dns-query is not standardized, it can be anywhere else.

Petr Špaček  @  CZ.NIC

More information about the dns-operations mailing list