Hacker News new | past | comments | ask | show | jobs | submit login

He is referring to the fact that apps will start ignoring local network DNS config and directly talk to their own hard coded DNS IPs.

I'm guessing the solution to that is to firewall various DNS IPs to force the app to use your local DNS. I could forsee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.




> I could forsee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.

DoH isn't really going to look like https, the requests and responses are going to be too small.

If you're serious about it, you don't allow any random IP connections, only allow connections to IPs that were received by DNS, and only return proxy addresses that you NAT to the real thing. It's more work, but it's still trivial.


> ...only allow connections to IPs that were received by DNS

Works for a home / office setup. I think the main use of DoH is circumventing government enforced censorships, to an extent that it can.

For ISPs to use "packet sizes" they'd need to run stateful firewalls at scale, which is unheard of, and possibly very expensive to run at that scale.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: