DNS over HTTPS in Firefox
Posted Jun 8, 2018 23:09 UTC (Fri) by fratti (guest, #105722). In reply to: DNS over HTTPS in Firefox by mcmanus
Parent article: DNS over HTTPS in Firefox
A lot of these arguments appear to try pushing DoH by claiming the inferiority of real-world deployments of UDP DNS protocols, not actual inferiority of the protocol itself. I don't think this is fair; of course, if you say "Yes, we at Cloudflare and Mozilla are going to deploy this better," it'll be a better deployment in the real world. That, however, does not make DoH a good idea, because you didn't fix the existing stacks; you made an overengineered new stack that is not more performant on the protocol level, but just on the implementation level. If you're going to take over both the protocol and the implementation, why not do it properly in both areas? Why not DTLS? Why HTTP?
Posted Jun 8, 2018 23:57 UTC (Fri)
by excors (subscriber, #95769)
https://bitsup.blogspot.com/2018/05/the-benefits-of-https... seems to answer that.
Posted Jun 9, 2018 4:57 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
Well, it failed miserably. With DNSSEC you are routinely looking at replies that are greater than 1500 bytes long. IPv4 fragmentation usually saves the day (though it's slowly getting more and more broken) but with IPv6 it's a complete non-starter.
There are two ways to fix it:
1) Make DNS great^W small again. ECC instead of RSA basically fixes it for _most_ cases, but not all.
2) Just forget about all this stateless nonsense and go full-metal-stateful. This way you can utilize all the advances made by browsers, in particular QUIC and TLS 1.3. They allow zero-RTT connection initiation, at the cost of stored data.
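The size argument above is easy to check by framing a DNSKEY response on the wire and measuring it. The following is an added example, not code from the thread or from any DNS implementation: it encodes a DNSKEY RRset and its RRSIGs per RFC 1035 / RFC 4034 / RFC 6891 for a few constructed key configurations (one-key-each steady state, a KSK rollover, a simultaneous KSK+ZSK rollover) and compares the resulting message size against the 1500-byte Ethernet MTU over IPv4 and the 1280-byte IPv6 minimum MTU. The zone name, key counts, RRSIG counts, and the key and signature bytes are all assumptions; the keys are filler of the right length, not real key material, so only the framing is meaningful.

```python
"""Wire-size arithmetic for a DNSSEC DNSKEY response (added example, not
from the thread).  Keys and signatures are constructed filler bytes of the
right length, so nothing here is cryptographically valid; only the framing
follows RFC 1035 / RFC 4034 / RFC 6891."""
import struct

DNSKEY, RRSIG, OPT = 48, 46, 41
RSASHA256, ECDSAP256SHA256 = 8, 13          # IANA DNSSEC algorithm numbers
IPV6_MIN_MTU, ETHERNET_MTU = 1280, 1500
IPV6_UDP_OVERHEAD, IPV4_UDP_OVERHEAD = 40 + 8, 20 + 8


def encode_name(name):
    """RFC 1035 3.1 label encoding of an absolute dotted name."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def rr(owner, rtype, rdata, ttl=3600):
    """OWNER TYPE CLASS(IN) TTL RDLENGTH RDATA (RFC 1035 3.2.1)."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def dnskey_rdata(alg, pubkey, ksk):
    """RFC 4034 2.1: flags (256 = ZSK, 257 = KSK/SEP), protocol 3, algorithm, key."""
    return struct.pack("!HBB", 257 if ksk else 256, 3, alg) + pubkey


def rrsig_rdata(alg, signer, signature):
    """RFC 4034 3.1: 18 fixed bytes, then the signer name (which MUST NOT be
    compressed, section 3.1.7) and the raw signature."""
    labels = len(signer.rstrip(".").split("."))
    fixed = struct.pack("!HBBIIIH", DNSKEY, alg, labels, 3600, 0, 0, 0)
    return fixed + encode_name(signer) + signature


def rsa_pubkey(bits):
    """RFC 3110 layout: exponent length, exponent 65537, then the modulus (filler)."""
    return b"\x03\x01\x00\x01" + b"\xaa" * (bits // 8)


def dnskey_response(zone, alg, keys, sig_len, nsigs, edns_bufsize=4096):
    """Full DNS message: header, question, DNSKEY RRset + RRSIGs, OPT RR.
    `keys` is a list of (is_ksk, pubkey_bytes); answer owners use a 2-byte
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(keys) + nsigs, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", DNSKEY, 1)
    owner = b"\xc0\x0c"
    answer = b"".join(rr(owner, DNSKEY, dnskey_rdata(alg, pk, ksk)) for ksk, pk in keys)
    answer += b"".join(rr(owner, RRSIG, rrsig_rdata(alg, zone, b"\x55" * sig_len))
                       for _ in range(nsigs))
    opt = b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)   # RFC 6891 6.1.2
    return header + question + answer + opt


def fits_unfragmented(payload_len, ip_udp_overhead, mtu):
    """Does IP + UDP + this DNS payload fit in one packet of the given MTU?"""
    return payload_len + ip_udp_overhead <= mtu


def scenarios(zone="example.com."):
    """Constructed key configurations (assumptions, not any real zone)."""
    rsa = lambda ksk: (ksk, rsa_pubkey(2048))
    ecc = lambda ksk: (ksk, b"\x42" * 64)          # P-256 point, RFC 6605 section 4
    cases = {
        "rsa2048-steady": (RSASHA256, [rsa(True), rsa(False)], 256, 1),
        "rsa2048-ksk-rollover": (RSASHA256, [rsa(True), rsa(True), rsa(False)], 256, 2),
        "rsa2048-double-rollover": (RSASHA256, [rsa(True), rsa(True), rsa(False), rsa(False)], 256, 2),
        "ecdsa256-double-rollover": (ECDSAP256SHA256, [ecc(True), ecc(True), ecc(False), ecc(False)], 64, 2),
    }
    return {name: len(dnskey_response(zone, *args)) for name, args in cases.items()}


if __name__ == "__main__":
    for name, size in scenarios().items():
        v4 = fits_unfragmented(size, IPV4_UDP_OVERHEAD, ETHERNET_MTU)
        v6 = fits_unfragmented(size, IPV6_UDP_OVERHEAD, IPV6_MIN_MTU)
        print(f"{name:26s} {size:5d} bytes  v4/1500: {v4!s:5s} v6/1280: {v6!s:5s}")
```

With these assumptions a two-key RSA-2048 zone answers in 891 bytes, the KSK rollover (three keys, two signatures) in 1466 bytes, which still squeezes into a 1500-byte IPv4 frame but not into the 1280-byte IPv6 minimum, and the double rollover in 1742 bytes, which fragments either way; the same four-key P-256 configuration is 574 bytes. That is the "fixes it for most cases" part; the "not all" part is the rest of a signed response (NSEC/NSEC3 records and their RRSIGs, large RRsets), which this example does not model.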