Talk:DNS over HTTPS/Archive
This is an archive of past discussions about DNS over HTTPS. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page. |
Protocols
I've added protocols, where known, to the table. The Google and Mozilla cases are clear-cut, but I don't know what protocol CleanBrowsing's DoH server uses, so I've marked it as "unknown" for now. -- The Anome (talk) 10:01, 4 June 2018 (UTC)
DNS over HTTPS - Public DNS Servers
This page lists information that is also listed at the page Public recursive name server. Might be better to refer to this list from the DoH article, instead of repeating information here. I've suggested a new structure for the public name server list (see Talk:Public_recursive_name_server), if the structure can be implemented it would be fine to delete the list here and add a reference instead. --BlackEyeGalaxy (talk) 15:31, 1 August 2018 (UTC)
New internet-draft: Considerations for Operator Networks
Should the article quote some of the privacy and security challenges mentioned in this recently published Internet-Draft? Leoloewe (talk) 18:52, 9 March 2019 (UTC)
- I fixed your URL .... Wefa (talk) 19:21, 4 July 2019 (UTC)
Slow servers
I find that claim about slow servers in the lede obnoxious. It is not very well supported by its source (interview claim w/o underlying sources), it contains several weasel words and its goes against all we know about DNS. Typical ISP servers have cache hit rates well beyond 90%, and answers from cache take minimal time. The latency determinant is the network latency, which will neraly always be worse for google or cloudflare than for the local ISP's DNS server. Furthermore the source (the guy interviewed) is essentially the Inventor of this protocol and thus anything but NPOV. I propose to remove that paragraph from the lede. Wefa (talk) 19:21, 4 July 2019 (UTC)
Performance
I think The Register has taken Patrick McManus out of context a little here. DNS over HTTPS doesn't speed up DNS requests (in fact it actually slows them down compared to DNS over UDP), shifting them to faster infrastructure does. We should be able to find sources that articulate this a little clearer. TheDragonFire (talk) 12:08, 26 February 2019 (UTC)
- This depends on the implementation, newer HTTP versions like HTTP/2 and HTTP/3 mean HTTPS is actually faster than plaintext transmissions as they're only available for HTTPS. FozzieHey (talk) 17:35, 27 June 2020 (UTC)
Information disclosed in plain-text DNS is also available in other plain-text communications
The section DNS_over_HTTPS#Information_disclosed_in_plain-text_DNS_is_also_available_in_other_plain-text_communications seems to be a criticism of other technologies and not DNS over HTTPS itself. I propose it is removed. Jdee4 (talk) 13:06, 5 July 2020 (UTC)
Shifting origin of trust
I don't see the point of this section. The same would apply to HTTPS, when you connect to example.com over HTTPS you still have to trust the operator of example.com. This isn't relevant to DoH as it's aimed at protecting DNS queries in transit, not from the server who responds to them. FozzieHey (talk) 20:51, 4 July 2020 (UTC)
- I agree with removing this. I also think another criticism is invalid, new section below. Jdee4 (talk) 13:07, 5 July 2020 (UTC)
- I think the section title "Criticism" is not accurate, and I suggest renaming it to "Challenges of DoH deployment" or "Compatibility/Interoperability concerns" or "Caveats". Now, when these challenges are considered and resolved, these are not "criticisms" but compatibility considerations.
- I think the section was titled "Criticisms" when DoH was still in its infancy and some stakeholders wanted to raise awareness of these interoperability issues (were afraid of things breaking). For example, Comcast (ISP) was fighting Mozilla (developers of Firefox) and Google (developers of Google Chrome) over DoH: there were letters to congress[1], sometimes even nasty accusations and lobbying. And then, recently Mozilla and Comcast partner on DoH: Comcast resolvers support DoH and Mozilla accepts Comcast into the "trusted resolver program".[2] Also recently (in Chrome 83), Google implemented a DoH detection mechanism and enables DoH only if default resolver specifically supports it (Comcast is specifically mentioned as "auto-upgradable").[3]
- [1] From Mozilla (against Comcast) https://blog.mozilla.org/blog/2019/11/01/asking-congress-to-examine-isp-data-practices/
- From Comcast (against primarily Google, but also Mozilla) https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data
- [2] https://www.fiercetelecom.com/telecom/comcast-first-isp-to-sign-up-for-mozilla-s-trr-program
- [3] https://www.chromium.org/developers/dns-over-https
- I think this section is useful and is supported by significant number of third-party sources, but it requires some work.
- Anton.bersh (talk) 15:42, 5 July 2020 (UTC)
- I also get the impression these criticisms are largely baseless and written by people who want to see DNS over TLS implemented in preference to DoH. Some of the alleged criticisms such as DoH not fixing SNI data leakage apply equally to both DoH and DoT. Jdee4 (talk) 22:28, 5 July 2020 (UTC)
Article comparison with DNS over TLS
Despite recent edits, there is still a negative bias towards DNS over HTTPS in this article which is not present in the article DNS over TLS. There is really no difference between the two in functional terms and any criticism for one can be fairly leveled at the other. Further work is needed to make sure criticisms are replicated on both articles (e.g. bypassing of parental controls) or removed as invalid. Jdee4 (talk) 12:10, 21 July 2020 (UTC)
- You can add it to the other article if you want. The fact is that DoH has way more support than DoT which means it's Wikipedia article is going to be more detailed, perhaps we should consider merging DoT into DoH. FozzieHey (talk) 12:11, 21 July 2020 (UTC)
- I think merging is work investigating, since they are so similar. I'm not sure what the title would be though, DNS Encryption perhaps? Jdee4 (talk) 12:24, 21 July 2020 (UTC)
Notability? Several items in software support section are not clearly notable
Today I was cleaning up the DOH page and noticed that these three pieces of software listed under "Software Support" do not appear to me to meet the WP:Notability test. They do not have their own Wikipedia pages and seem to mostly be new software that people are creating. While it is awesome that people are developing these programs, Wikipedia is NOT a place to provide listings of software. The items listed need to also pass the WP:Notability test.
Does anyone else believe these items below are notable enough to be listed? If so, please reply here. Thanks! -Dyork (talk) 21:00, 20 July 2020 (UTC)
YogaDNS
In 2019 Initex, the Russian developer of Proxifier app, made first beta release of YogaDNS for Windows. In 2020 it is still in beta phase. It includes system wide support for DNS over HTTPS, DNS over TCP, and secure dns (ssdns). Additional features are adding hosts file, log to screen and file, using several DNS servers at once, and making rules which domains to resolve over which server with prioritizing ability. This app only works on Windows 7 and later and is closed source.
Acrylic DNS Proxy
In 2019 Acrylic added support for DoH next to its existing support for DNS over TCP, UDP, and SOCKS5. The app is available in installable and portable edition. This app works on Windows XP and later.
Nebulo
Nebulo is app for DoH support for Android. It works as VPN service app, just like many DNS and VPN apps. It is still in beta phase.
dnscrypt-proxy
dnscrypt-proxy was the first mainstream opensource client implementation of the DoH specification. The software already implemented DNS encryption using the DNSCrypt protocol, along with features such filtering and caching, and version 2 had been designed from the ground up to support additional protocols. DoH support was added when the first draft was published, and kept being updated immediately after new revisions were made. DNS Stamps, a specification to encode a set of parameters to connect to DoH servers as a short string, was designed. Simultaneously, the DNSCrypt organization responsible for the project developed an opensource DoH server, and deployed the doh.crypto.sx service, demonstrating that DoH could work over a CDN (Cloudflare). Cloudflare announced their own DNS and DoH service a couple weeks later.
- I agree. I also don't think dnscrypt-proxy is notable either, especially considering all the major OS's and browsers have, or are getting native DoH implementations. Jdee4 (talk) 21:16, 20 July 2020 (UTC)
- @Dyork and Jdee4: I agree as well, I was actually considering removing them myself earlier today since their sections didn't have any references. I'd definitely prefer just paring the support section down to major operating systems and web browsers and not listing off every utility and proxy client that implements it, unless someone can come up with actual sources for them that pass WP:GNG. Nathan2055talk - contribs 21:38, 20 July 2020 (UTC)
- @Nathan2055 and Jdee4: - I also agree with all those edits. The software support section looks much better now. Thanks for those edits. The only other category of software I could see adding in here would be DNS servers and recursive resolvers such as Unbound, BIND, Knot, etc., as they include support for DOH. That could be useful for developers looking to understand which DNS software they could use to add DOH to their product / distribution / etc. - Dyork (talk) 01:42, 22 July 2020 (UTC)
- @Dyork: I was considering that too, but the list will start to get very long then. Perhaps a better place for adding such detail is here: Comparison_of_DNS_server_software. Jdee4 (talk) 12:17, 22 July 2020 (UTC)
- @Jdee4: - Ah, good point! I was not aware of the Comparison_of_DNS_server_software page before (although it makes total sense that Wikipedia would have one!). I agree that it might make more sense to add a DOH column to the comparison matrix there. (And then once that is done, a note could be added here on the DOH page pointing people over to that comparison matrix.) - Dyork (talk) 01:14, 23 July 2020 (UTC)
- @Dyork:That got me thinking that Comparison_of_web_browsers should include DoH too so I've added a column to the matrix there. Jdee4 (talk) 13:49, 23 July 2020 (UTC)
- @Jdee4: - That looks great on that comparison of browsers. Thanks for adding that! - Dyork (talk) 01:38, 24 July 2020 (UTC)
- @Dyork:That got me thinking that Comparison_of_web_browsers should include DoH too so I've added a column to the matrix there. Jdee4 (talk) 13:49, 23 July 2020 (UTC)
- @Jdee4: - Ah, good point! I was not aware of the Comparison_of_DNS_server_software page before (although it makes total sense that Wikipedia would have one!). I agree that it might make more sense to add a DOH column to the comparison matrix there. (And then once that is done, a note could be added here on the DOH page pointing people over to that comparison matrix.) - Dyork (talk) 01:14, 23 July 2020 (UTC)
- @Dyork: I was considering that too, but the list will start to get very long then. Perhaps a better place for adding such detail is here: Comparison_of_DNS_server_software. Jdee4 (talk) 12:17, 22 July 2020 (UTC)
- @Nathan2055 and Jdee4: - I also agree with all those edits. The software support section looks much better now. Thanks for those edits. The only other category of software I could see adding in here would be DNS servers and recursive resolvers such as Unbound, BIND, Knot, etc., as they include support for DOH. That could be useful for developers looking to understand which DNS software they could use to add DOH to their product / distribution / etc. - Dyork (talk) 01:42, 22 July 2020 (UTC)
- @Dyork and Jdee4: I agree as well, I was actually considering removing them myself earlier today since their sections didn't have any references. I'd definitely prefer just paring the support section down to major operating systems and web browsers and not listing off every utility and proxy client that implements it, unless someone can come up with actual sources for them that pass WP:GNG. Nathan2055talk - contribs 21:38, 20 July 2020 (UTC)
DoH and 5G
It is stated in the page that DoH has interoperability problems with 5G but I cannot find a source. Could someone further elaborate this claim? Eutampieri (talk) 11:33, 21 July 2020 (UTC)
- 5G is mentioned here but doesn't go into detail: https://www.zdnet.com/article/dns-over-https-google-hits-back-at-misinformation-and-confusion-over-its-plans/ Jdee4 (talk) 11:44, 21 July 2020 (UTC)
- The claim that there are problems with 5G and DoH compatibility are not substantiated, as far as I see. These are just statements like "we didn't bother to test it so if anything breaks it's someone else's fault!" In reality, all major DNS consumers (Firefox, Chrome, Microsoft products) pledged to use DoH in backwards-compatible manner. -Anton.bersh (talk) 22:13, 23 August 2020 (UTC)
- I also don't see how 5G can affect DoH. 5G is no different than 4G in it's use of the HTTP protocol. FozzieHey (talk) 22:16, 23 August 2020 (UTC)
- The claim that there are problems with 5G and DoH compatibility are not substantiated, as far as I see. These are just statements like "we didn't bother to test it so if anything breaks it's someone else's fault!" In reality, all major DNS consumers (Firefox, Chrome, Microsoft products) pledged to use DoH in backwards-compatible manner. -Anton.bersh (talk) 22:13, 23 August 2020 (UTC)