DNS-over-HTTPS

&gt; Currently, web-based applications must use browser extensions to take advantage of advanced DNS features such as DANE, DNS-SD service discovery, or even to look up anything other than IP addresses. Extensions for features that depend on DNSSEC must validate it themselves, as the browser and the OS may not (be able to) validate DNSSEC.<p>If only there were some way for Google to let people take advantage of advanced DNS features without requiring browser extensions ... alas, they&#x27;d probably need to add that code to a web browser. But then, where would they find a web browser they could add such code to? Ah well. Google should ask those web browser vendors why they won&#x27;t implement DNSSEC, at least. Maybe start with asking the browser with the highest market share, whichever that one is.

I find it somewhat amusing that in order to use DNS-over-HTTPS you must first resolve a domain using &quot;normal&quot; DNS (dns.google.com). You&#x27;d think they&#x27;d go ahead and publicly advertise a static IP for that so you can use it without relying on normal DNS.

DNSCurve solved this years ago: <a href="http:&#x2F;&#x2F;dnscurve.org" rel="nofollow">http:&#x2F;&#x2F;dnscurve.org</a> , with implementation notes here: <a href="https:&#x2F;&#x2F;dnscurve.io" rel="nofollow">https:&#x2F;&#x2F;dnscurve.io</a>

&gt; (including DNS-based Internet filtering)<p>What guarantees that they wouldn&#x27;t start filtering URLs on their own (upon request by DMCA, or FBI)?<p>I do get that they say what they log ( <a href="https:&#x2F;&#x2F;developers.google.com&#x2F;speed&#x2F;public-dns&#x2F;privacy" rel="nofollow">https:&#x2F;&#x2F;developers.google.com&#x2F;speed&#x2F;public-dns&#x2F;privacy</a> ), yet if in case this ever does become a _commonplace_ thing, they&#x27;d be easily able to obtain IP addresses of users trying to access blacklisted websites, and hand them over to officials (upon request, maybe?).

We did the same thing w&#x2F; JSON responses: <a href="https:&#x2F;&#x2F;www.openresolve.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.openresolve.com&#x2F;</a><p>This is a bad idea outside of experimentation. Not to be used for production.<p>If you want to secure DNS look at QUIC, TLS, or my favorite, DNSCrypt (which I funded).

I&#x27;ve actually just written a blogpost about it. <a href="http:&#x2F;&#x2F;www.dmitry-ishkov.com&#x2F;2016&#x2F;09&#x2F;dns-over-https.html" rel="nofollow">http:&#x2F;&#x2F;www.dmitry-ishkov.com&#x2F;2016&#x2F;09&#x2F;dns-over-https.html</a> You can run a local DNS server which is gonna use Google&#x27;s DNS-over-HTTPS. But as eridius noticed you still have to resolve dns.google.com

Why can&#x27;t you just send DNS messages over an SSL&#x2F;TLS socket? What&#x27;s the value add for http and REST?

Pretty cool, DNS as an API:<p>- JSON: <a href="https:&#x2F;&#x2F;dns.google.com&#x2F;resolve?name=doma.io" rel="nofollow">https:&#x2F;&#x2F;dns.google.com&#x2F;resolve?name=doma.io</a><p>- Web interface: <a href="https:&#x2F;&#x2F;dns.google.com&#x2F;query?name=doma.io&amp;type=A&amp;dnssec=true" rel="nofollow">https:&#x2F;&#x2F;dns.google.com&#x2F;query?name=doma.io&amp;type=A&amp;dnssec=true</a>

nice toy, but there are some things to be considered:<p>1) &quot;secure DNS&quot; is a solved problem 2) DNS is simple 3) responses normally easily fit inside one packet 4) DNS is fast<p>HTTPS is a slow, wordy and inefficient protocol. Forcing everything into JSON just compounds the problem.

HTTP-over-DNS would also be neat :) I think I would be able to get internet access in some airports if I had HTTP-over-DNS

Why doesn&#x27;t Google include the entire DNSSEC signature chain in the response? Their current approach to DNSSEC validation seems quite weak. Sure, I can query them and get an answer with AD set, but then I need to trust that they didn&#x27;t tamper with the response.

The &quot;web&quot; is becoming hack upon hack upon hack.

DNS doesn&#x27;t seem very well secured against determined attackers. But at the same time I almost never hear about attacks done via DNS spoofing. So I guess it harder to attack than I think.

Sometimes I think we should all take the Apple approach to this kind of things and deprecate old stuff and&#x2F;or make new stuff mandatory.<p>We could just force DNS extensions to be implemented in most&#x2F;all client&#x2F;server implementations.<p>DNS over HTTPS might be okay and work well, but imho is a (smart?) workaround, not a fix.<p>Why can&#x27;t we all set a time window (7.5 years? 10 years? 15 years?) to plan massive RFC&#x2F;protocols updates with possibly-breaking changes?<p>Edit:fix grammar (not native speaker of English)

What&#x27;s the purpose of explicitly specifying the &quot;random_padding&quot; parameter? Couldn&#x27;t the client send any arbitrary unused query argument as padding?

Why not DNS over TLS? <a href="https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;rfc7858" rel="nofollow">https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;rfc7858</a>

Shameless plug (again): <a href="https:&#x2F;&#x2F;github.com&#x2F;pforemski&#x2F;dingo" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;pforemski&#x2F;dingo</a>

You know, I&#x27;ve had thoughts along similar lines in the email space (SMTP). HTTP is such a fantastic protocol and an amazing amount of engineering effort has gone into it compared to SMTP. I&#x27;ve wondered whether there would be any interest in defining a translation from SMTP into HTTP, with an eye toward eventually deprecating SMTP in the fullness of time.<p>For example, to send an email, perhaps you just send an HTTP POST request to a canonical endpoint (email.example.com), instead of all the rigamarole that SMTP servers require with a unique text protocol requiring multiple round trips. Have you seen the number of SMTP commands involved in sending a <i>single</i> email? Here&#x27;s an abbreviated transcript of what it&#x27;s like to send an email using `telnet`:<p><pre><code> # Wait for banner from server (RT #1) 220 email-inbound-relay-1234.example.com ESMTP Sendmail 1.0.0; Thu, 29 Sep 2016 19:22:12 GMT # Send EHLO and wait for reply (RT #2) EHLO example.com 250-email-inbound-relay-1234.example.com Hello ws-1.example.com [1.2.3.4], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN ... 250 HELP # At this phase you should really send STARTTLS and negotiate a TLS connection, # but we&#x27;ll just ignore that for now and proceed plaintext. # Specify sender (RT #3) MAIL FROM: jcrites@example.com 250 2.1.0 jcrites@example.com... Sender ok # Specify recipient (RT #4) RCPT TO: jcrites@example.net 250 2.1.5 jcrites@example.net... Recipient ok # Specify message headers and content (RT #5) DATA 354 Enter mail, end with &quot;.&quot; on a line by itself Subject: Hello, world! Fun stuff . # Wait for reply (RT #6) 250 2.0.0 u8U1LC1l022963 Message accepted for delivery </code></pre> Furthermore, if you skip these steps or front-run them, some servers will consider that suspicious or spammy behavior. (RFC 2920 properly allows this as an extension called pipelining, advertised in the EHLO reply above.)<p>With full use of SMTP extensions, things are a bit better than I imply but still frustratingly suboptimal. For example, I&#x27;ve run across ISPs who purely for their own load management reasons want to close an SMTP session at the TCP level after an arbitrary number of emails have been sent (N &lt; 100)! Why would they desire that? If we&#x27;re going to exchange more messages, then it&#x27;s certainly <i>less</i> efficient for us both to negotiate a new TCP session and TLS session, rather than reuse the one we already have, but such is the practice of email. So message sending often can be as inefficient as this. When sending to some ISPs worldwide it&#x27;s not uncommon for a single message to take seconds to deliver under normal network conditions.<p>How about we replace all of that with an HTTP POST to email.example.com, specifying the email headers and content with the POST body, and the sender and recipient as headers or querystring parameters? I think it&#x27;d be nice to get there eventually rather than drag SMTP on forever. All of the effort that goes into HTTP clients, servers, and security could benefit the email community as well.<p>Proper TLS security is still nascent in SMTP -- only because of Google&#x27;s actions with Gmail and their Safer Email [1] initiative has TLS really come into widespread adoption at all. Today, although a lot of email is <i>nominally</i> taking place over TLS, most clients are not involving any sort of path validation and the connections are susceptible to MITM; and email clients don&#x27;t specify client TLS certificates nor do servers examine them. If we were to employ it, TLS client certificate authentication could be an effective way to prevent email forgery, e.g., require email from example.com to be sent from a client with a TLS certificate for that domain. This kind of thing would be much easier to achieve in the HTTP world than in the SMTP world. We could also take advantage of HTTP&#x2F;2 pipelining to efficiently deliver a lot of traffic across just one TCP connection.<p>We&#x27;d still need <i>most</i> of the effort invested into email, such as all of the effort fighting abuse, and mail servers would still need to buffer outbound messages and authenticate inbound ones, etc. (and we&#x27;d still need SPF, DKIM, DMARC) but at least it would simplify the foundational and protocol-level work, like what&#x27;s involved in bootstrapping a new email client or server from scratch. You could write basic code to send an email in a few minutes using an HTTP library in any language. SMTP is pretty well entrenched, however, and the incremental benefit is probably not large enough, so I don&#x27;t have my hopes up.<p>[1] <a href="https:&#x2F;&#x2F;www.google.com&#x2F;transparencyreport&#x2F;saferemail&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.google.com&#x2F;transparencyreport&#x2F;saferemail&#x2F;</a>

DNS-over-QUIC would be a much more compelling technical proposal from Google as a standard

This won&#x27;t be overly useful (to me) unless&#x2F;until the system resolver supports this <i>and</i> I can implement this on my own DNS server(s). Seems like a good idea, though.

So to resolve a domain to an IP address without using regular DNS they have opted to use HTTPS which really requires a certificate to be signed against a domain via DNS.

I think this could be more useful if there was a local client that installs and proxies. E.g., A traditional query to localhost:53 gets translated to DNS-over-HTTPS.

I wonder what the performance hit of something like this would be. It seems like the ssl connection would be a bottle neck for the page load.

This is great, but google doesn&#x27;t need to eavesdrop on us when they compel us to use their avenues for our every action.

Is there a matrix of X-over-Y implementations? I would assume that we are converging to a fully filled matrix.

Why do I need dns over http?

That&#x27;s fantastic. Wondering why this hasn&#x27;t happened before?

I find it amusing that they chose apple.com for the example.

httpresolver.py implements DNS over HTTPS in a fork of Paul Chakravarti&#x27;s dnslib. I have it running as a resolver for my Mac using the command:<p>sudo python3 httpresolver.py<p>Have a play with <a href="https:&#x2F;&#x2F;bitbucket.org&#x2F;tony_allan&#x2F;dnslib" rel="nofollow">https:&#x2F;&#x2F;bitbucket.org&#x2F;tony_allan&#x2F;dnslib</a>

Why is this news? Any protocol can (usually trivially) be tunneled over http(s).

Great idea! Even more leverage for a DDoS attack!<p>It is a quicksand this idea, it seems fine until you rely on it and are shaken by attacks that just make your service unavailable with very few computers and traffic. And then you are screwed because we still hardly know howto prevent DDoS except by having a huge bandwidth compared to the attackers. Unless you are a megacorp with huge datacenters everywhere it is a bad idea.<p>But well Google will never become a monopolistic company that behave assholishly, right? They would never push standards that favors them other the few remaining hosting companies on the internet. Wouldn&#x27;t they?