Talk:DNS over HTTPS

Latest comment: 11 months ago by Zxb in topic Recursive DNS resolvers

Merger proposal: DNS over TLS to be merged into DNS over HTTPS

edit

I propose merging the DNS over TLS article into DNS over HTTPS article along with a subsequent renaming to Encrypted DNS (or similar). The similarity between the two means that almost all that can be written for one can also be written for the other. Merging would avoid unnecessary duplication of content. Jdee4 (talk) 12:37, 21 July 2020 (UTC)Reply

  • Oppose Even though DoT and DoH have similar goal (to wrap DNS message semantics into an encrypted connection), they are very different internally. Also, support for either protocol depends on the software (OS-wide, in-browser, and even standalone libraries). I believe Wikipedia should have an overview article that describes encrypted DNS, but that article should mention DoT, DoH, DNSCurve and DNSCrypt and any other noteworthy DNS tech (I don't mention DNSSec because it's sufficiently different). — Preceding unsigned comment added by Anton.bersh (talkcontribs) 18:01, 21 July 2020 (UTC)Reply
I see the merit in keeping DNSCurve and DNSCrypt separate as they use completely different protocols. As it stands the DNS over TLS article doesn't mention any of the specific technical details of the protocol. At the current state of the DNS over TLS article it seems very similar to DNS over HTTPS. FozzieHey (talk) 22:36, 21 July 2020 (UTC)Reply
  • Strong Oppose: These are completely different technologies, and with DNS over HTTPS in the news a lot recently over web browsers implementing it and Apple and Microsoft both planning to implement various forms of it into their respective operating systems in the next few months, it doesn't make any sense to merge the articles when there are plenty of reliable sources available to pass WP:GNG for all of the relevant encryption schemes. Nathan2055talk - contribs 21:54, 21 July 2020 (UTC)Reply
How are they "completely different" except from the different ports. DNS over HTTPS uses HTTP/2 which in turn uses TLS. FozzieHey (talk) 22:30, 21 July 2020 (UTC)Reply
Agreed, certainly not "completely different" to me. Yes the "language" within the encrypted stream is different, but the concept is the same, a DNS record is requested within an encrypted stream and one is returned. There are far more similarities than differences. Jdee4 (talk) 22:39, 21 July 2020 (UTC)Reply
Have you looked at the RFCs? DoH deals with expressing DNS as HTTP by encoding domains with base64url and dropping that into HTTP request's path. DoT does not use any base- encoding and just upgrades the regular DNS over TCP into the DNS over TLS (since once TLS connection is established, it has the same semantics as TCP ). Anton.bersh (talk) 18:05, 22 July 2020 (UTC)Reply
However none of that is mentioned in the current DNS over TLS article and isn't explained in detail in the DNS over HTTPS article either, unless there's plans on expanding this on both articles I don't see a reason to keep them separate. FozzieHey (talk) 18:08, 22 July 2020 (UTC)Reply
I can add the following text in a section titled "Comparison with DNS over TLS":
DNS over HTTPS works like this:
1. Express DNS messages in HTTP semantics
2. Express HTTP messages in TCP semantics
3. Wrap TCP exchange in TLS
Since HTTP over TLS is called HTTPS, the resulting standard is called DNS over HTTPS
DNS over TLS works like this:
1. Express DNS messages in TCP semantics
2. Wrap exchange in TLS
Anton.bersh (talk) 18:24, 22 July 2020 (UTC)Reply
PS: Just to be clear: these protocols are different exactly because they aim to express DNS in the other two protocols (TCP and HTTP) that are completely different. It's like comparing bicycle with a motorcycle: they might look similar and drive similar, but the source of power makes all the difference.
Anton.bersh (talk) 18:28, 22 July 2020 (UTC)Reply
Bicycle with a motorcycle analogy? More like comparing one brand of bicycle with another. Jdee4 (talk) 18:36, 22 July 2020 (UTC)Reply
My point is, both bicycle and motorcycle have references to each other, but they are still separate articles. Similarly, it might be worth adding a "comparison" section that tells how DoH uses concept of HTTP while DoT goes straight to TCP.Anton.bersh (talk) 18:44, 22 July 2020 (UTC)Reply
Well if both articles are to remain, "criticisms" which can apply to both DoT and DoH should be duplicated in both articles. As such, I have copied some over. Jdee4 (talk) 19:13, 22 July 2020 (UTC)Reply
It's more of criticism of ineffective parental control systems, than of any particular part of DNS standards. First of all, DNS systems don't get sufficient contextual info beacause the same host (youtube.com) can host both "bad" and "good" content. Secondly, traditional DNS-based parental controls effectively perform an attack against insecure legasy protocols used by all users on the network so no wonder they break when these vulnerabilities are fixed. Lastly, proper deployments of DoH/DoT allow parental controls to be configured to as the "trusted" resolvers allowing controls to work while still fixing these legacy vulnerabilities. I don't think the section should be called "criticisms" anymore, since all these concerns were worked out in the specifications now. Anyhow, this is a separate matter not related to article merger and should be discussed separately. Anton.bersh (talk) 16:36, 17 September 2020 (UTC)Reply
For that reason the section was renamed. Whether they are "Criticisms" or "implementation considerations" is now up to the reader to decide. Jdee4 (talk) 17:26, 17 September 2020 (UTC)Reply
  • Stongest Oppose - as mentioned above, they are both extremely different. the only thing in common between the two is TLS. DOH doesnt use DNS proper and actually has the DNS system/protocol rebuilt around http requests and json in TLS/443. DoH also heavily relies on the standard plaintext DNS system (standard DNS has to bootstrap DoH since it needs to resolve the resolvers it uses to resolve first... yes its weird). DoT is identical to the original DNS protocol in form, only prepending 2 bytes of length data (customary to tcp packets) inside TLS/853. — Preceding unsigned comment added by Stayfree76 (talkcontribs) 01:34, 5 September 2020 (UTC)Reply

Since the original concerns were adressed and all the votes are some form of "Oppose", let's consider this discussion over. Please feel free to open a new merger proposal, if you see any other reasons to merge the articles. Anton.bersh (talk) 17:29, 17 September 2020 (UTC)Reply

DoH in Opera

edit

Screen capture showing DoH in browser settings in latest revision: https://imgur.com/rvB5FHV Jdee4 (talk) 23:00, 23 August 2020 (UTC)Reply

Okay but this is technically original research, due to it being a significant change I imagine Opera will include it in some sort of changelog which we can then cite. FozzieHey (talk) 23:01, 23 August 2020 (UTC)Reply
Minor changes like this are hard to find sources for, it is easily verifiable by downloading Opera. I would say this is preferable to having out of date information. Jdee4 (talk) 23:04, 23 August 2020 (UTC)Reply
Then we get into the mess of A/B testing, settings being different per region etc. I imagine it's fine to keep it in for now if it's just been added as it's likely Opera will this in a changelog which we can then cite later. FozzieHey (talk) 23:05, 23 August 2020 (UTC)Reply
Ok. Out of interest are you not seeing this in advanced options on Opera 70.0.3728.119 ? Jdee4 (talk) 23:09, 23 August 2020 (UTC)Reply
Citation added. Seems quite old but wording seems correct. Jdee4 (talk) 23:20, 23 August 2020 (UTC)Reply

Is ODoH sufficiently notable to mention?

edit

I think the section on “Oblivious DoH” should be removed, due to its low quality and lack of notability (this is an Internet Draft, no widespread implementation, etc.)

Nicoonoclaste (talk) 22:13, 13 March 2021 (UTC)Reply

It seems notable at least, there has been widespread coverage of it across many websites. Jdee4 (talk) 15:22, 14 March 2021 (UTC)Reply
This section needs improvements. As for your other concerns:
lack of notability -- it's covered by multiple news articles TechCrunch, ArsTechnica, and viarious third-party blogs.
this is an Internet Draft -- you are right, some links should be updated to point to the latest versions
no widespread implementation -- there are multiple implementations in multiple languages. Some of these implementations are created jointly by Cloudflare, Apple, and Google. However, I don't think we should create a list of implementations because lists are not very encyclopedic.
Anton.bersh (talk) 10:40, 17 March 2021 (UTC)Reply

'Analysis of DNS traffic for security purposes' and 'Disruption of content filters' is the same thing

edit

These two sections talk about the same challenge (reliance of DNS filtering and audit tools on plaintext nature of DNS requests). I propose merging these two sections into one.Anton.bersh (talk) 10:58, 17 March 2021 (UTC)Reply

  • @Anton.bersh: I see your point that they are similar but they do speak to two different concerns and critiques of DOH. Some of the people in the security industry voice the concern that DOH does not allow security tools to work to protect the network. Some politicians and others speak about DOH bypassing content filtering software to protect users from content deemed offensive. Granted, in some organizations, the security teams might be trying to implement both kinds of security mechanisms. But I do see these as two different criticisms of the DOH protocol. How would you see a merged section addressing both these concerns? (i.e. what is the value of merging it?) - Dyork (talk) 01:01, 18 March 2021 (UTC)Reply
@Dyork: I see what you mean. The thing is, these considerations are not a "problem with DoH" but rather a problem of old DNS monitoring/filtering software and its deployments which are not aware of DoH. As of 2021, DNS over HTTPS client implementations (browsers Firefox and Chrome) adhere to network administrators' wishes if they configure networks or client machines properly (use canary domains or deploy enterprise policies). Perhaps we can just add this information somewhere in this section (without specific details which would turn it into a guide). Anton.bersh (talk) 10:54, 18 March 2021 (UTC)Reply
  • @Anton.bersh: I agree these are not "problems with DoH", but they are certainly "implementation considerations". I think there is value in building out this section a bit more to note some of the things that need to be considered, such as CDN localization. A group of ISPs / network operators wrote a useful Internet draft about these concerns, although give that it is only a draft, and not a RFC, I wouldn't use it as a WP:RS. However, it does point to some of the concerns of operators. I agree there are ways to address many of those concerns, and yes, including mention (while not becoming a guide), would be useful. - Dyork (talk) 13:10, 18 March 2021 (UTC)Reply

Recursive DNS resolvers

edit

At the very least, to prevent article bloat, the Recursive DNS resolvers section should be limited to free and open-source software. Consider adding future entries to the DoH column at Comparison_of_DNS_server_software#Feature_matrix. Jdee4 (talk) 13:11, 15 November 2021 (UTC)Reply

More importantly, it should be limited to actual software! I removed the NextDNS reference today, since it's a service, not a software. There is the Public_DNS_servers section for that. Zxb (talk) 21:31, 28 January 2024 (UTC)Reply