On 29 Apr 2020, at 14:19, Tony Finch <d...@dotat.at> wrote:
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:

DoH is better because it cannot be blocked without blocking all https traffic.

(FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars 
religious canonical war here, but being able to guarantee access to secure DNS 
is definitely better for users).

All that is needed to subvert DoT is to block port 853.

If DoT takes off, I expect all US ISPs to block port 853 universally. There’s 
nothing they can do about DoH.

Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies 
is “discouraged” but not prevented, most obviously.




-- 
'You're your own worst enemy, Rincewind,' said the sword. Rincewind
        looked up at the grinning men. 'Bet?' --Colour of Magic


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users