On Jan 18, 2012, at 11:14 AM, Paul Vixie wrote:

> On 1/18/2012 7:06 PM, W.C.A. Wijngaards wrote:
>>> this sounds very cool; is there an internet draft or tech note
>>> describing the protocol so that others may also implement this?
>>
>> It exists to bypass deep inspection firewalls, and it works. The plain
>> DNS format as you would use over TCP, but then on an SSL connection, so
>> it's encrypted by SSLv3. Uses port number 443 (the https port, no other
>> use of that protocol, but then, because of SSL the firewall should not
>> be able to tell).
>
> alas, DPI can tell the difference between HTTPS and TLS in a TCP/443
> stream. (the Tor guys told me this.)
However, a DNS query over 443 CAN be made to look fully like HTTPS for the purpose of traffic analysis, since the query can easily be constructed in a URL with the results returned as an XML or JSON blob. An active adversary could probe the server and check, but the point is probably to evade ignorant adversaries (misconfigurations), not active censorship.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
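The "query in a URL, answer as a JSON blob" shape sketched in the reply above is what DNS-over-HTTPS later standardised (RFC 8484 for the wire-format `dns=` GET parameter; the JSON answer shape below follows the public Google/Cloudflare resolver APIs). This is an added illustration, not code from the thread; the server name `doh.example` and the sample JSON answer are constructed.

```python
import base64
import json
import struct
from urllib.parse import urlencode


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Plain RFC 1035 wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def to_url(base: str, wire: bytes) -> str:
    """Carry the query as an ordinary HTTPS GET; RFC 8484 uses unpadded base64url in 'dns='."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return base + "?" + urlencode({"dns": token})


def from_url_param(token: str) -> bytes:
    """Reverse of to_url: restore padding and decode back to wire format."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def parse_json_answer(blob: str) -> list[tuple[str, int, str]]:
    """Parse the JSON answer shape used by public DoH resolvers: {"Status": 0, "Answer": [...]}."""
    doc = json.loads(blob)
    if doc.get("Status") != 0:  # Status carries the DNS RCODE; 0 is NOERROR
        raise ValueError(f"DNS rcode {doc.get('Status')}")
    return [(a["name"], a["TTL"], a["data"]) for a in doc.get("Answer", [])]


# Constructed sample answer, as a resolver would return it for example.com/A.
SAMPLE_ANSWER = json.dumps({
    "Status": 0,
    "Answer": [{"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.1"}],
})

if __name__ == "__main__":
    wire = build_query("example.com")
    print(to_url("https://doh.example/dns-query", wire))
    print(parse_json_answer(SAMPLE_ANSWER))
```

To a passive observer this is just a TLS session on 443 carrying HTTP, which is the point of the reply; an active probe of the endpoint is still needed to tell it from a web server.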