On Mon, Aug 20, 2018 at 6:58 PM, Paul Vixie <p...@redbarn.org> wrote:
>
>
> Tom Pusateri wrote:
> ....
>>
>> One more point (from the Android crowd) was that they are going to try
>> to connect to the DNS server’s IP address using port 853 using DoT at
>> the same time they are trying to resolve names over port 53 with UDP. If
>> they’re able to make a DoT connection, they’ll use it. This doesn’t
>> provide for a way to have an ADN to verify the certificate but a PTR
>> query can give you a name to do certificate validation and/or DANE
>> validation. So they seemed to be making the point that no DHCP
>> extensions were necessary.
>
>
> that's a cool hack, showing once again DoT's superiority over DoH.

This has been used to detect DoH support in dnscrypt-proxy as well.
One subtle issue with probing is that "it doesn't work" is not the
same as "it's not supported".
It can mean that the port/traffic is being blocked, the client is
incompatible, the crypto is incompatible, etc.,
so it's difficult to distinguish between the service being offered
but unavailable for various reasons,
and the service not being offered.

> --
> P Vixie
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
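To make the "failed" versus "not offered" distinction concrete, here is an added example of a port-853 DoT probe that reports which stage broke (TCP refused, TCP timed out, TLS handshake failed, DNS exchange failed) rather than a single boolean. It is not code from the thread, from Android, or from dnscrypt-proxy; the outcome labels, the helper names, and the local test listeners are this example's own constructions. It sends the PTR query for the resolver's own address over the TLS session, which is the query the thread mentions as a source of a name for certificate or DANE validation, but it does not itself perform that validation.

```python
"""Classify the outcome of a DNS-over-TLS (RFC 7858) probe against a resolver.

Added example, not from the thread or from dnscrypt-proxy. The outcome names,
helper names and demo listeners are this example's own choices.
"""
import socket
import ssl
import struct
import threading

# Distinct outcomes: "could not connect" on its own says little about support.
OUTCOMES = ("dot_ok", "tcp_refused", "tcp_timeout", "tls_failed", "dns_failed")


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an IPv4 address, e.g. 192.0.2.1 -> 1.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format query: 12-byte header plus one question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def probe_dot(ip: str, port: int = 853, timeout: float = 3.0) -> str:
    """Try TCP, then TLS, then one DNS query; report the first stage that fails."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"   # nothing listening, or a filter answering with RST
    except (socket.timeout, TimeoutError, OSError):
        return "tcp_timeout"   # silently dropped: blocked path or unreachable host
    ctx = ssl.create_default_context()
    # Probe only: chain/name checks are skipped so that "no TLS at all" is reported
    # separately from "unverifiable certificate". A real client would verify the
    # certificate against the PTR-derived name (or a configured ADN) before use.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock)
    except (ssl.SSLError, OSError):
        sock.close()
        return "tls_failed"    # port open but not TLS, or incompatible TLS params
    query = build_query(ptr_name(ip), 12)  # QTYPE 12 = PTR
    resp = b""
    try:
        # RFC 7858 reuses the DNS-over-TCP framing: 2-byte length prefix.
        tls.sendall(struct.pack("!H", len(query)) + query)
        hdr = tls.recv(2)
        if len(hdr) != 2:
            return "dns_failed"
        (length,) = struct.unpack("!H", hdr)
        while len(resp) < length:
            chunk = tls.recv(length - len(resp))
            if not chunk:
                return "dns_failed"
            resp += chunk
    except (ssl.SSLError, OSError):
        return "dns_failed"
    finally:
        tls.close()
    # Transaction id must echo back; anything else is not a usable DoT service.
    return "dot_ok" if resp[:2] == query[:2] else "dns_failed"


def _free_port() -> int:
    """Pick a loopback port with nothing listening (for the offline demos)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_refused() -> str:
    """Probe a loopback port with no listener: expected outcome is tcp_refused."""
    return probe_dot("127.0.0.1", _free_port(), timeout=2.0)


def demo_plain_tcp_listener() -> str:
    """Listener that accepts TCP but speaks no TLS: expected outcome is tls_failed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)              # swallow the ClientHello
        conn.sendall(b"not tls\r\n")  # constructed non-TLS reply
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    try:
        return probe_dot("127.0.0.1", port, timeout=2.0)
    finally:
        srv.close()


if __name__ == "__main__":
    print("no listener      ->", demo_refused())
    print("plain TCP server ->", demo_plain_tcp_listener())
```

The two demos run entirely on loopback; pointing `probe_dot` at a real resolver address on port 853 exercises the remaining stages. A defender reading probe logs then sees "tcp_timeout" clustering on one network segment as a filtering signal, distinct from "tcp_refused" (no service) or "tls_failed" (service present but interoperability broken).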
