Analysing the Costs of DNS, DoT and DoH for the Modern Web
Luiz Fernando Softov
fernando at softov.com.br
Tue Aug 6 04:36:21 UTC 2019
Sorry, I not mean to be bad in the words.
I thought it was some project, research or school and that he needed some
help.
Text interpretation is unique. Each interpletes as it sees fit.
In this case, I understood that he made a comparison, and then explained
the difference.
As you said, DoH and DoT are wrapped with TLS.
Then both are wrapped in TCP.
As to complement the paper, there is a simple doc about DoH at
https://developers.google.com/speed/public-dns/docs/dns-over-tls
When using a strict privacy profile, stub resolvers establish a
DNS-over-TLS connection with the following steps.
1. The stub resolver is configured with the DNS-over-TLS resolver name
dns.google.
2. The stub resolver obtains the IP address(es) for dns.google using the
local DNS resolver.
3. The stub resolver makes a TCP connection to port 853 at the one those IP
address.
4. The stub resolver initiates a TLS handshake with the Google Public DNS
resolver.
5. The Google Public DNS server returns its TLS certificate along with a
full chain of TLS certificates up to a trusted root certificate.
6. The stub resolver verifies the server's identity based on the
certificates presented.
. If the identity cannot be validated, DNS name resolution fails and the
stub resolver returns an error.
7. After the TLS connection is established, the stub resolver has a secure
communication path between to a Google Public DNS server.
8. Now the stub resolver can send DNS queries and receive responses over
the connection.
Em ter, 6 de ago de 2019 às 00:08, Joe Abley <jabley at hopcount.ca> escreveu:
> On Aug 5, 2019, at 20:44, Luiz Fernando Softov via Unbound-users <
> unbound-users at nlnetlabs.nl> wrote:
>
> Great job, great paper, there is a lot of info no one known.
>
> But, there is some mistakes, like in page 2, column 2:
> "DoH is similar to DoT, but uses HTTP as the transport protocol instead of
> TCP."
>
>
> I don't think that is necessarily the error that you think it is.
>
> The text (to my eye) does not suggest that HTTP and TCP are equivalent,
> but rather that they are both transport protocols of DNS, which I think is
> a reasonable assertion. In the derivative cases of DoH and DoT, both are
> wrapped with TLS. I do not share your interpretation that there is an
> inference that HTTP and TCP are somehow equivalent.
>
> I have not fully digested the paper and all of its observations, but that
> (above) to my mind is not a reason to stop reading.
>
>
> Joe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190806/85d9ec76/attachment.htm>
More information about the Unbound-users
mailing list