DoH (DNS over HTTPS)

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
7 posts Page 1 of 1
by jgrosch » Tue Feb 25, 2020 10:43 am
Is DoH being supported by Sonic yet?
by flex-brannigan » Wed Feb 26, 2020 6:50 pm
Cloudflare's 1.1.1.1 DNS service uses DoH.
by kgc » Wed Feb 26, 2020 7:55 pm
The short answer is no, and a slightly longer answer is that I would recommend that anyone using Firefox disable DoH and use Sonic's assigned servers. DNS latency and reliability is a critical part of perceived performance - it's physically impossible to get lower latency than to our name server clusters. I can also guarantee that we never have and never will inspect or profile anyone's DNS traffic beyond what is strictly necessary to ensure quality of service (DoS tracking and bulk performance analytics). Firefox's position makes sense if you believe that all ISPs are bad actors. :/

There's some additional discussion of DoH over in this thread: viewtopic.php?f=13&t=13652
Kelsey Cummings
System Architect, Sonic.net, Inc.
by ewhac » Wed Mar 04, 2020 10:37 pm
kgc wrote:
The short answer is no and a slightly longer answer is that I would recommend that anyone using Firefox disable DoH and use Sonic's assigned servers. [ ... ] Firefox's position makes sense if you believe that all ISPs are bad actors. :/

You are, of course, correct that Sonic-local DNS servers will out-perform HTTPS requests to Cloudflare or whoever. However, I wonder if you're missing the larger philosophical issue that Mozilla is attempting to address. DoH doesn't mean you distrust your ISP -- DoH means you no longer have to. (It also means you don't have to trust your firewall vendor, or whoever's running the open WAP at your coffee shop.)

Personally, I think it causes more problems than it solves. DNS is hierarchically distributed and relatively resistant to disruption, whereas DoH creates single points of failure, and high-value targets for disruption and infiltration. Also: There's no guarantee that Cloudflare will never be forced into the hands of a hedge fund who will instantly turn around and start selling query data.

DNS could definitely be more secure, but the primary problem is the actors. Frankly, it seems to me much of the issue could be solved by the FCC treating DNS lookups the same as telephone records -- private to the subscriber, available to third parties only upon court order.

In any case, you may care to explore setting up an experimental DoH server exclusively for Sonic subscribers, partly as a goodwill gesture, and partly to see what resources that would require.
by kgc » Thu Mar 05, 2020 9:33 am
ewhac wrote:
In any case, you may care to explore setting up an experimental DoH server exclusively for Sonic subscribers, partly as a goodwill gesture, and partly to see what resources that would require.
There's no particular advantage unless we make them public - something that I'm reluctant to do. What would be great is if Firefox and others allowed some simple configuration rules - like "if OS DNS servers are set to 208.201.224.11/.33 use them, if not, use DoH Provider X".

I don't have anything against DoH except for the fact that it's going to be turned on by default and should be implemented at the OS level, not in the browser.
Kelsey Cummings
System Architect, Sonic.net, Inc.
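The configuration rule kgc describes above ("if the OS resolvers are 208.201.224.11/.33 use them, otherwise use DoH Provider X"), as an added example that is not Firefox's or Sonic's code; the DoH URL and the resolv.conf samples are constructed placeholders.

```python
import ipaddress

# Sonic's resolver addresses as named in the post above.
ISP_RESOLVERS = {"208.201.224.11", "208.201.224.33"}
# Placeholder DoH endpoint ("Provider X"); not a real service.
DOH_FALLBACK = "https://doh.example/dns-query"

# Constructed resolv.conf samples: one as the ISP's DHCP would hand out,
# one as a coffee-shop router might.
SAMPLE_ISP = "nameserver 208.201.224.11\nnameserver 208.201.224.33\n"
SAMPLE_CAFE = "search lan\nnameserver 192.168.1.1 # router\n"


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        # Strip '#' and ';' comments, then look for 'nameserver <addr>'.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # ignore malformed entries rather than trusting them
    return servers


def choose_resolver(resolv_conf_text, trusted=ISP_RESOLVERS, doh_url=DOH_FALLBACK):
    """Plain DNS to the OS resolvers only if every one of them is a trusted
    ISP server; any untrusted (or missing) resolver means fall back to DoH,
    since a single untrusted server could still answer the query."""
    servers = parse_resolv_conf(resolv_conf_text)
    if servers and all(s in trusted for s in servers):
        return {"mode": "do53", "servers": servers}
    return {
        "mode": "doh",
        "url": doh_url,
        "untrusted": [s for s in servers if s not in trusted],
    }


if __name__ == "__main__":
    print("ISP network :", choose_resolver(SAMPLE_ISP))
    print("Cafe network:", choose_resolver(SAMPLE_CAFE))
```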
by admun » Sun Mar 22, 2020 11:54 am
Something comes to mind.

I am on Fusion service, resold by ATT. Does anyone know if ATT could have monitored my DNS traffic? I am under the expectation that it could happen, since the traffic goes through ATT's last mile until it reaches Sonic's network....

I have a local DNS resolver setup and point to Sonic's DNS resolver, but no DNSSEC.

Am I just being too paranoid?
by rlc3 » Tue May 19, 2020 11:26 am
The latest version of Firefox seems to allow for the configuration of the DNS over HTTPS setting in order to use custom DNS servers:


I apologize for the naive question (I only have a superficial understanding of DoH), but why do you say:
kgc wrote:
There's no particular advantage unless we make them public

Is there no advantage for Sonic customers if we could enable DoH to Sonic's own DNS?