This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of
computers,
computing, and
information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join
the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles
This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the
Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join
the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet articles
I propose merging the
DNS over TLS article into
DNS over HTTPS article along with a subsequent renaming to Encrypted DNS (or similar). The similarity between the two means that almost all that can be written for one can also be written for the other. Merging would avoid unnecessary duplication of content.
Jdee4 (
talk)
12:37, 21 July 2020 (UTC)reply
Oppose Even though DoT and DoH have similar goal (to wrap DNS message semantics into an encrypted connection), they are very different internally. Also, support for either protocol depends on the software (OS-wide, in-browser, and even standalone libraries). I believe Wikipedia should have an overview article that describes encrypted DNS, but that article should mention DoT, DoH,
DNSCurve and
DNSCrypt and any other noteworthy DNS tech (I don't mention
DNSSec because it's sufficiently different). — Preceding
unsigned comment added by
Anton.bersh (
talk •
contribs)
18:01, 21 July 2020 (UTC)reply
I see the merit in keeping
DNSCurve and
DNSCrypt separate as they use completely different protocols. As it stands the
DNS over TLS article doesn't mention any of the specific technical details of the protocol. At the current state of the DNS over TLS article it seems very similar to DNS over HTTPS.
FozzieHey (
talk)
22:36, 21 July 2020 (UTC)reply
Strong Oppose: These are completely different technologies, and with DNS over HTTPS in the news a lot recently over web browsers implementing it and Apple and Microsoft both planning to implement various forms of it into their respective operating systems in the next few months, it doesn't make any sense to merge the articles when there are plenty of
reliable sources available to pass
WP:GNG for all of the relevant encryption schemes.
Nathan2055talk -
contribs21:54, 21 July 2020 (UTC)reply
Agreed, certainly not "completely different" to me. Yes the "language" within the encrypted stream is different, but the concept is the same, a DNS record is requested within an encrypted stream and one is returned. There are far more similarities than differences.
Jdee4 (
talk)
22:39, 21 July 2020 (UTC)reply
Have you looked at the RFCs? DoH deals with expressing DNS as HTTP by encoding domains with base64url and dropping that into HTTP request's path. DoT does not use any base- encoding and just upgrades the regular DNS over TCP into the DNS over TLS (since once TLS connection is established, it has the same semantics as TCP ).
Anton.bersh (
talk)
18:05, 22 July 2020 (UTC)reply
However none of that is mentioned in the current
DNS over TLS article and isn't explained in detail in the
DNS over HTTPS article either, unless there's plans on expanding this on both articles I don't see a reason to keep them separate.
FozzieHey (
talk)
18:08, 22 July 2020 (UTC)reply
I can add the following text in a section titled "Comparison with DNS over TLS":
DNS over HTTPS works like this:
1. Express DNS messages in HTTP semantics
2. Express HTTP messages in TCP semantics
3. Wrap TCP exchange in TLS
Since HTTP over TLS is called HTTPS, the resulting standard is called DNS over HTTPS
PS: Just to be clear: these protocols are different exactly because they aim to express DNS in the other two protocols (TCP and HTTP) that are completely different. It's like comparing
bicycle with a
motorcycle: they might look similar and drive similar, but the source of power makes all the difference.
My point is, both
bicycle and
motorcycle have references to each other, but they are still separate articles. Similarly, it might be worth adding a "comparison" section that tells how DoH uses concept of HTTP while DoT goes straight to TCP.
Anton.bersh (
talk)
18:44, 22 July 2020 (UTC)reply
Well if both articles are to remain, "criticisms" which can apply to both DoT and DoH should be duplicated in both articles. As such, I have copied some over.
Jdee4 (
talk)
19:13, 22 July 2020 (UTC)reply
It's more of criticism of ineffective parental control systems, than of any particular part of DNS standards. First of all, DNS systems don't get sufficient contextual info beacause the same host (youtube.com) can host both "bad" and "good" content. Secondly, traditional DNS-based parental controls effectively perform an attack against insecure legasy protocols used by all users on the network so no wonder they break when these vulnerabilities are fixed. Lastly, proper deployments of DoH/DoT allow parental controls to be configured to as the "trusted" resolvers allowing controls to work while still fixing these legacy vulnerabilities. I don't think the section should be called "criticisms" anymore, since all these concerns were worked out in the specifications now. Anyhow, this is a separate matter not related to article merger and should be discussed separately.
Anton.bersh (
talk)
16:36, 17 September 2020 (UTC)reply
For that reason the section was renamed. Whether they are "Criticisms" or "implementation considerations" is now up to the reader to decide.
Jdee4 (
talk)
17:26, 17 September 2020 (UTC)reply
Stongest Oppose - as mentioned above, they are both extremely different. the only thing in common between the two is TLS. DOH doesnt use DNS proper and actually has the DNS system/protocol rebuilt around http requests and json in TLS/443. DoH also heavily relies on the standard plaintext DNS system (standard DNS has to bootstrap DoH since it needs to resolve the resolvers it uses to resolve first... yes its weird). DoT is identical to the original DNS protocol in form, only prepending 2 bytes of length data (customary to tcp packets) inside TLS/853. — Preceding
unsigned comment added by
Stayfree76 (
talk •
contribs)
01:34, 5 September 2020 (UTC)reply
Since the original concerns were adressed and all the votes are some form of "Oppose", let's consider this discussion over. Please feel free to open a new merger proposal, if you see any other reasons to merge the articles.
Anton.bersh (
talk)
17:29, 17 September 2020 (UTC)reply
Minor changes like this are hard to find sources for, it is easily verifiable by downloading Opera. I would say this is preferable to having out of date information.
Jdee4 (
talk)
23:04, 23 August 2020 (UTC)reply
Then we get into the mess of A/B testing, settings being different per region etc. I imagine it's fine to keep it in for now if it's just been added as it's likely Opera will this in a changelog which we can then cite later.
FozzieHey (
talk)
23:05, 23 August 2020 (UTC)reply
I think the section on “Oblivious DoH” should be removed, due to its low quality and lack of notability (this is an
Internet Draft, no widespread implementation, etc.)
This section needs improvements. As for your other concerns:
lack of notability -- it's covered by multiple news articles
TechCrunch, ArsTechnica, and viarious third-party blogs.
this is an
Internet Draft -- you are right, some links should be updated to point to the latest versions
no widespread implementation -- there are multiple implementations in multiple languages. Some of these implementations are created jointly by Cloudflare, Apple, and Google. However, I don't think we should create a list of implementations because lists are not very encyclopedic.
'Analysis of DNS traffic for security purposes' and 'Disruption of content filters' is the same thing
These two sections talk about the same challenge (reliance of DNS filtering and audit tools on plaintext nature of DNS requests). I propose merging these two sections into one.
Anton.bersh (
talk)
10:58, 17 March 2021 (UTC)reply
@
Anton.bersh: I see your point that they are similar but they do speak to two different concerns and critiques of DOH. Some of the people in the security industry voice the concern that DOH does not allow security tools to work to protect the network. Some politicians and others speak about DOH bypassing content filtering software to protect users from content deemed offensive. Granted, in some organizations, the security teams might be trying to implement both kinds of security mechanisms. But I do see these as two different criticisms of the DOH protocol. How would you see a merged section addressing both these concerns? (i.e. what is the value of merging it?) -
Dyork (
talk)
01:01, 18 March 2021 (UTC)reply
@
Dyork: I see what you mean. The thing is, these considerations are not a "problem with DoH" but rather a problem of old DNS monitoring/filtering software and its deployments which are not aware of DoH. As of 2021, DNS over HTTPS client implementations (browsers Firefox and Chrome) adhere to network administrators' wishes if they configure networks or client machines properly (use canary domains or deploy enterprise policies). Perhaps we can just add this information somewhere in this section (without specific details which would turn it into a guide).
Anton.bersh (
talk)
10:54, 18 March 2021 (UTC)reply
@
Anton.bersh: I agree these are not "problems with DoH", but they are certainly "implementation considerations". I think there is value in building out this section a bit more to note some of the things that need to be considered, such as CDN localization. A group of ISPs / network operators
wrote a useful Internet draft about these concerns, although give that it is only a draft, and not a RFC, I wouldn't use it as a
WP:RS. However, it does point to some of the concerns of operators. I agree there are ways to address many of those concerns, and yes, including mention (while not becoming a guide), would be useful. -
Dyork (
talk)
13:10, 18 March 2021 (UTC)reply
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of
computers,
computing, and
information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join
the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles
This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the
Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join
the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet articles
I propose merging the
DNS over TLS article into
DNS over HTTPS article along with a subsequent renaming to Encrypted DNS (or similar). The similarity between the two means that almost all that can be written for one can also be written for the other. Merging would avoid unnecessary duplication of content.
Jdee4 (
talk)
12:37, 21 July 2020 (UTC)reply
Oppose Even though DoT and DoH have similar goal (to wrap DNS message semantics into an encrypted connection), they are very different internally. Also, support for either protocol depends on the software (OS-wide, in-browser, and even standalone libraries). I believe Wikipedia should have an overview article that describes encrypted DNS, but that article should mention DoT, DoH,
DNSCurve and
DNSCrypt and any other noteworthy DNS tech (I don't mention
DNSSec because it's sufficiently different). — Preceding
unsigned comment added by
Anton.bersh (
talk •
contribs)
18:01, 21 July 2020 (UTC)reply
I see the merit in keeping
DNSCurve and
DNSCrypt separate as they use completely different protocols. As it stands the
DNS over TLS article doesn't mention any of the specific technical details of the protocol. At the current state of the DNS over TLS article it seems very similar to DNS over HTTPS.
FozzieHey (
talk)
22:36, 21 July 2020 (UTC)reply
Strong Oppose: These are completely different technologies, and with DNS over HTTPS in the news a lot recently over web browsers implementing it and Apple and Microsoft both planning to implement various forms of it into their respective operating systems in the next few months, it doesn't make any sense to merge the articles when there are plenty of
reliable sources available to pass
WP:GNG for all of the relevant encryption schemes.
Nathan2055talk -
contribs21:54, 21 July 2020 (UTC)reply
Agreed, certainly not "completely different" to me. Yes the "language" within the encrypted stream is different, but the concept is the same, a DNS record is requested within an encrypted stream and one is returned. There are far more similarities than differences.
Jdee4 (
talk)
22:39, 21 July 2020 (UTC)reply
Have you looked at the RFCs? DoH deals with expressing DNS as HTTP by encoding domains with base64url and dropping that into HTTP request's path. DoT does not use any base- encoding and just upgrades the regular DNS over TCP into the DNS over TLS (since once TLS connection is established, it has the same semantics as TCP ).
Anton.bersh (
talk)
18:05, 22 July 2020 (UTC)reply
However none of that is mentioned in the current
DNS over TLS article and isn't explained in detail in the
DNS over HTTPS article either, unless there's plans on expanding this on both articles I don't see a reason to keep them separate.
FozzieHey (
talk)
18:08, 22 July 2020 (UTC)reply
I can add the following text in a section titled "Comparison with DNS over TLS":
DNS over HTTPS works like this:
1. Express DNS messages in HTTP semantics
2. Express HTTP messages in TCP semantics
3. Wrap TCP exchange in TLS
Since HTTP over TLS is called HTTPS, the resulting standard is called DNS over HTTPS
PS: Just to be clear: these protocols are different exactly because they aim to express DNS in the other two protocols (TCP and HTTP) that are completely different. It's like comparing
bicycle with a
motorcycle: they might look similar and drive similar, but the source of power makes all the difference.
My point is, both
bicycle and
motorcycle have references to each other, but they are still separate articles. Similarly, it might be worth adding a "comparison" section that tells how DoH uses concept of HTTP while DoT goes straight to TCP.
Anton.bersh (
talk)
18:44, 22 July 2020 (UTC)reply
Well if both articles are to remain, "criticisms" which can apply to both DoT and DoH should be duplicated in both articles. As such, I have copied some over.
Jdee4 (
talk)
19:13, 22 July 2020 (UTC)reply
It's more of criticism of ineffective parental control systems, than of any particular part of DNS standards. First of all, DNS systems don't get sufficient contextual info beacause the same host (youtube.com) can host both "bad" and "good" content. Secondly, traditional DNS-based parental controls effectively perform an attack against insecure legasy protocols used by all users on the network so no wonder they break when these vulnerabilities are fixed. Lastly, proper deployments of DoH/DoT allow parental controls to be configured to as the "trusted" resolvers allowing controls to work while still fixing these legacy vulnerabilities. I don't think the section should be called "criticisms" anymore, since all these concerns were worked out in the specifications now. Anyhow, this is a separate matter not related to article merger and should be discussed separately.
Anton.bersh (
talk)
16:36, 17 September 2020 (UTC)reply
For that reason the section was renamed. Whether they are "Criticisms" or "implementation considerations" is now up to the reader to decide.
Jdee4 (
talk)
17:26, 17 September 2020 (UTC)reply
Stongest Oppose - as mentioned above, they are both extremely different. the only thing in common between the two is TLS. DOH doesnt use DNS proper and actually has the DNS system/protocol rebuilt around http requests and json in TLS/443. DoH also heavily relies on the standard plaintext DNS system (standard DNS has to bootstrap DoH since it needs to resolve the resolvers it uses to resolve first... yes its weird). DoT is identical to the original DNS protocol in form, only prepending 2 bytes of length data (customary to tcp packets) inside TLS/853. — Preceding
unsigned comment added by
Stayfree76 (
talk •
contribs)
01:34, 5 September 2020 (UTC)reply
Since the original concerns were adressed and all the votes are some form of "Oppose", let's consider this discussion over. Please feel free to open a new merger proposal, if you see any other reasons to merge the articles.
Anton.bersh (
talk)
17:29, 17 September 2020 (UTC)reply
Minor changes like this are hard to find sources for, it is easily verifiable by downloading Opera. I would say this is preferable to having out of date information.
Jdee4 (
talk)
23:04, 23 August 2020 (UTC)reply
Then we get into the mess of A/B testing, settings being different per region etc. I imagine it's fine to keep it in for now if it's just been added as it's likely Opera will this in a changelog which we can then cite later.
FozzieHey (
talk)
23:05, 23 August 2020 (UTC)reply
I think the section on “Oblivious DoH” should be removed, due to its low quality and lack of notability (this is an
Internet Draft, no widespread implementation, etc.)
This section needs improvements. As for your other concerns:
lack of notability -- it's covered by multiple news articles
TechCrunch, ArsTechnica, and viarious third-party blogs.
this is an
Internet Draft -- you are right, some links should be updated to point to the latest versions
no widespread implementation -- there are multiple implementations in multiple languages. Some of these implementations are created jointly by Cloudflare, Apple, and Google. However, I don't think we should create a list of implementations because lists are not very encyclopedic.
'Analysis of DNS traffic for security purposes' and 'Disruption of content filters' is the same thing
These two sections talk about the same challenge (reliance of DNS filtering and audit tools on plaintext nature of DNS requests). I propose merging these two sections into one.
Anton.bersh (
talk)
10:58, 17 March 2021 (UTC)reply
@
Anton.bersh: I see your point that they are similar but they do speak to two different concerns and critiques of DOH. Some of the people in the security industry voice the concern that DOH does not allow security tools to work to protect the network. Some politicians and others speak about DOH bypassing content filtering software to protect users from content deemed offensive. Granted, in some organizations, the security teams might be trying to implement both kinds of security mechanisms. But I do see these as two different criticisms of the DOH protocol. How would you see a merged section addressing both these concerns? (i.e. what is the value of merging it?) -
Dyork (
talk)
01:01, 18 March 2021 (UTC)reply
@
Dyork: I see what you mean. The thing is, these considerations are not a "problem with DoH" but rather a problem of old DNS monitoring/filtering software and its deployments which are not aware of DoH. As of 2021, DNS over HTTPS client implementations (browsers Firefox and Chrome) adhere to network administrators' wishes if they configure networks or client machines properly (use canary domains or deploy enterprise policies). Perhaps we can just add this information somewhere in this section (without specific details which would turn it into a guide).
Anton.bersh (
talk)
10:54, 18 March 2021 (UTC)reply
@
Anton.bersh: I agree these are not "problems with DoH", but they are certainly "implementation considerations". I think there is value in building out this section a bit more to note some of the things that need to be considered, such as CDN localization. A group of ISPs / network operators
wrote a useful Internet draft about these concerns, although give that it is only a draft, and not a RFC, I wouldn't use it as a
WP:RS. However, it does point to some of the concerns of operators. I agree there are ways to address many of those concerns, and yes, including mention (while not becoming a guide), would be useful. -
Dyork (
talk)
13:10, 18 March 2021 (UTC)reply