On Wednesday 06 November 2019 at 07:11 +0100, Tomasz Torcz wrote:
> On Tue, Nov 05, 2019 at 10:00:17PM +0100, Nicolas Mailhot via devel wrote:
> > On Tuesday 05 November 2019 at 19:45 +0100, Tomasz Torcz wrote:
> > >
> > > I don't agree with centralisation. You should run your own DoH
> > > endpoint, using Google's, Cloudflare's or Quad9's servers is a shortcut.
> >
> > DoH has zero integration and manageability. “It’s not centralized”
> > (but you have to set manually DoH settings in all apps *or* rely on a
> > centralized Google DoH whitelist) is an utter joke.
>
> Setting in all apps? Excuse me? You run your stub DoH resolver
> on ::1 and put ::1 in resolv.conf.

That won't be honored by DoH-enabled apps that refuse to honor system resolution.

That won't be honoured by all the other things on your network, unless you reparameter each and every one of them by hand (assuming they support DoH, or allow setting a DNS resolver manually in the first place).

That won't be honoured by the smartphone of your visitors, by their pet smart collar, etc., unless you spend 15 minutes figuring out how to reconfigure them at the start of their visit, and reconfigure them back at the end. Don't bother giving them your wifi code. So, no smart tv, no internet radio, no smart toaster, no resolved network path to your gaming console, no nothing for them. Back to the dark ages where nothing worked by default, networks were an enterprise-only thing, and ISPs felt entitled to charge multiples if you plugged more than one computer at the end of their cable. That's what your single-system “solution” actually means.

Using DoH today means, in practical terms, using Google-approved resolvers, and names Google knows of (bye bye private networks) because that's the only common ground DoH apps agree on, and the only practical way to synchronize DoH naming results with the rest of the network world.

Distributing DoH settings has not been specified yet, and even if it were (for example DHCP side) there is zero commitment by Google or any of the other DoH supporters to honor it. So, *just* *like* *for* *http2*, Google will only specify the parts of the protocol it is interested in, go AWOL for the other parts, and block their standardisation by refusing to implement them even if someone managed the specification (Google owns enough of the Internet to veto anything it does not like). And Chrome will have an enterprise mode that allows everything it blocks for home/SOHO users, and goodbye any free-software-like level field for others.

That's why using DoH in any form is a terrible idea right now. It's not finished in practical terms. Its proponents have both the ability, and the track record, of not playing nice once the parts they want get adopted.

And I didn't even get into technical DoT/DoH comparisons, or asked you if your DoH endpoint was packaged into Fedora, in a solid enough form to run in production without getting owned.

Regards,

-- 
Nicolas Mailhot
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx