Re: Tsvart last call review of draft-ietf-doh-dns-over-https-13

yes - as section 10 says "Running DNS over HTTPS relies on the security of the underlying HTTP transport"


On Sat, Aug 11, 2018 at 7:37 PM, Fernando Gont <fgont@xxxxxxxxxxxxxxx> wrote:
On 08/11/2018 05:40 PM, John R Levine wrote:
> On Sat, 11 Aug 2018, Benjamin Kaduk wrote:
>>> Is there a reason that the security threats of DOH over TCP would be
>>> any different from existing DNS over TCP?
>>
>> Well, HTTPS pulls in the TLS crypto and its potential increased resource
>> consumption, but in general TLS tries to avoid DoS opportunities where a
>> client can make the server do lots of work without having first provided
>> some indication that the client is "real".
>
> Well, OK.  The obvious next question is whether DoH is different from
> any other https client request.

The possible difference is the impact: Traditionally, an https-based
attack could DoS a web server. With DoH, it could DoS DNS resolution.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





