Pros and Cons of DNS over HTTPS

  • DNS Overview: DNS translates fully qualified domain names (FQDNs) to IP addresses. It was developed so that people could remember names instead of numeric addresses. In 2017, an Internet Draft proposing that DNS requests be sent over HTTPS was filed.

    • How DNS Works: The browser sends its request to a recursive DNS server (e.g. 8.8.8.8), which queries the Internet root servers and then the relevant TLD and authoritative domain name servers, obtains the IP address, and returns it to the browser.
    • DNS Lags Behind: DNS dates from 1983, when requests and responses were sent in clear text. It has never had a security upgrade and, 35 years on, still uses no encryption.
  • DNS Over HTTPS: In 2017, the first IETF Internet Draft for DNS over HTTPS (DoH) was published. It sends DNS queries inside encrypted HTTPS requests, using one of two methods: GET or POST. GET requests are larger but HTTP cache-friendly, while POST requests have smaller message sizes. In both cases clients should set the DNS message ID field to 0, so that identical queries produce identical messages and HTTP caches can serve them.
  • Is Today's Web Ready for DoH: DoH is still experimental. Much of the existing DNS infrastructure does not support encryption. Firefox's latest nightly build added DoH support, and Google's Android Pie will ship with a built-in DoH feature. DoH can also be used without OS or browser updates, for example by installing a DoH proxy on the local network.
  • Does DoH Enhance Security and Privacy: There are several problems. Because of how DNS resolution works (recursive resolvers still talk to root, TLD and authoritative servers in clear text), an end-to-end encrypted connection is almost impossible. DNS Query Name Minimization can reduce the amount of data given away at each hop. There are also trust issues: Mozilla's TRR uses Cloudflare's 1.1.1.1 server, which may raise concerns for some users, and tech companies can make mistakes or suffer outages. In addition, DoH servers may have CORS issues that can lead to security problems.
  • How to Disable TRR/DoH: In Firefox, open about:config and set network.trr.mode to 5 to disable DoH. In Android Pie, the Network and Internet settings menu has a Private DNS option with a switch to turn it off.
  • Conclusion: DoH is not yet widespread, but it is a necessary addition to DNS if implemented correctly. Whether to use it depends on personal needs and whom one trusts. One can set up one's own DoH resolver, but should be aware of its vulnerabilities.
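The DoH bullet above describes the two request methods and the ID-field rule in the abstract. The following is an added example, not code from the original post or from any DoH client: it builds a DNS wire-format query with ID 0, encodes it in the GET form (base64url, no padding, in the `dns` parameter) and the POST form (`application/dns-message` body) that RFC 8484 defines, and parses the A records out of a constructed response. The resolver URL is an assumed placeholder and nothing here touches the network.

```python
"""Added example (not from the original post): hand-building a DoH query
in both the GET and POST encodings, and parsing a constructed response.
The resolver URL is an assumed placeholder; no network access is made."""
from __future__ import annotations

import base64
import struct

DOH_URL = "https://doh.example.net/dns-query"  # assumed placeholder resolver


def build_query(name: str, qtype: int = 1) -> bytes:
    """Return a minimal DNS query in wire format (RFC 1035 section 4.1).

    The ID is fixed to 0 as RFC 8484 recommends: with a constant ID, identical
    questions give byte-identical messages, so an HTTP cache can answer a
    repeated GET request instead of forwarding it to the resolver.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def to_get_url(msg: bytes, base: str = DOH_URL) -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={encoded}"


def from_get_url(url: str) -> bytes:
    """Inverse of to_get_url: recover the wire message from the 'dns' parameter."""
    param = url.split("?dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def to_post_request(msg: bytes, url: str = DOH_URL) -> dict:
    """POST form: the raw wire bytes with the application/dns-message media type."""
    return {
        "method": "POST",
        "url": url,
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": msg,
    }


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE: the resolver reported an error
        return []
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


# Constructed sample response (not captured from a real resolver): it answers
# the example.com query with one A record, 192.0.2.10, and refers back to the
# question name with a compression pointer (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(to_get_url(q))
    print(to_post_request(q)["headers"])
    print(parse_a_records(SAMPLE_RESPONSE))
```

The GET form is the one that benefits from ID 0: because the encoded message is part of the URL, any change in the ID would produce a different cache key and defeat HTTP caching, which is exactly the trade-off the bullet above describes.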