net: support DNS-over-HTTPS #27552
(This is a feature request for an experimental protocol (as of Sept 2018) and is meant as a placeholder. It's likely that this protocol will become unexperimental, and having thoughts and work on it early would be useful.)
DNS-over-HTTPS is an evolution of DNS that allows us to secure the stream of DNS requests from a system or user in the same way we secure HTTP traffic with TLS. As of Sept 2018, it's currently deployed in two of the major browsers (Mozilla, Chrome) and two major service owners (Cloudflare, Google), and has the backing of a lot of folks in the field as what we need to fix DNS.
There are a few Go implementations already on GitHub, but those require buy-in and awareness to be used. Having it baked into the Go standard library would be an incredible boon in securing our systems and users.
I'd imagine that it would be best to first implement this outside the standard library, much like how HTTP2 was first implemented in
I also wonder if #12503 would be a requirement for this, to be able to swap between different resolvers.
I am also personally a bit confused by DNS over TLS versus DNS over HTTPS. Do we want to support both? If not, which one should we prefer and why?
DNS over TLS is a different protocol. The trick with DNS over TLS is that it requires a new port to be opened up in people's firewalls. Chrome experimented with deploying HTTP/2 and SPDY on ports other than HTTPS's 443 and found out that for a large percentage of their user base, they couldn't make connections out over those other ports. For the same reason, tunneling over 443 and reaping the benefits of solid HTTP (especially HTTP/2) clients with DNS over HTTPS has been taking the mindshare.
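The exchange the thread is talking about, as an added example that is not part of this issue or of Go's net package: a minimal RFC 8484 DNS-over-HTTPS client (POST of a binary `application/dns-message` body) talking to a toy DoH resolver served over HTTPS by httptest. The `/dns-query` path, the `example.test` zone and the address 192.0.2.10 are constructed for the demo, and the GET form (`?dns=` base64url) is left out. Because the whole thing is ordinary HTTPS, a real deployment needs nothing but the port-443 reachability that the comment above relies on.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

const dnsMediaType = "application/dns-message" // RFC 8484 media type for DNS wire format

// readName decodes the name at off and returns it (no trailing dot) with the offset past it.
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	for off < len(msg) {
		l := int(msg[off])
		off++
		switch {
		case l == 0:
			return strings.Join(labels, "."), off, nil
		case l&0xC0 == 0xC0 && off < len(msg) && (l&0x3F)<<8|int(msg[off]) < off-1: // backward pointer only, so it cannot loop
			name, _, err := readName(msg, (l&0x3F)<<8|int(msg[off]))
			return name, off + 1, err
		case l > 63 || off+l > len(msg): // also rejects forward pointers and the reserved 01/10 prefixes
			return "", 0, fmt.Errorf("bad label at offset %d", off-1)
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	return "", 0, fmt.Errorf("truncated name")
}

// BuildQuery encodes one IN question with RD set; ID 0 follows RFC 8484 §4.1 so HTTP caches see identical bytes.
func BuildQuery(name string, qtype uint16) []byte {
	msg := []byte{0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, flags, QDCOUNT=1, AN/NS/ARCOUNT=0
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	return append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1)
}

// ResolverHandler is a toy DoH server over a static zone (constructed data): POST only, A records only.
func ResolverHandler(zone map[string]net.IP) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q, err := io.ReadAll(io.LimitReader(r.Body, 65535))
		name, end, nerr := readName(q, 12) // 12 = DNS header size; readName bounds-checks q
		if r.Method != http.MethodPost || r.Header.Get("Content-Type") != dnsMediaType ||
			err != nil || nerr != nil || end+4 > len(q) {
			http.Error(w, "expected a POSTed application/dns-message query", http.StatusBadRequest)
			return
		}
		resp := append([]byte{q[0], q[1], 0x81, 0x80, 0, 1, 0, 0, 0, 0, 0, 0}, q[12:end+4]...) // ID echoed; QR, RD, RA set; question copied
		if ip, ok := zone[name]; ok && binary.BigEndian.Uint16(q[end:]) == 1 {
			resp[7] = 1 // ANCOUNT=1; answer RR: pointer to QNAME, type A, class IN, TTL 300, RDLENGTH 4
			resp = append(resp, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 1, 0x2C, 0, 4)
			resp = append(resp, ip.To4()...)
		} else {
			resp[3] |= 0x03 // RCODE=3 (NXDOMAIN)
		}
		w.Header().Set("Content-Type", dnsMediaType)
		w.Write(resp)
	})
}

// Resolve POSTs one A query and returns the first A record, checking the HTTP layer (status, media type) and the DNS layer (QR, question echo, RCODE, RR type).
func Resolve(client *http.Client, endpoint, name string) (net.IP, error) {
	res, err := client.Post(endpoint, dnsMediaType, bytes.NewReader(BuildQuery(name, 1)))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	msg, err := io.ReadAll(io.LimitReader(res.Body, 65535))
	if err != nil || res.StatusCode != http.StatusOK || res.Header.Get("Content-Type") != dnsMediaType {
		return nil, fmt.Errorf("doh: HTTP %d with content-type %q", res.StatusCode, res.Header.Get("Content-Type"))
	}
	qname, off, err := readName(msg, 12)
	if err != nil || off+4 > len(msg) || msg[2]&0x80 == 0 || qname != strings.TrimSuffix(name, ".") {
		return nil, fmt.Errorf("doh: reply is not a response to our question")
	}
	_, off, err = readName(msg, off+4) // skip QTYPE/QCLASS, then decode the answer's owner name
	if msg[3]&0x0F != 0 || binary.BigEndian.Uint16(msg[6:]) == 0 || err != nil || off+14 > len(msg) ||
		binary.BigEndian.Uint16(msg[off:]) != 1 || binary.BigEndian.Uint16(msg[off+8:]) != 4 {
		return nil, fmt.Errorf("doh: no usable A answer (rcode %d)", msg[3]&0x0F)
	}
	return append(net.IP(nil), msg[off+10:off+14]...), nil
}

func main() {
	srv := httptest.NewTLSServer(ResolverHandler(map[string]net.IP{"example.test": net.IPv4(192, 0, 2, 10)}))
	defer srv.Close()
	fmt.Println(Resolve(srv.Client(), srv.URL+"/dns-query", "example.test")) // 192.0.2.10 <nil>
}
```

Two details matter for a real client. With the ID fixed at 0, a response is correlated with its query only by the HTTP exchange inside the TLS connection, so the client re-reads the echoed question and refuses a reply whose QNAME differs from what it asked; and the trust decision moves entirely to the TLS certificate check, so pointing `http.DefaultClient` at the httptest server fails because its self-signed certificate is not in the system roots, which is exactly the failure a client should get from an impostor resolver.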