Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

[Stefan Eissing <stefan.eissing@greenbytes.de>]

> Am 04.05.2017 um 04:53 schrieb Mike Bishop <Michael.Bishop@microsoft.com>:
> 
> If you want to do this transparently inside of HTTP without looking different on the outside, define an HTTP/2 extension for tunneling DNS.  Unknown frame types and settings MUST be ignored -- the client can start shipping DNS queries on stream 0 speculatively and have them ignored if the server doesn't speak your extension, or wait to see if the server's SETTINGS frame indicates that it supports the extension (after 1 RTT), both without any loss of compatibility or performance (other than extra bytes).  It doesn't get you HTTP/1.x compatibility, but I'm dubious anything you do within that can be done performantly nor is it a long-term pool to hide in.

I recommend this as a h2 based solution. If a client wants to use the connection purely for DNS traffic, you just need to add the static preamble and SETTINGS bytes and prefix each data chunk (of max 16K) with a 9 byte h2 frame header. And read the same in answers from the server. Ignoring any frame type you do not know. Flow control is done entirely by TCP.

This gives you an up and down byte stream transferred as h2 extension frames. The connection handshake looks 100% identical before the strong encryption kicks in. And you could the same, maybe with some tweaked frame identifiers, on a QUIC connection in the future, I would assume.

If you want to define something that really lives besides other h2 streams on the same connection, then you need to make use of h2 flow control and other features. But as I understood, this is not a scenario you are aiming for.

Cheers,

-Stefan (h2 in Apache httpd)