Re: [Doh] Googles Experimental DoH Endpoint.

Mark Nottingham <mnot@mnot.net> Thu, 16 May 2019 22:26 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3187120324 for <doh@ietfa.amsl.com>; Thu, 16 May 2019 15:26:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=cHDNumfZ; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=fISqyGU+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iawXWSetY-rG for <doh@ietfa.amsl.com>; Thu, 16 May 2019 15:26:20 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5ADC1200C7 for <doh@ietf.org>; Thu, 16 May 2019 15:26:19 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id DF3942517B; Thu, 16 May 2019 18:26:18 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Thu, 16 May 2019 18:26:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm2; bh=C v+X5pWmlEsW0sENXyLMFxUs2vW1G5vsFrQrvGf0Gu4=; b=cHDNumfZMiHu8Bt7A 0HtDQgMp7It5Kgpu2dUgSoDQ9qJ6bTBgv35UNGV+kbBAGl/mi80Hb0s925Mm44UT pICtJgSvBgwQJY3CpMj6UMqshJd4bQg4SzApvacqNDmkrKE9t1hyqVKj/BZGm1gY al4m3UrvaEyYCVquCqp/J2gyt23/+GdQ0FF833Rf9o/Zs5N3iOL027An4q5mPccb ReJvmz5Z52Z2DpmjnlYyMhSXhwQE2OO2qugc66uNHbPexgvdDk7VC2ZGQtdcnbIG +RtUg65AExy22NSkcyIoGqlwhgArUZcLiA9wcgu6p9bmKlX8xXoFpKWTkV+fgM8+ 3tuug==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=Cv+X5pWmlEsW0sENXyLMFxUs2vW1G5vsFrQrvGf0G u4=; b=fISqyGU+nbUjnvOYeBdFGv5POrc8EvX76ZRauJPpUMGNXVFi1ij8gvzNO HW4CtI5Alo7erJRe1ho4G4JxQYKOdh8eGGfVQJOY35GJxI+dbBLYnal/Z8dJRaBp C5PBjBDTjldqwgsaiSd9icfiGghFKQszh6TlkVPVS9e6b5KX04bT9NS02YiAawSY 5tptWNGHOhZgH9g/NkQ81+6giCtfUJivklHHryDlCZ2qZ9YnP+yLu8oEqQJj+g1n TAkzY0pgdj1ez4fqGvH8tfHfjx3/h8UpQMt0NkfxD0R9bRs0COMgrGTRJzfRzdfS 4QSRksnDTYg+RjfJ85xK1KBUoRoDA==
X-ME-Sender: <xms:iePdXAdrHvOIa4jaFg3ZYu5TIxGpDuUSm-UQ8sWnZDcUImjN_n87fg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddruddtuddguddtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtjeenucfhrhhomhepofgrrhhk ucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucffohhmrghinh epmhhnohhtrdhnvghtpdduhhhoshhtughnshdrghhoohhglhgvnecukfhppedvudefrddu jeeirddugeegrdduudehnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmnhhothesmhhnoh htrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:iePdXCYPuRgibq1T8bAhnhyomFi8b7eDKApbnfUJPRDUS0HucLQPUw> <xmx:iePdXP2l3lLcauZPTGTirfU1ijfQ3OU9iOj4Vryt9Nag4I_mKaoKsQ> <xmx:iePdXDtKBN3n4_4wR7GIZDDFgCn9U0VqIpgLjGH8trFuVChAUc0gHQ> <xmx:iuPdXA5Tez0EC7JZscuRHMI1zrM2gTJhF76283YvmJX0RK7vVeO_Rg>
Received: from [10.254.236.149] (unknown [213.176.144.115]) by mail.messagingengine.com (Postfix) with ESMTPA id 40EAD8005B; Thu, 16 May 2019 18:26:16 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <BF0C7A3C-17F5-4BD0-AD7C-25922B085D23@sky.uk>
Date: Thu, 16 May 2019 22:26:08 +0000
Cc: "doh@ietf.org" <doh@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F59BCD3A-6F42-4626-95A4-4ECFF1DB6864@mnot.net>
References: <BF0C7A3C-17F5-4BD0-AD7C-25922B085D23@sky.uk>
To: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/VPSFj4h3Gc6WNM96YdQq5Ejd5as>
Subject: Re: [Doh] Googles Experimental DoH Endpoint.
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 22:26:23 -0000

So, you're effectively doing domain fronting here; i.e., routing to one server name with SNI, while using a different host header.

Firefox (for example) doesn't support doing this with its DoH implementation, AFAICT; you'd have to write a custom client (or intermediary).


> On 16 May 2019, at 8:24 pm, Winfield, Alister <Alister.Winfield=40sky.uk@dmarc.ietf.org>; wrote:
> 
> $ openssl s_client -connect search.google.com:443 -servername search.google.com
> …
> ---
>  
> GET /experimental?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
> host: dns.google.com

--
Mark Nottingham   https://www.mnot.net/