
[public-dns-discuss] Re: Check that DoH is used



Jonathan Lester wrote:
I suppose, I was looking for something like a text record or domain I can look up that will only resolve when using DoH, just to confirm DoH is working.


It's only possible for a resolver to check the last in the chain of DNS forwarders to see if DoH transport is being used, so the reliability of such a check (like https://1.1.1.1/help) is limited and only the external IP address (which is not reported in the 1.1.1.1/help result) can be reported with any certainty (and with NAT, even an external IP address isn't enough to truly identify the client). If the DoH (or DNS over TLS) client uses a client certificate, showing that would be a more meaningful check, but it would be hard for DoH services where the TLS termination is handled separately from the DNS resolution to see the client certificate.
