Where are you getting the assumption that CGN is widely used from? In most of Europe it most certainly is not. I can't imagine that it's significantly different in the US, and as far as I know there hasn't been a paper that covers this.
This Tweet was deleted by the Tweet author.
NAT64 AIUI utterly breaks DNS privacy and security by requiring forged results and precluding contact with v4 hosts (like the DoH provider) via IP address.
This Tweet was deleted by the Tweet author.
Under NAT64 with DNS64, the resolver provider is hostile: the ISP. Hostility of the ISP is the whole problem DoH is trying to solve. DNSSEC rightly makes it impossible to get valid signatures from such forged DNS results.
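To make the "forged results" point concrete, here is an added example (not code from anyone in the thread) that models what a DNS64 resolver does per RFC 6052 and RFC 6147: when a name has only A records, it synthesizes AAAA records by embedding the IPv4 address in a /96 NAT64 prefix, and a DNSSEC-validating stub then sees AAAA records the zone owner never published or signed. The well-known prefix 64:ff9b::/96, the `RR` model, the name `example.test.` and the address `192.0.2.10` are constructed for the example; real deployments may use a network-specific prefix instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 6052 well-known NAT64 prefix. Assumption for this example: a /96 prefix;
# DNS64 deployments may use a network-specific /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


@dataclass(frozen=True)
class RR:
    """Minimal resource-record model (constructed for this example): one record
    plus whether an RRSIG from the zone signer covers it."""
    name: str
    rtype: str
    data: str
    signed: bool


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in a /96 NAT64 prefix the way DNS64 does (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Reverse mapping: recover the embedded IPv4 address, or None if the
    address is not inside the NAT64 prefix (i.e. not synthesized)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(real_answer: List[RR], prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> List[RR]:
    """Mimic a DNS64 resolver answering an AAAA query: if the zone publishes
    AAAA records they are returned untouched; otherwise one AAAA is synthesized
    per A record. Synthesized records are unsigned: no zone signer ever
    produced an RRSIG over data the zone does not contain."""
    if any(rr.rtype == "AAAA" for rr in real_answer):
        return list(real_answer)
    return [RR(rr.name, "AAAA", synthesize_aaaa(rr.data, prefix), signed=False)
            for rr in real_answer if rr.rtype == "A"]


def validate_aaaa(answer: List[RR]) -> List[tuple]:
    """What a DNSSEC-validating stub sees: every AAAA must be covered by a
    signature. Returns (address, reason) for each record it has to reject,
    noting when the address looks DNS64-synthesized."""
    problems = []
    for rr in answer:
        if rr.rtype == "AAAA" and not rr.signed:
            v4 = extract_ipv4(rr.data)
            reason = (f"unsigned AAAA, DNS64-synthesized from {v4}" if v4
                      else "unsigned AAAA")
            problems.append((rr.data, reason))
    return problems


# Constructed sample: a signed, IPv4-only answer for an example name.
SAMPLE_A_ANSWER = [RR("example.test.", "A", "192.0.2.10", signed=True)]

if __name__ == "__main__":
    synthesized = dns64_answer(SAMPLE_A_ANSWER)
    for rr in synthesized:
        print(rr)                      # AAAA 64:ff9b::c000:20a, signed=False
    for addr, reason in validate_aaaa(synthesized):
        print(f"reject {addr}: {reason}")
```

The split between `dns64_answer` and `validate_aaaa` is the point of the thread: the resolver can only synthesize an address, it cannot synthesize the zone owner's signature, so a client that validates DNSSEC itself has no option but to reject the answer, and a client that trusts the resolver has to trust the ISP that runs it.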
I'm not sure how "Google provides DNS64" - the DNS64 results are specific to the NAT64'd network, no? And AIUI you'd have no way to reach Google's DNS on a NAT64 network.
This Tweet was deleted by the Tweet author.
In the strict mode where it's explicitly configured, Android's DNS-over-TLS uses a traditional DNS lookup for the DNS server name and enforces that everything else goes via DNS-over-TLS and that it has a valid certificate. I have it set to "one.one.one.one" as an example.
This Tweet was deleted by the Tweet author.
Yeah, and that's likely part of why they require providing a name rather than an IP address. Getting a certificate issued for a domain is also much more widely supported than an IP address, and since they require a valid certificate when explicitly configured it reduces breakage.