And a final update: Your connectivity to Cloudflare will be a *SINGLE POINT OF FAILURE* for your US Firefox users. And DoH is very sensitive to packet loss! So: 6) If you host DNS, make sure your peering/connectivity to Cloudflare is top notch 7) If an access provider, same
-
Replying to @PowerDNS_Bert @paulvixie
Using DoH from Cloudflare is *less* of a single point of failure than normally for users since they can fall back to the regular resolver, while users using only the regular resolver rarely have a backup...
-
Yes, like most of the other anti-DoH arguments, this SPOF argument makes zero sense. It's no more or less of a SPOF than your existing provider.
-
thanks for your snap judgement. i have more resilience and fewer possible points of failure than anyone using a so-called "public resolver" with or without DoH will ever have. and: you can too!
-
I believe you, I think you're very good at what you do. Your users are very lucky to have such reliable infrastructure, but a lot of people are not your users.
-
it doesn't take my skill level. running a single RDNS in your home has fewer points of failure than talking to a public resolver. it's not opinion, it's graph theory.
-
This is not a realistic option for most users, and even if it was, what happens when it goes down?
-
it's an option for all users. see https://pi-hole.net/ and note that if you put it on a pi-zero you can afford more than one for resiliency. in any case you want your rdns to share fate and topology with your other uplink traffic.
-
Is your argument that users could just set up a Raspberry Pi, but they won't be able to disable DoH in the browser? If you're convinced DoH removes so much value, why worry, won't users just disable it?
-
that's a topic change. we were discussing single points of failure. centralized dns offers many more points of failure.
-
It's not a topic change, the argument is DoH is a SPOF, and is therefore bad. The response is, your ISP is also a SPOF, DoH does not change that. Your answer was that you can install a Raspberry Pi on your LAN (??), so I'm asking if that is possible, surely changing defaults is?
-
doh involves many points of failure (MPOF) which is worse than SPOF on the face of it. deeper than that, getting a DNS response you can't use because your transit is partly broken but your doh provider can see things from a different perspective adds no value.
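The "fewer points of failure, it's graph theory" claim and the "DoH can fall back to the regular resolver" reply above can both be checked with a small dependency model. The following is an added example written for this thread, not code from any participant; the component names and the four resolver setups are constructed assumptions, and a setup resolves names only while every component on at least one of its paths is up.

```python
from itertools import combinations

# Constructed model (assumption): each setup is a list of alternative paths,
# and each path is the list of components that must all be up for it to work.
SETUPS = {
    # Resolver on the LAN (the "single RDNS in your home" / pi-hole case)
    "local_rdns": [["home_uplink", "lan_resolver"]],
    # The access provider's resolver
    "isp_resolver": [["home_uplink", "isp_resolver"]],
    # DoH to a public resolver with no fallback
    "doh_only": [["home_uplink", "transit_to_doh", "doh_provider"]],
    # Browser DoH that falls back to the regular resolver when DoH fails
    "doh_with_fallback": [["home_uplink", "transit_to_doh", "doh_provider"],
                          ["home_uplink", "isp_resolver"]],
}


def resolves(paths, failed):
    """True if at least one path contains no failed component."""
    return any(not (set(path) & failed) for path in paths)


def minimal_cut_sets(paths):
    """All minimal sets of components whose joint failure breaks resolution."""
    components = sorted({c for path in paths for c in path})
    cuts = []
    # Growing subset size, so any earlier cut that is a subset proves non-minimality.
    for size in range(1, len(components) + 1):
        for combo in combinations(components, size):
            failed = set(combo)
            if resolves(paths, failed) or any(cut <= failed for cut in cuts):
                continue
            cuts.append(failed)
    return sorted(sorted(cut) for cut in cuts)


def single_points_of_failure(paths):
    """Components that break resolution on their own (the SPOF list)."""
    return [cut[0] for cut in minimal_cut_sets(paths) if len(cut) == 1]


def exposure_beyond_uplink(paths):
    """SPOFs that do not share fate with the uplink: losing the uplink already
    breaks everything, so only these add failure modes specific to DNS."""
    return [c for c in single_points_of_failure(paths) if c != "home_uplink"]


if __name__ == "__main__":
    for name, paths in SETUPS.items():
        print(f"{name:18s} SPOFs={single_points_of_failure(paths)} "
              f"cuts={minimal_cut_sets(paths)}")
```

With these assumptions, DoH without fallback has three single points of failure (uplink, transit to the provider, the provider itself), the local or ISP resolver has two, and DoH with fallback has only the uplink, which is the shape of both sides' arguments.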