DoH and PAC

Hi,

Recently, we identified an issue where DNS over HTTPS (DoH) and Proxy Auto-Configuration (PAC) deadlock with each other.

To briefly introduce what they are: as its name indicates, DoH is DNS queries over HTTPS; PAC is a JavaScript function that, given a URL, tells you whether we should go over a proxy or connect directly.

The problem arises when both DoH and PAC are configured on the system. In order to fetch an HTTP resource, we first need to consult the PAC script. The PAC script is usually fetched from an HTTP URL, and we are smart enough not to consult the PAC script for itself. However, fetching the script does require DNS resolution, which goes over DoH. DoH creates an HTTP connection and consults PAC, and here is where it deadlocks. Another case is that PAC scripts can also manually initiate DNS resolution through JavaScript APIs like `dnsResolve()`.

DoH depends on PAC and PAC depends on DoH. We have to break the chain somewhere, and the decision was to never use DoH in PAC: fetching the PAC script and JavaScript DNS APIs inside PAC always use cleartext DNS.

Are there any other HTTP client implementations facing the same issue? What are your solutions?

Thanks,
Guoye Zhang

Received on Monday, 5 September 2022 18:06:18 UTC
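The cycle described in the post, as an added Python model that is not the poster's or any real client's code: every fetch consults PAC, loading the PAC script and `dnsResolve()` need DNS, and a DoH query is itself an HTTPS fetch; re-entering work that is already in progress stands in for the hung lock. The URLs are constructed, and resolving the DoH server's own name is assumed to be bootstrapped over cleartext DNS.

```python
from dataclasses import dataclass, field

PAC_URL = "http://pac.example.test/proxy.pac"   # constructed sample values
DOH_URL = "https://doh.example.test/dns-query"


class Deadlock(RuntimeError):
    """Raised when a fetch re-enters work that is still in progress."""


@dataclass
class Client:
    doh_for_pac: bool            # True reproduces the hang; False is the post's fix
    pac_loaded: bool = False
    in_progress: set = field(default_factory=set)
    trace: list = field(default_factory=list)

    def fetch(self, url: str, purpose: str = "page") -> None:
        key = (purpose, url)
        if key in self.in_progress:          # a real client would block here forever
            raise Deadlock(" -> ".join(self.trace + [f"{purpose}:{url}"]))
        self.in_progress.add(key)
        self.trace.append(f"{purpose}:{url}")
        host = url.split("/")[2]
        if purpose != "pac":                 # the PAC script itself is never routed via PAC
            self.proxy_for(url)
        self.resolve(host, purpose)
        self.in_progress.discard(key)

    def proxy_for(self, url: str) -> str:
        if not self.pac_loaded:
            self.fetch(PAC_URL, purpose="pac")    # PAC script lives at an HTTP URL
            self.pac_loaded = True
        self.resolve(url.split("/")[2], "pac")    # dnsResolve() called from the script
        return "DIRECT"

    def resolve(self, host: str, purpose: str) -> None:
        if purpose == "doh":                 # assumption: DoH server name is bootstrapped
            self.trace.append(f"cleartext:{host}")
        elif purpose == "pac" and not self.doh_for_pac:
            self.trace.append(f"cleartext:{host}")   # the fix: PAC-related DNS stays cleartext
        else:
            self.fetch(DOH_URL, purpose="doh")       # a DoH query is an HTTPS request itself
            self.trace.append(f"doh:{host}")


def simulate(doh_for_pac: bool, pac_preloaded: bool = False):
    """Return (deadlocked, trace) for one page fetch under the given policy."""
    c = Client(doh_for_pac=doh_for_pac, pac_loaded=pac_preloaded)
    try:
        c.fetch("http://www.example.test/")
    except Deadlock:
        return True, c.trace
    return False, c.trace
```

`simulate(True)` hangs on the PAC script fetch, `simulate(True, pac_preloaded=True)` hangs on the `dnsResolve()` path, and `simulate(False)` completes with the PAC-related lookups in cleartext and the page lookup over DoH.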