Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

On Wed, May 03, 2017 at 07:50:00PM -0400, Daniel Kahn Gillmor wrote:

> > Sometimes the backends behind these proxies have to accept traffic directly
> > too, and they fingerprint the first few bytes to determine whether it's a
> > direct HTTP connection, or a proxied request. I haven't thought through it,
> > but it might get a little complicated doing two levels of demuxing, and it
> > might not even be possible in some cases.
> Thanks for the pointers to these protocols!  It's good to know that
> people are already doing this sort of demuxing on the fly in some cases,
> and that they haven't broken HTTP for everyone else yet :)
> One approach for the current draft would be to explicitly call these
> protocols out as things that are incompatible with he proposed form of
> demuxing.  I'd be happy to add a generic "do not mix this mechanism with
> other similar mechanisms" section.  I've just opened
> to make sure that doesn't get
> lost.

Note that in case of PROXY, you shouldn't try to discriminate it from
DNS. Read the PROXY header if source is configured to have one and then
tell apart HTTP and DNS if appropriate.

Other reverse proxying schemes that actually play with HTTP headers are
incompatible with demuxing HTTP and DNS this way, since those assume that
all traffic is HTTP.


Received on Thursday, 4 May 2017 10:16:40 UTC