Re: Disable DNS over HTTPS (DoH) on command line

From: dumblob via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 20 Nov 2019 10:52:52 +0100

Hi Daniel,

thanks for your reply. My use case is pretty specific (I can't compile my
own curl version, but need to make sure no *__third-party__* DoH will be
used).

I don't care what Bert says or how he says that - it was just a list of
potential motivations why we should approach DoH with a grain of salt.

Back to the topic. My use case demands quite large forward compatibility.
My main concern is that if at some point curl will be released and will
bundle even just one default/recommended/you_name_it DoH server, then I'm
totally screwed. If passing --doh-url "" will have precedence over any such
behavior, then it's the solution I'm looking for. If not, how do I prevent
it?

Thanks a lot for your patience

dumblob

On Sun, 17 Nov 2019 at 23:19, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Sun, 17 Nov 2019, dumblob via curl-users wrote:
>
> > is there any way to enforce DoH not being used under no circumstances by the
> > command line tool "curl"?
>
> Yes: don't use the --doh-url option. Or explicitly set it to "" (nothing).
>
> > Primary motivation could be different concerns (e.g. centralization and
> > others outlined in
>
> People already use centralized DNS server since long before DoH came. The
> quad-digit servers got widely popular without it.
>
> DoH does in no way imply that you should use a centralized server. It is a
> *secure* way to resolve names. You can use your own network's secure server
> for this.
>
> If you want to avoid centralization of the Internet, do you think curl should
> also refuse to connect to the top-10 domains of the world or so, as they for
> sure centralize their dominance? Why is centralization only bad when doing
> secure name resolves?
>
> curl provides other means to specify DNS server too, should they also be
> disabled then?
>
> (I disagree with Bert, author of that blog post, on many aspects of his
> scaremongering of DoH.)
>
> > If there is no way to achieve this, I'll fill a feature request ("bug
> > report") on https://github.com/curl/curl/issues .
>
> Sure you can do that but I don't see much use in doing that without a stronger
> use case and motivation. How would that "super-option" work? Would it be
> limited to DoH only? Why is DoH bad? Isn't it instead certain servers you
> rather want to avoid? If so, why don't you just block them from your network?
>
> Why do you deny users on your network to do secure name resolves?
>
> > Note, this thread is not about discussing whether or not DoH is good or not,
> > but just plain yes/no debate how to completely disable DoH on command
> > line).
>
> You can disable DoH support at build-time.
>
> --
>
> / daniel.haxx.se | Get the best commercial curl support there is - from me
> | Private help, bug fixes, support, ports, new features
> | https://www.wolfssl.com/contact/
>

Received on 2019-11-20
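
Added example, not part of the thread or of the curl project's code: a POSIX shell version of the command-line approach from the reply, which scans a curl config file for a non-empty `doh-url` setting and wraps curl so that `-q` comes first and `--doh-url ""` comes last. The names `find_doh_settings`, `curl_nodoh` and `CURL_BIN` and the sample config are constructed for this example; it does not answer whether `--doh-url ""` would take precedence over a resolver bundled in some future release.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and CURL_BIN are this example's own.

# Print each line of a curl config file that sets doh-url to a non-empty value.
# Config files take the long option name with or without leading dashes,
# separated from its value by whitespace, '=' or ':'.
# Exit status: 0 = a resolver is configured, 1 = none, 2 = file unreadable.
find_doh_settings() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]*(--)?/, "", line)         # drop indent and optional dashes
            if (line !~ /^doh-url([ \t=:]|$)/) next
            sub(/^doh-url[ \t=:]*/, "", line)     # drop option name and separator
            sub(/[ \t]+$/, "", line)              # drop trailing whitespace
            sub(/^"/, "", line); sub(/"$/, "", line)
            if (line != "") { print FILENAME ":" NR ": " line; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Run curl with its default config file ignored (-q, which must be the first
# argument) and with --doh-url "" last, the explicit "nothing" setting from
# the reply. CURL_BIN lets a caller point at a specific curl binary.
curl_nodoh() {
    "${CURL_BIN:-curl}" -q "$@" --doh-url ""
}

# Constructed sample config, written to a temp file so the scan runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example of a curl config file
user-agent = "audit/1.0"
--doh-url https://doh.example.invalid/dns-query
doh-url = ""
EOF
find_doh_settings "$sample" || echo "no DoH resolver configured in $sample"
rm -f "$sample"
```

Config files passed explicitly with `-K` are not covered by `-q`, so scan those with `find_doh_settings` as well.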