@bortzmeyer
I wonder how big is Hurricane Electric? 🤔
@m0xee They have a public resolver?
@bortzmeyer
They do! I use their DNS over HTTPS service, it's: https://ordns.he.net/dns-query
They have traditional public resolvers as well, but I don't have their IP-addresses at hand.
@jae
Good to know! Are these paths standardised? I don't really know what conventions these URLs follow: for some resolvers they look like simple host names, others are relatively complex. And I am running a proxy actually — on my router, to avoid using ISP's resolver entirely, with ":443" it definitely looks shorter, would this speed the requests up?
@bortzmeyer
most doh providers will use the `/doh-query` at the end of the url, but not always. it's not a requirement. some will allow the path and then the explicit port number as well.
i'd go ahead and try it and see if it works. it did for me and i had a doh proxy built with nginx
it was typo i meant `/dns-query` is what i've seen with some of the endpoints, for instance `https://dns.google/dns-query`
what's important is understanding what paths or ports are available and setting up your proxy to handle it. my doh proxy had 4 backends with healthchecks and the backends can range from a path like above to port numbers. as you mentioned it depends on the service.
while this is not really a security approach i recommend if one is hosting a public doh proxy to setup a scrambled path ie `/d0h-pr0xy-endp0int/dns-query` which will delegate the request to one of the backends. it's "theater" but the scanners hit my endpoint way less than having a standard/common path.
@m0xee @jae The standard mentions the path /dns-query but just as an example. You are supposed to read the documentation of the service you want to use.
See the home page of https://dns4all.eu/ for an example.
