
There's no info here on how you secure these servers? Couldn't someone just start using your resolver and end up costing you money?


Unfortunately, neither DoT nor DoH has any great features for client authorization. Client certificates would have been great.

On DoH you could put an API token in the URL. On DoT you could encode something similar in the `Host` header (though this isn't really secure, as the SNI is retrievable, so it's questionable how effective it really is, and I'm not even sure if this is achievable on the edge runtimes).

Adding the DoH-token feature could still make sense, I guess? Unfortunately AFAIK Android supports only DoT, not DoH.

EDIT: This just in, DoH3 in Android: https://security.googleblog.com/2022/07/dns-over-http3-in-an...
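
The token-in-URL idea for DoH mentioned above, sketched as an added example (not code from any commenter or from the project under discussion). The `/<token>/dns-query` path layout, the 32-character token format and all function names are assumptions; it uses only globals available in Node and in edge runtimes.

```javascript
// Added example: token-in-path authorization in front of a DoH resolver.
// The /<token>/dns-query layout and every name here are assumptions.
const TOKEN_RE = /^[A-Za-z0-9_-]{32}$/; // fixed length, URL-safe alphabet

// Compare without returning early on the first differing byte.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Decide whether a request may reach the resolver.
// path:    token-free path to forward upstream (only when ok)
// logPath: safe to write to access logs, token replaced
function authorizeDoh(requestUrl, allowedTokens) {
  const url = new URL(requestUrl);
  const parts = url.pathname.split("/").filter(Boolean);
  if (parts.length !== 2 || parts[1] !== "dns-query") {
    // No token segment, or an unknown endpoint: do not echo the path back.
    return { ok: false, status: 404, logPath: "/[unrecognized]" };
  }
  const token = parts[0];
  const logPath = "/[token]/dns-query";
  if (!TOKEN_RE.test(token)) return { ok: false, status: 403, logPath };

  // Check every configured token so timing does not show which one matched.
  let match = false;
  for (const t of allowedTokens) match = constantTimeEqual(token, t) || match;
  if (!match) return { ok: false, status: 403, logPath };

  // Strip the token before forwarding; keep ?dns=... for GET-style DoH.
  return { ok: true, status: 200, path: "/dns-query" + url.search, logPath };
}
```

The token is still part of the URL, so it is stored wherever the full URL is configured or logged; issuing one token per client keeps revocation possible.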



I was also wondering about the /configure endpoint. There was no mention of access control.



