Re: Disable DNS over HTTPS (DoH) on command line

From: Daniel Stenberg via curl-users <curl-users_at_cool.haxx.se>
Date: Sun, 17 Nov 2019 23:19:29 +0100 (CET)

On Sun, 17 Nov 2019, dumblob via curl-users wrote:

> is there any way to enforce DoH not being used under no circumstances by the
> command line tool "curl"?

Yes: don't use the --doh-url option. Or explicitly set it to "" (nothing).

> Primary motivation could be different concerns (e.g. centralization and
> others outlined in

People already use centralized DNS server since long before DoH came. The
quad-digit servers got widely popular without it.

DoH does in no way imply that you should use a centralized server. It is a
*secure* way to resolve names. You can use your own network's secure server
for this.

If you want to avoid centralization of the Internet, do you think curl should
also refuse to connect to the top-10 domains of the world or so, as they for
sure centralize their dominance? Why is centralization only bad when doing
secure name resolves?

curl provides other means to specify DNS server too, should they also be
disabled then?

(I disagree with Bert, author of that blog post, on many aspects of his
scaremongering of DoH.)

> If there is no way to achieve this, I'll fill a feature request ("bug
> report") on https://github.com/curl/curl/issues .

Sure you can do that but I don't see much use in doing that without a stronger
use case and motivation. How would that "super-option" work? Would it be
limited to DoH only? Why is DoH bad? Isn't it instead certain servers you
rather want to avoid? If so, why don't you just block them from your network?

Why do you deny users on your network to do secure name resolves?

> Note, this thread is not about discussing whether or not DoH is good or not,
> but just plain yes/no debate how to completely disable DoH on command
> line).

You can disable DoH support at build-time.

-- 
  / daniel.haxx.se | Get the best commercial curl support there is - from me
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
Received on 2019-11-17