
Isn’t this a chicken vs egg problem?



Yes and no. I think Google’s DNS over HTTPS service is run on 8.8.8.8, the same IP as their main DNS service, so you should always know where it is.

Edit: Looks like it’s changed and it’s now a URL, so you’re right, it is a bit chicken and egg.


Apparently:

> "The DOH server is given with a host name that itself needs to be resolved. This initial resolve needs to be done by the native resolver before DOH kicks in."


You can remember a small set of resolved hosts for this purpose, not unlike remembering DNS servers or CAs to trust. A quick search online also says it's possible to issue a cert to a public IP address, so you can also do HTTPS to a numbered IP instead of a host name.


I haven't heard of any respectable CAs that would issue certs for IP addresses...


They're rare but they do exist. The CA needs to ensure you really have long term control over the address.

Most people would never need one, but a few people have a real use for them.


Just stick the address of the DNS resolver in /etc/hosts.
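
The bootstrap approach discussed in this thread (remember the resolver's address, but still validate its certificate against the host name), sketched as an added example that is not code from any commenter. `DOH_HOST`, `DOH_PINNED_IP` and `DOH_PATH` are assumed placeholders for whatever DoH endpoint you configure.

```python
import http.client, socket, ssl, struct

# Assumed placeholders, not values from the thread.
DOH_HOST = "doh.example"      # hypothetical DoH server name (certificate subject)
DOH_PINNED_IP = "192.0.2.53"  # constructed pinned address (TEST-NET-1)
DOH_PATH = "/dns-query"       # assumed endpoint path

def build_query(name, qtype=1):
    """DNS wire-format query for `name` (qtype 1 = A), message ID 0."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)    # class IN

def _skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:   # walk plain labels
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] else 1)           # pointer is 2 bytes, root label 1

def parse_a_records(msg):
    """List the IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def doh_resolve(name):
    """Query the pinned IP over HTTPS; the native resolver is never consulted."""
    ctx = ssl.create_default_context()            # usual CA and host name checks
    raw = socket.create_connection((DOH_PINNED_IP, 443), timeout=5)
    conn = http.client.HTTPSConnection(DOH_HOST, context=ctx)
    conn.sock = ctx.wrap_socket(raw, server_hostname=DOH_HOST)  # cert must match the name
    conn.request("POST", DOH_PATH, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"DoH server returned HTTP {resp.status}")
    return parse_a_records(data)
```

Because the TLS handshake still checks the certificate against `DOH_HOST`, a stale or hijacked pinned address fails closed instead of being trusted. The pinned address itself has to be refreshed out of band when the operator renumbers.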



