diff --git a/draft-dkg-dprive-demux-dns-http.md b/draft-dkg-dprive-demux-dns-http.md
index 4081efabf404a68cd35bfa40a8ec96628a51ad88..aa7e7098840435c945a08c5b190ec725d8824d1f 100644
--- a/draft-dkg-dprive-demux-dns-http.md
+++ b/draft-dkg-dprive-demux-dns-http.md
@@ -165,6 +165,17 @@ other approaches is not advisable.  Doing so safely would require
 explicit and detailed review of all three (or more) protocols
 involved.
 
+Heavily-restricted network environments
+---------------------------------------
+
+Some network environments are so tightly constrained that outbound
+connections on standard TCP ports are not accessible.  In some of
+these environments, an explicit HTTP proxy is available, and clients
+must use the HTTP CONNECT pseudo-method to make https connections.
+While this multiplexing approach can be used in such a restrictive
+environment, it would be necessary to teach the DNS client how to talk
+to the HTTP proxy.  These details are out of scope for this document.
+
 Why not ALPN?
 -------------