Re: [Add] [EXTERNAL] Re: Malware adopting DoH

"Dixon, Hugh" <Hugh.Dixon@sky.uk> Mon, 16 September 2019 08:22 UTC

From: "Dixon, Hugh" <Hugh.Dixon@sky.uk>
To: ADD Mailing list <add@ietf.org>
Thread-Topic: [Add] [EXTERNAL] Re: Malware adopting DoH
Thread-Index: AQHVaxNTDkBbFuprSkS4h1EkTrRXYqcrWPkAgAExzwCAADIVgIABTVoA
Date: Mon, 16 Sep 2019 08:21:57 +0000
Message-ID: <43CA8C89-DC45-42B1-8770-C911E9011D3B@sky.uk>
References: <66DC417B-23BC-4AF7-916B-5BAE7E5D9635@sky.uk> <ED3464BD-37A7-4B6F-8327-508B0CB76A3E@fugue.com> <21edfaff-8741-4f4f-a3d4-1aa88ede6935@getmailbird.com> <2970473C-046A-4FD0-AD01-66DAD3A18B4F@fugue.com> <ae179431-f215-4138-b103-d6cc173a8952@getmailbird.com> <CAChr6SzMBMPO_8wRqTH-pBHy4C4EN06Lwsu+dK26FYUYwH-FpA@mail.gmail.com>
In-Reply-To: <CAChr6SzMBMPO_8wRqTH-pBHy4C4EN06Lwsu+dK26FYUYwH-FpA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/B8W7jZEEaVFdTcmzDpJBxYcmino>

On 16/09/2019, 07:22, "Add on behalf of Rob Sayre" <add-bounces@ietf.org on behalf of sayrer@gmail.com> wrote:

Google and other browser makers do perform malware blocking, in a sense. They just generally don't use DNS to do it. See: https://safebrowsing.google.com

Safebrowsing is what I’ve taken to referring to as “Type 1” malware mitigation: infection-prevention within that specific application (the browser). I haven’t seen any data on whether it or DNS-based infection-prevention filtering is more effective, except of course to say that combining the two is likely to be even better than either alone. But I suspect browser-based is “pretty good”.

Type 2 malware mitigation is what we’re talking about in this thread: post-infection malware operation-prevention, largely independent of any other specific application.

Is the “All filtering is bad, mmkay” ethos really so strong that the idea of interdicting criminal operations is not an option?

H


It seems to me that DoH provides the typical benefits of encryption over the wire. On the "informed consent" argument: there are many divergent opinions. Some people on this list seem to think DNS is special in some way, but I don't think there is an IETF document that states anything like that. As we have seen, there are many libraries, applications, and products that connect to DNS servers without informing the user.

thanks,
Rob

On Sun, Sep 15, 2019 at 7:44 AM Robert Mortimer <robm=40scramworks.net@dmarc.ietf.org> wrote:
No that's an argument for making an informed decision about what DNS service provider you use and possibly for being able to avoid limitations being imposed by the network you happen to be using at the time.

Using a VPN to access your DNS provider would achieve the same thing, as would using DoT or in many cases simply not using DHCP to decide your DNS provider.

If an application is deciding which DNS service to use without my informed consent, then even if it's using DoH it achieves none of the things you list.

Your list merely describes informed choice of DNS provider, not any benefit uniquely inherent to DoH.