Re: [Add] [EXTERNAL] Re: publication of DoH Resolver policies

[tirumal reddy <kondtir@gmail.com>]

On Wed, 29 May 2019 at 16:46, Winfield, Alister <Alister.Winfield@sky.uk>
wrote:

> Fair enough, I’m just stating that not all queries/responses are known as
> potentially bad (malware / phishing) until after the fact. That simple fact
> is the reason some DNS providers choose to hold logs.
>

Agreed, policy analysis by Sara
https://dnsprivacy.org/wiki/display/DP/Comparison+of+policy+and+privacy+statements
shows
most DNS providers clear the transaction data and do not store client IP
address.

-Tiru


>
>
> Cheers
>
> Alister
>
>
>
> *From: *tirumal reddy <kondtir@gmail.com>
> *Date: *Wednesday, 29 May 2019 at 11:54
> *To: *"Winfield, Alister" <Alister.Winfield@sky.uk>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *[EXTERNAL] Re: [Add] publication of DoH Resolver policies
>
>
>
> On Tue, 28 May 2019 at 22:06, Winfield, Alister <Alister.Winfield=
> 40sky.uk@dmarc.ietf.org> wrote:
>
> It would be wonderful if every malicious domain was known prior to its
> use, sadly except where a DGA is known that’s not the case. So it can be
> useful to have a little historic information to see the extent of the issue
> once it’s become known.
>
>
>
> DGA is just one technique, malicious domains like C&C domains can possibly
> be identified by inspecting TXT records (used to send commands to the
> compromised host), fast flux service network etc.
>
>
>
> Cheers,
>
> -Tiru
>
>
>
>
>
> It’s also true that with performance issues unless they are very obvious
> (eg impacting say Facebook, Google, Amazon etc), operators necessarily rely
> on analytics or customers to complain. Given issues can be transient or
> periodic only a historic record can provide insight into the root cause.
>
>
>
> Alister
>
>
>
> *From: *Add <add-bounces@ietf.org> on behalf of "Livingood, Jason" <
> Jason_Livingood@comcast.com>
> *Date: *Tuesday, 28 May 2019 at 16:43
> *To: *tirumal reddy <kondtir@gmail.com>, Jim Reid <jim@rfc1035.com>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *Re: [Add] publication of DoH Resolver policies
>
>
>
> First – thanks for the pointer!
>
>
>
> Comment – things like ‘logging’ seem very binary. What about default
> logging = no except if FQDN = malware C&C, in which case yes (to support
> notifying the end user of infection)?
>
>
>
> *From: *Add <add-bounces@ietf.org> on behalf of tirumal reddy <
> kondtir@gmail.com>
> *Date: *Monday, May 27, 2019 at 9:12 AM
> *To: *Jim Reid <jim@rfc1035.com>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *Re: [Add] publication of DoH Resolver policies
>
>
>
> On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:
>
> On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
> >
> > If the DOH server provided by the network offers the same level of
> privacy preserving data policy as the DOH server pre-configured in the
> browser, Why shouldn't the browser use the network provided DOH server ?
>
> How could the browser tell that both DoH servers have the same policy?
>
>
> How does the browser (or anything else for that matter) know what some
> arbitrary DoH server’s privacy preserving data policy is? Where will this
> be documented and published in a way that a web-based application or the
> end user can understand and then make an informed choice?
>
>
>
>
> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10
> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-reddy-dprive-bootstrap-dns-server-03%23section-10&data=02%7C01%7CAlister.Winfield%40sky.uk%7C12d61a8dd0ee460e0ac308d6e4241425%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C636947240943132005&sdata=meQxjGhaC2hZmVFpiavQeLq7XK6o83WzHghsCIyiPSY%3D&reserved=0>
> defines a new privacy certificate extension that identifies the privacy
> preserving data policy of the DNS server, it is in a machine-parsable
> format.
>
>
>
>
> Now rinse and repeat that for other server-side policies: data retention,
> GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS
> behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware,
> etc, etc.
>
> Oh, and if some DoH server says “I do QNAME minimisation” (say), does the
> browser or end user simply take that on trust or would they somehow be
> expected to verify that for themselves?
>
>
>
> End user typically does not trust DOH server in a untrusted network (e.g.
> public WiFi network) and may only use the DOH server provided by trusted
> network (e.g. Enterprise, Secure home networks), similar to the way users
> disable VPN connection in specific networks and enable VPN connection by
>
> default in other networks for privacy. In addition, the privacy extension
> includes a URL that points to the security assessment report of the DNS
> server by a third party auditor.
>
>
>
> Cheers,
>
> -Tiru
>
> Information in this email including any attachments may be privileged,
> confidential and is intended exclusively for the addressee. The views
> expressed may not be official policy, but the personal views of the
> originator. If you have received it in error, please notify the sender by
> return e-mail and delete it from your system. You should not reproduce,
> distribute, store, retransmit, use or disclose its contents to anyone.
> Please note we reserve the right to monitor all e-mail communication
> through our internal and external networks. SKY and the SKY marks are
> trademarks of Sky Limited and Sky International AG and are used under
> licence.
>
> Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited
> (Registration No. 2067075), Sky Subscribers Services Limited (Registration
> No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or
> indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the
> companies mentioned in this paragraph are incorporated in England and Wales
> and share the same registered office at Grant Way, Isleworth, Middlesex TW7
> 5QD
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd&data=02%7C01%7CAlister.Winfield%40sky.uk%7C12d61a8dd0ee460e0ac308d6e4241425%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C636947240943142013&sdata=qU0MLdTjX%2FmsjLEqcy8OCYsKXJRlGQLxA7e7%2B6eno1o%3D&reserved=0>
>
> *--------------------------------------------------------------------*
>
> *This email is from an external source. Please do not open attachments or
> click links from an unknown or suspicious origin. Phishing attempts can be
> reported by sending them to phishing@sky.uk <phishing@sky.uk> as
> attachments. Thank you*
>
> *--------------------------------------------------------------------*
>
>
> Information in this email including any attachments may be privileged,
> confidential and is intended exclusively for the addressee. The views
> expressed may not be official policy, but the personal views of the
> originator. If you have received it in error, please notify the sender by
> return e-mail and delete it from your system. You should not reproduce,
> distribute, store, retransmit, use or disclose its contents to anyone.
> Please note we reserve the right to monitor all e-mail communication
> through our internal and external networks. SKY and the SKY marks are
> trademarks of Sky Limited and Sky International AG and are used under
> licence.
>
> Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited
> (Registration No. 2067075), Sky Subscribers Services Limited (Registration
> No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or
> indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the
> companies mentioned in this paragraph are incorporated in England and Wales
> and share the same registered office at Grant Way, Isleworth, Middlesex TW7
> 5QD
>