Re: [Add] [EXTERNAL] Re: publication of DoH Resolver policies

"Winfield, Alister" <Alister.Winfield@sky.uk> Wed, 29 May 2019 11:16 UTC

From: "Winfield, Alister" <Alister.Winfield@sky.uk>
To: tirumal reddy <kondtir@gmail.com>
CC: ADD Mailing list <add@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Add] publication of DoH Resolver policies
Thread-Index: AQHVFWwndNASf9AAW0ug5KjFkEe7HKaAzM0AgAEiIgCAABblAA==
Date: Wed, 29 May 2019 11:16:27 +0000
Message-ID: <B5D02F73-C1D4-48BA-963B-F7D2BD2EAF3F@sky.uk>
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <410f4e4d-aee0-d679-b454-6576de90b21a@nomountain.net> <76EF5603-618C-4A73-A4F9-7489B73B0757@nbcuni.com> <9ad7aa89-d751-e4c6-dede-e9c22faf6d20@nomountain.net> <525969024.22086.1558949269703@appsuite-gw1.open-xchange.com> <CAFpG3gdGpD+jpdChk4zeee+2Mh13mFuPK8kLxmx8DrRZYdy6pw@mail.gmail.com> <11C1E629-A2AE-468E-99B3-C2BBF9E4AE7C@rfc1035.com> <CAFpG3gdwBHoED-TXL3_2ksx-DPd7oRtaUD-FYyfz8yYvdw_Z8A@mail.gmail.com> <254F5605-B346-4AE1-A1A3-6D27AB76B18F@cable.comcast.com> <1DC2682D-1A1F-4B5B-BB49-B2DAAD8E7E7D@sky.uk> <CAFpG3gcdSAguw=UUjQru6mVJKsvoQu_1bY+2ha-KxFK49dyu5w@mail.gmail.com>
In-Reply-To: <CAFpG3gcdSAguw=UUjQru6mVJKsvoQu_1bY+2ha-KxFK49dyu5w@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/V_vGrQiUbOM05DEF4AM4667k0to>
Subject: Re: [Add] [EXTERNAL] Re: publication of DoH Resolver policies

Fair enough, I’m just stating that not all queries/responses are known as potentially bad (malware / phishing) until after the fact. That simple fact is the reason some DNS providers choose to hold logs.

Cheers
Alister

From: tirumal reddy <kondtir@gmail.com>
Date: Wednesday, 29 May 2019 at 11:54
To: "Winfield, Alister" <Alister.Winfield@sky.uk>
Cc: ADD Mailing list <add@ietf.org>
Subject: [EXTERNAL] Re: [Add] publication of DoH Resolver policies

On Tue, 28 May 2019 at 22:06, Winfield, Alister <Alister.Winfield=40sky.uk@dmarc.ietf.org> wrote:
It would be wonderful if every malicious domain was known prior to its use; sadly, except where a DGA is known, that’s not the case. So it can be useful to have a little historic information to see the extent of the issue once it’s become known.

DGA is just one technique; malicious domains like C&C domains can possibly be identified by inspecting TXT records (used to send commands to the compromised host), fast-flux service networks, etc.

Cheers,
-Tiru


It’s also true that with performance issues, unless they are very obvious (e.g. impacting, say, Facebook, Google, Amazon, etc.), operators necessarily rely on analytics or on customers complaining. Given that issues can be transient or periodic, only a historic record can provide insight into the root cause.

Alister

From: Add <add-bounces@ietf.org> on behalf of "Livingood, Jason" <Jason_Livingood@comcast.com>
Date: Tuesday, 28 May 2019 at 16:43
To: tirumal reddy <kondtir@gmail.com>, Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Subject: Re: [Add] publication of DoH Resolver policies

First – thanks for the pointer!

Comment – things like ‘logging’ seem very binary. What about default logging = no except if FQDN = malware C&C, in which case yes (to support notifying the end user of infection)?

From: Add <add-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Date: Monday, May 27, 2019 at 9:12 AM
To: Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Subject: Re: [Add] publication of DoH Resolver policies

On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:
On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
>
> If the DoH server provided by the network offers the same level of privacy-preserving data policy as the DoH server pre-configured in the browser, why shouldn't the browser use the network-provided DoH server?

How could the browser tell that both DoH servers have the same policy?

How does the browser (or anything else for that matter) know what some arbitrary DoH server’s privacy preserving data policy is? Where will this be documented and published in a way that a web-based application or the end user can understand and then make an informed choice?

https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10 defines a new privacy certificate extension that identifies the privacy-preserving data policy of the DNS server; it is in a machine-parsable format.


Now rinse and repeat that for other server-side policies: data retention, GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware, etc, etc.

Oh, and if some DoH server says “I do QNAME minimisation” (say), does the browser or end user simply take that on trust or would they somehow be expected to verify that for themselves?

End users typically do not trust a DoH server in an untrusted network (e.g. a public WiFi network) and may only use the DoH server provided by a trusted network (e.g. enterprise, secure home networks), similar to the way users disable a VPN connection in specific networks and enable it by default in other networks for privacy. In addition, the privacy extension includes a URL that points to the security assessment report of the DNS server by a third-party auditor.

Cheers,
-Tiru
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD
--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add
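The logging trade-off argued in this thread (Jason's "default logging = no, except when the FQDN is a known malware C&C" proposal, and Alister's reply that many domains are only classified as bad after the fact) can be made concrete with a small script. This is an added example written for this page, not code from any participant or from any resolver product. The log-line format, the client identifiers, the blocklist contents and the 24-hour retention window are all constructed assumptions for illustration; a real resolver would have its own log schema and policy knobs.

```python
"""
Added example: two query-log retention policies for a DoH resolver.

Policy 1 ("selective"): keep a query only if its FQDN matches the C&C
blocklist at the moment the query is answered.
Policy 2 ("window"):    keep every query for a bounded window, then drop it.

The point demonstrated: a domain classified as malicious *after* it was
queried can only be investigated retroactively under policy 2, and then
only for queries still inside the window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <client id> <qname>".
LOG_LINES = [
    "2019-05-27T09:00:00 192.0.2.10 www.example.com",
    "2019-05-27T09:05:00 192.0.2.11 newly-found.example",
    "2019-05-28T10:00:00 192.0.2.12 c2.bad.example",
    "2019-05-28T10:10:00 192.0.2.13 beacon.newly-found.example",
    "2019-05-28T10:20:00 192.0.2.10 www.example.com",
]


@dataclass(frozen=True)
class Query:
    ts: datetime
    client: str   # hypothetical client identifier (IP or subscriber id)
    qname: str


def parse_line(line: str) -> Query:
    """Parse one constructed log line into a Query (qname normalised)."""
    ts, client, qname = line.split()
    return Query(datetime.fromisoformat(ts), client, qname.rstrip(".").lower())


def matches_blocklist(qname: str, blocklist: set) -> bool:
    """True if the FQDN, or any parent domain of it, is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def selective_log(queries, blocklist):
    """Policy 1: retain only queries that hit the blocklist at query time."""
    return [q for q in queries if matches_blocklist(q.qname, blocklist)]


def retained_window(queries, now: datetime, window: timedelta):
    """Policy 2: retain every query no older than `window`."""
    return [q for q in queries if now - q.ts <= window]


def affected_clients(log, blocklist):
    """Clients in a retained log that queried anything on `blocklist`."""
    return sorted({q.client for q in log if matches_blocklist(q.qname, blocklist)})


def run_scenario():
    """Compare both policies once a new C&C domain becomes known."""
    queries = [parse_line(line) for line in LOG_LINES]
    known_at_query_time = {"c2.bad.example"}
    known_later = known_at_query_time | {"newly-found.example"}  # learned after the fact
    now = datetime.fromisoformat("2019-05-28T12:00:00")

    selective = selective_log(queries, known_at_query_time)
    window = retained_window(queries, now, timedelta(hours=24))

    selective_finds = affected_clients(selective, known_later)
    window_finds = affected_clients(window, known_later)
    all_affected = affected_clients(queries, known_later)
    missed_by_both = sorted(set(all_affected) - set(selective_finds) - set(window_finds))

    return {
        "selective_retained": len(selective),  # only the c2.bad.example hit
        "window_retained": len(window),        # everything from the last 24h
        "selective_finds": selective_finds,    # cannot see newly-found.example
        "window_finds": window_finds,          # sees the in-window beacon too
        "missed_by_both": missed_by_both,      # query aged out of the window
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The window length is the whole policy question: the client at 192.0.2.13 is only identifiable because its query to a sub-domain of the later-listed domain was still inside the 24-hour window, while the client at 192.0.2.11, whose query aged out, is invisible under either policy. Selective logging never captures the newly listed domain at all, which is exactly the gap Alister describes; a shorter window narrows it from the other side.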