Re: [Add] Googles Experimental DoH Endpoint

"Robert Mortimer" <robm@scramworks.net> Fri, 17 May 2019 13:50 UTC

Date: Fri, 17 May 2019 14:49:23 +0100
Message-ID: <0fa1c85a-d967-499a-87a9-d1d56675f2cd@getmailbird.com>
From: Robert Mortimer <robm@scramworks.net>
To: add@ietf.org
In-Reply-To: <3BD0C1E6-A937-4F51-AB17-8D449D6C7036@sky.uk>
References: <3BD0C1E6-A937-4F51-AB17-8D449D6C7036@sky.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/kX4ATEoaB6kE-PJP3n2OZei-MsM>
List-Id: Applications Doing DNS <add.ietf.org>

Google have said that they'll stop this behaviour and that in future DoH will only be via the 8.8.8.8 address. I've not seen any announcement saying that they've actually made this restriction yet, just that they plan to.


-- 
Robm
873
  "Ask not what I can do for the stupid, 
         but what the stupid can do for me" - Graeme Garden
On 17/05/2019 13:54:15, Winfield, Alister <alister.winfield=40sky.uk@dmarc.ietf.org> wrote:
**Reposting this here seems on topic for both doh and add **
 
Oh by the way I noticed this and it seems counter to the claim of DoH only running on 8.8.8.8.
 
 
To keep it short I’ve removed the SSL setup step from the example.
 
 
$ openssl s_client -connect search.google.com:443 -servername search.google.com
…
---
 
GET /experimental?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
host: dns.google.com
 
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Date: Tue, 14 May 2019 13:49:53 GMT
Expires: Tue, 14 May 2019 13:49:53 GMT
Cache-Control: private, max-age=20595
Content-Type: application/dns-message
Server: HTTP server (unknown)
Content-Length: 49
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
 
??wwwexamplecom?
                Ps]??"^C
$ 
 
 
Tried a few more: gmail.google.com, www.youtube.com, news.google.com.
 
So I guess it’s their entire web estate.
 
As the obvious thing to test, Firefox seems to have no official way to do this, but I suspect it would be trivial to allow it. Plus malicious applications / malware etc. don’t care about rules, so expect them to be using this fact already.
 
--
Alister Winfield.
 
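Added worked example, not code from either message in this thread: it builds the RFC 8484 GET form of a DoH query (DNS wire format, base64url without padding) and reproduces the dns= value in Alister's request for www.example.com, parses a constructed 49-byte response of the shape his capture shows (question echoed back, one A record), and runs the defender-side check the thread implies: a DoH-shaped request whose HTTP Host header (dns.google.com) differs from the TLS SNI it arrived under (search.google.com). The response bytes, the TTL and the address 93.184.216.34 are constructed sample values, and all function names are my own.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

QTYPES = {"A": 1, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    # ID 0 (RFC 8484 recommends it so identical queries share a cache entry),
    # RD set, one question, no answer/authority/additional records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def doh_get_param(query: bytes) -> str:
    """The value of the dns= parameter: base64url, padding stripped (RFC 8484 s.6)."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name); follows compression pointers with a hop limit."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Minimal parser: header, question section, answer section (A rdata as dotted quad)."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0xF, "questions": questions, "answers": answers}


# Constructed sample response (49 bytes, like the Content-Length in the capture):
# QR/RD/RA flags, the question echoed, one A record whose name is a pointer (0xC00C)
# to the question name, TTL 20595, and a constructed address 93.184.216.34.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 20595, 4) + bytes([93, 184, 216, 34])
)


def flag_doh_host_mismatch(sni: str, request_line: str, headers: dict) -> dict:
    """Detection check: DoH-shaped request (dns= param or DNS media type) whose Host
    header does not match the TLS SNI the connection was opened with."""
    _method, target, _version = request_line.split()
    params = parse_qs(urlparse(target).query)
    lower = {k.lower(): v.lower() for k, v in headers.items()}
    is_doh = "dns" in params or "application/dns-message" in (
        lower.get("accept", "") + lower.get("content-type", ""))
    host = lower.get("host", "")
    return {"doh": is_doh, "host_mismatch": host != sni.lower(), "sni": sni, "host": host}


if __name__ == "__main__":
    print(doh_get_param(build_query("www.example.com")))
    print(parse_response(SAMPLE_RESPONSE))
    print(flag_doh_host_mismatch("search.google.com",
                                 "GET /experimental?dns=" + doh_get_param(build_query("www.example.com")) + " HTTP/1.1",
                                 {"host": "dns.google.com"}))
```

The Host/SNI comparison is the practical detection hook here: a proxy or TLS-terminating middlebox that only looks at SNI sees ordinary traffic to a web property, while the request inside is a DNS lookup addressed to a different virtual host.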