Re: [Add] [EXTERNAL] Re: Malware adopting DoH

Ted Lemon <mellon@fugue.com> Fri, 13 September 2019 14:53 UTC

From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 13 Sep 2019 09:53:48 -0500
Message-Id: <2A997AD4-7D2B-494C-AFA6-42017A882F56@fugue.com>
References: <18DC59F2-C9D8-4515-B3CD-4D9772D4E3E6@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
In-Reply-To: <18DC59F2-C9D8-4515-B3CD-4D9772D4E3E6@rfc1035.com>
To: Jim Reid <jim@rfc1035.com>
List-Id: Applications Doing DNS <add.ietf.org>

On Sep 13, 2019, at 09:20, Jim Reid <jim@rfc1035.com> wrote:
> On 12 Sep 2019, at 17:03, Ted Lemon <mellon@fugue.com> wrote:
>> 
>> It’s all very well and good to point out that it’s using DoH and that this blocks certain mitigation strategies, but e.g. if Google can mitigate it centrally we might be better off, not worse off, as a whole.
> 
> Perhaps not. If there are only a couple of dominant DoH resolver operators and they can control the price and quality of that service... Or lock out the competition... Or...

Jim, this is just a non sequitur. For the case of blocking malware, if the malware has fewer choices, it is easier, not harder, to block.