Re: [dns-privacy] [EXTERNAL] Re: Trying to understand DNS resolver 'discovery'

"Winfield, Alister" <Alister.Winfield@sky.uk> Wed, 27 November 2019 15:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/2bVGB1qGuiW9QWJY4lSppSmmuPg>



The problem with DHCP is the client has no way to know whether the DoT/DoH server is indeed hosted by the local network or by an attacker. For example, consider a network using Quad9/OpenDNS to perform malware filtering, but an attacker spoofs the DHCP response to convey that the network is using the CloudFlare DNS server. Chrome would establish DoH with CloudFlare, and the attack is successful. It is also easy for the attacker to get a domain name and get the certificate signed by a CA (domain-validated certificate).


I suspect that there is a problem made worse by assuming a single all-encompassing list of 'trusted' services. Personally I would hope eventually to have an administrator set policy on what DoH services to trust. This could be simple, like only Quad9, or a more complex set allowing different providers depending upon the context. In your example the application would see CloudFlare and then refuse to use it.

Alister Winfield
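The administrator-set trust policy proposed in the reply, written out as an added example (not code from the original post, from Sky, or from any browser vendor): a per-context allowlist of DoH hostnames, against which a DHCP-advertised resolver is checked before the client will speak DoH to it. The context names and the policy contents are constructed sample values; the hostnames are used only as strings.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import NamedTuple
from urllib.parse import urlparse


@dataclass
class TrustPolicy:
    """Administrator-set policy: context name -> DoH hostnames trusted in that context."""
    trusted: dict[str, set[str]]
    default_context: str = "default"

    def allowed_hosts(self, context: str) -> set[str]:
        # An unknown context falls back to the default list, never to "trust anything".
        return self.trusted.get(context, self.trusted.get(self.default_context, set()))


class Decision(NamedTuple):
    accepted: bool
    host: str | None
    reason: str  # suitable for a local log line when a resolver is refused


def normalise_host(candidate: str) -> str | None:
    """Accept a bare hostname or a DoH URI template; return the lowercase host, or None."""
    host = urlparse(candidate).hostname if "://" in candidate else candidate.split("/")[0]
    if not host:
        return None
    return host.rstrip(".").lower()


def select_resolver(advertised: str, policy: TrustPolicy, context: str) -> Decision:
    """Decide whether a DHCP-advertised DoH server may be used in the given context."""
    host = normalise_host(advertised)
    if host is None:
        return Decision(False, None, f"unparseable resolver advertisement {advertised!r}")
    if host in policy.allowed_hosts(context):
        return Decision(True, host, f"{host} is trusted in context {context!r}")
    # The spoofed-DHCP case from the thread: policy names only Quad9, DHCP says CloudFlare.
    return Decision(False, host, f"{host} is not in the admin policy for {context!r}; refusing")


if __name__ == "__main__":
    # Constructed sample policy: Quad9 everywhere, OpenDNS additionally on the guest network.
    policy = TrustPolicy({"default": {"dns.quad9.net"},
                          "guest-wifi": {"dns.quad9.net", "doh.opendns.com"}})
    for advert, ctx in [("https://cloudflare-dns.com/dns-query", "default"),
                        ("https://dns.quad9.net/dns-query", "default"),
                        ("DoH.OpenDNS.com.", "guest-wifi"),
                        ("doh.opendns.com", "default")]:
        print(select_resolver(advert, policy, ctx))
```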