Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Livingood, Jason" <Jason_Livingood@comcast.com> Fri, 29 November 2019 13:46 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/KzoZ7c3CzVHgj8_0SsyOkzGI45E>

I was not aware of the error code draft – seems like a great idea!

Jason

From: Kenji Baheux <kenjibaheux@google.com>
Date: Thursday, November 28, 2019 at 7:41 PM
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>
Cc: Andrew Campling <andrew.campling@419.consulting>, "Livingood, Jason" <Jason_Livingood@cable.comcast.com>, Stephane Bortzmeyer <bortzmeyer@nic.fr>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: [EXTERNAL] Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

On Thu, Nov 28, 2019 at 8:05 PM Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com> wrote:
In addition, with the extended error codes defined in https://tools.ietf.org/html/draft-ietf-dnsop-extended-error-08, the client would know the reason for blocking access to a domain, which solves the user experience problem, and DoT/DoH ensures the error response is not spoofed.

Spot on.

A big part of the problem is that the DNS modifications for legit use cases or legal reasons are done in a non-transparent way, with potential security/privacy side-effects (e.g. application left in the dark, forced custom page), and without strong guarantees that this was indeed the original intent. That said, I understand the need for ISP or service operators to explain what happened to the user and how to act on it (e.g. request whitelisting in a parental control situation).

So, I'd love to hear feedback from ISPs in particular, on the extended DNS error draft in conjunction with DoH.
An alternative would be to use/repurpose HTTP status code such as 451 or 450 in DoH, and also define something for the explanation needs.

-Tiru

From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Andrew Campling
Sent: Thursday, November 28, 2019 3:39 AM
To: Livingood, Jason <Jason_Livingood@comcast.com>; Stephane Bortzmeyer <bortzmeyer@nic.fr>; dns-privacy@ietf.org
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

+1 to Jason's comment - suggesting all DNS modification is bad indicates a misunderstanding of some real-world use cases.

Andrew

-----Original Message-----
From: Livingood, Jason <Jason_Livingood@comcast.com>
Sent: 27 November 2019 16:06
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>; dns-privacy@ietf.org
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

On 11/27/19, 9:29 AM, "dns-privacy on behalf of Stephane Bortzmeyer" <dns-privacy-bounces@ietf.org on behalf of bortzmeyer@nic.fr> wrote:

>    For instance, if your access provider has a lying resolver

I just wanted to take a moment to note that choosing to use the term 'lying' when describing resolver behavior is unnecessarily negative and seems designed to be intentionally divisive. This does not IMO contribute to a productive discussion and exchange of views at the IETF.

As has been long demonstrated here and in DNSOP, not all DNS modification can be considered 'lying' - given that lying obviously implies it is a negative thing that is counter to user preferences. For example, an opt-in parental control service that modifies responses is not a negative use case from the perspective of that user/parent. Similarly, a DNS modification in an enterprise that blocks malware C2 FQDNs is also from the enterprise's perspective a good thing.

It seems a better approach is to simply use a neutral term and call this DNS modification. Whether that is good or bad will depend on the particular use case or situation or other factors.

Thanks
Jason





--
Kenji BAHEUX
Product Manager - Chrome
Google Japan
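The mechanism Tiru and Kenji discuss above, as an added example that is not part of the thread: a DoT/DoH client parses the Extended DNS Error option out of a resolver's response so that a blocked or filtered answer comes with a stated reason instead of leaving the application in the dark. The option code (15) and the INFO-CODE names are the values assigned in RFC 8914, the published version of the draft cited above; the sample response is constructed here.

```python
# Extended DNS Error (EDE, RFC 8914) extraction from a raw DNS response. Added example,
# not code from the thread; option code 15 and INFO-CODE names are the RFC-assigned values.
import struct

EDE_OPTION_CODE = 15
EDE_NAMES = {0: "Other", 4: "Forged Answer", 15: "Blocked", 16: "Censored",
             17: "Filtered", 18: "Prohibited"}     # subset of the INFO-CODE registry
FILTERING_CODES = {4, 15, 16, 17, 18}              # "the answer was modified or withheld"

def _skip_name(msg, off):
    """Offset just past the domain name at `off`; a compression pointer is 2 bytes."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def extract_ede(msg):
    """Return [(info_code, name, extra_text), ...] from the OPT RR, [] if none."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:                                 # only OPT carries EDNS options
            continue
        found, p = [], 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            body, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                found.append((info, EDE_NAMES.get(info, f"code-{info}"),
                              body[2:].decode("utf-8", errors="replace")))
        return found
    return []

def declared_filtering(msg):
    """True when the resolver explicitly signals it blocked, filtered or forged the answer."""
    return any(code in FILTERING_CODES for code, _, _ in extract_ede(msg))

def build_sample(info_code, text):
    """Constructed NXDOMAIN response for example.test carrying one EDE option."""
    hdr = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 1)  # QR|RD|RA, RCODE=3, 1 Q, 1 AR
    q = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    ede = struct.pack("!H", info_code) + text.encode("utf-8")
    rdata = struct.pack("!HH", EDE_OPTION_CODE, len(ede)) + ede
    return hdr + q + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
SAMPLE = build_sample(17, "Filtered by opt-in parental controls; see https://isp.example/")
```

A response that says only RCODE=3 with no EDE option yields an empty list, which is exactly the "silent modification" case the thread is complaining about.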