Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-reid-doh-operator

"Winfield, Alister" <Alister.Winfield@sky.uk> Tue, 19 March 2019 20:53 UTC

Return-Path: <Alister.Winfield@sky.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5886513116C; Tue, 19 Mar 2019 13:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sky.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSIaFl2yboVN; Tue, 19 Mar 2019 13:53:36 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140051.outbound.protection.outlook.com [40.107.14.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66D3E131142; Tue, 19 Mar 2019 13:53:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sky.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=s/4VUZ+bNgaYFmUg+VT8CGZeKMx9GBxdNd64ByorQrg=; b=jbzTJ2md4v2qEGH9jcNC2Q68q0nMu3Denauu8c3lBpc/U4U1O+nf3/nvak4z64RVCkWpqmdl2s2st+If0+yOq5TY/Xh/u8BB0G0w9QgiIAT7w8H60hlbso76xk7CtZLIwqIClutBbT7SPFl8yBVqhEPog6GeZ2opjbPIftzI4fM=
Received: from DB6PR0601MB2184.eurprd06.prod.outlook.com (10.168.51.153) by DB6PR0601MB2421.eurprd06.prod.outlook.com (10.169.215.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.13; Tue, 19 Mar 2019 20:53:32 +0000
Received: from DB6PR0601MB2184.eurprd06.prod.outlook.com ([fe80::5cb7:e589:692e:7d93]) by DB6PR0601MB2184.eurprd06.prod.outlook.com ([fe80::5cb7:e589:692e:7d93%9]) with mapi id 15.20.1709.015; Tue, 19 Mar 2019 20:53:32 +0000
From: "Winfield, Alister" <Alister.Winfield@sky.uk>
To: Eliot Lear <lear@cisco.com>, Christian Huitema <huitema@huitema.net>
CC: Matthew Pounsett <matt@conundrum.com>, Ted Hardie <ted.ietf@gmail.com>, DoH WG <doh@ietf.org>, Paul Vixie <paul@redbarn.org>, dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
Thread-Index: AQHU3nqOawO7W748okeo2Aa+V+qrZaYTSruAgAAj7oA=
Date: Tue, 19 Mar 2019 20:53:32 +0000
Message-ID: <80F6DCFD-EB8F-4CD7-9E7E-19ACB6CA90FB@sky.uk>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <1900056.F7IrilhNgi@linux-9daj> <CA+9kkMCgmzjbPM+DTUYuS3OsT+wOCmsyaGPg6fPu=w-ibL=NrA@mail.gmail.com> <CAAiTEH_umx5Xqa24TywQ_BX_Lpo6piwRWPLWhADkh-PnM20vcg@mail.gmail.com> <A6C66F6C-2663-4AF0-B318-04CE66129D14@cisco.com> <0ea5c3ed-f0d9-8b95-515e-c555855a9c5c@huitema.net> <4F2265B7-BF78-498C-9372-AF8884082FCA@cisco.com>
In-Reply-To: <4F2265B7-BF78-498C-9372-AF8884082FCA@cisco.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.0.190309
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Alister.Winfield@sky.uk;
x-originating-ip: [2a02:c7d:e20a:2d00:195a:b298:e06a:5351]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b2f658fb-cdcf-4f61-8ce9-08d6acacf2bf
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:DB6PR0601MB2421;
x-ms-traffictypediagnostic: DB6PR0601MB2421:
x-microsoft-antispam-prvs: <DB6PR0601MB2421FCF175231B2105A72FBBE3400@DB6PR0601MB2421.eurprd06.prod.outlook.com>
x-forefront-prvs: 0981815F2F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(396003)(376002)(136003)(39860400002)(346002)(199004)(189003)(106356001)(99286004)(33656002)(74482002)(105586002)(7736002)(36756003)(86362001)(97736004)(83716004)(71200400001)(71190400001)(6306002)(4326008)(6246003)(6512007)(72206003)(53936002)(54896002)(5660300002)(256004)(14444005)(5024004)(76176011)(2616005)(476003)(11346002)(486006)(446003)(82746002)(2906002)(14454004)(6436002)(110136005)(478600001)(54906003)(58126008)(6486002)(81166006)(25786009)(102836004)(81156014)(93886005)(6506007)(316002)(229853002)(8936002)(68736007)(6116002)(186003)(8676002)(46003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6PR0601MB2421; H:DB6PR0601MB2184.eurprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None (protection.outlook.com: sky.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: QyBJYfuX4XX6wGiLBXHyEI4LTqe1+towbhN/Upu4G29uM4fW5Sq2p6wAg6xNe+jeh3MUKesPi7t+GQaBeqJjtZqiTnF59OF/TqWEj1fgm0bULos6gejhrryA31drs544uVBQo6lMyOia7YIW3YwznNiY/ioTWFm+hjEXHuQuaDyl9t5czMxcnWoZ9obhNdf+uCv0tKLLlTKFv7CvLM1ng6eUYK2U3hKtCJZtLnXfsrB/IeNAey9XiUSC43RZ82cMyE1aQ/mTQdtMCOgONKDJzTUJMczTngHvijFss3l8fAt41oz+lQpzhWbjl0mwXM5zwacbx31zoE1CXTSraAuATRCRyqiG8IueDA5kWX767otEY8PtXkWPARlBTOhODl30KoBzkYltvJOPGtK7iWQBJTx4XqJf6FdcnSG8osHYjFw=
Content-Type: multipart/alternative; boundary="_000_80F6DCFDEB8F4CD79E7E19ACB6CA90FBskyuk_"
MIME-Version: 1.0
X-OriginatorOrg: sky.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: b2f658fb-cdcf-4f61-8ce9-08d6acacf2bf
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2019 20:53:32.5545 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 68b865d5-cf18-4b2b-82a4-a4eddb9c5237
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0601MB2421
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-xadfUJkAyaccnGBzFPDlC_Hd-0>
Subject: Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 20:53:40 -0000

Third party DNS/DoH providers could probably block resolution of phishing names or  botnet C&C names using the same methods as enterprises do today, but the enterprise network will not be informed that one of its devices just tried to contact a botnet C&C. It would be very nice if the IETF standardized a way to do that.

I don’t see why they wouldn’t, and I could easily envision them being obliged to do so in the future.

They say to you IP a.b.c.d which sadly is the external IP on the NAT exiting the corporate network has a problem. So great one of potentially 1000’s of devices is infected but not really much better information than that. In effect exactly what most security operations teams assume is true every day of the week.

Alister Winfield
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD