Re: [DNSOP] [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients

"Yishai Beeri (yishaib)" <yishaib@cisco.com> Tue, 12 March 2019 20:27 UTC

From: "Yishai Beeri (yishaib)" <yishaib@cisco.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Neil Cook <neil.cook@noware.co.uk>
CC: "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "Ackermann, Michael" <mackermann@bcbsm.com>, Christian Huitema <huitema@huitema.net>, nalini elkins <nalini.elkins@e-dco.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3YiytaxqRDIP4hhpMYMRq-GJvq4>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On 12/03/2019, 20:37, "Doh on behalf of Stephane Bortzmeyer" <doh-bounces@ietf.org on behalf of bortzmeyer@nic.fr> wrote:

    On Tue, Mar 12, 2019 at 04:55:11PM +0100,
     Neil Cook <neil.cook@noware.co.uk> wrote 
     a message of 22 lines which said:
    
    > Actually many enterprises (particularly banks etc.) do not allow DNS resolution directly from employee endpoints.
    
    They block UDP/53, which is not the same thing. Malware or
    non-cooperating applications can do name resolution by other means. I
    still do not understand why people have a problem with DoH which did
    not already exist before with
    my-own-name-resolution-protocol-over-HTTPS.
    
It is common practice for Malware operators to use bona fide DNS infrastructure (including resolvers) to communicate with the malware application. One useful example is DGAs [1]. This practice is cheaper and more robust for Malware operators than setting up their own DNS resolver service, not to mention implementing a proprietary protocol. It also helps isolate the malware operator from the malware as these communications all happen through legit services (all the malware operator has to do to trigger the resident malware is to register a domain).

DoH, and specifically the (intended) inability to distinguish DoH from other traffic, makes this practice much harder to detect and to block - which is why this is a problem that did not already exist before.

[1] https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
    
Yishai
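
Added example, not part of the original message or of any product it mentions: a sketch of the resolver-side detection the message says DoH makes harder, flagging clients that produce a burst of NXDOMAIN answers for long, high-entropy names, as a DGA does while probing for the one domain its operator registered. The log format, thresholds and sample lines are constructed for illustration, and taking the second-to-last label as the registered name is a simplification (no public-suffix list).

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(label):
    """Bits per character of a DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def flag_dga_suspects(log_lines, min_nx=4, min_entropy=3.0, min_len=10):
    """Return {client: sorted names} for clients with at least min_nx distinct
    NXDOMAIN lookups whose registered label is long and high-entropy."""
    suspects = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = fields
        if rcode != "NXDOMAIN":
            continue
        name = qname.rstrip(".").lower()
        labels = name.split(".")
        if len(labels) < 2:
            continue
        sld = labels[-2]  # assumption: single-label TLD, no public-suffix list
        if len(sld) >= min_len and shannon_entropy(sld) >= min_entropy:
            suspects[client].add(name)
    return {c: sorted(n) for c, n in suspects.items() if len(n) >= min_nx}

# Constructed resolver log: "<time> <client> <qname> <rcode>"
SAMPLE_LOG = [
    "20:27:01 10.0.0.5 www.example.com NOERROR",
    "20:27:02 10.0.0.7 xkqjvhzplwtm.example NXDOMAIN",
    "20:27:02 10.0.0.7 qzrtfwbnxyhd.example NXDOMAIN",
    "20:27:03 10.0.0.5 intranet-portall.example NXDOMAIN",  # a typo, not a DGA
    "20:27:03 10.0.0.7 mvjclgpkdwsx.example NXDOMAIN",
    "20:27:04 10.0.0.7 htbqzwnyfkrc.example NXDOMAIN",
    "20:27:05 10.0.0.7 pdkwxgzvnbtq.example NOERROR",  # the registered domain
]

if __name__ == "__main__":
    for client, names in flag_dga_suspects(SAMPLE_LOG).items():
        print(client, len(names), "suspicious NXDOMAIN names:", ", ".join(names))
```

The check depends on the resolver seeing each query name and response code per client, which is the visibility that is lost when the same lookups travel inside HTTPS to an external DoH server.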