Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Mark Andrews <marka@isc.org> Mon, 25 March 2019 07:25 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5866120368; Mon, 25 Mar 2019 00:25:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9bCCjOnK5uev; Mon, 25 Mar 2019 00:25:41 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEFB712036D; Mon, 25 Mar 2019 00:25:41 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 64EF73AB03E; Mon, 25 Mar 2019 07:25:41 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 00F02160046; Mon, 25 Mar 2019 07:25:41 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C74CC16005C; Mon, 25 Mar 2019 07:25:40 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id MUDO4uIrwAVU; Mon, 25 Mar 2019 07:25:40 +0000 (UTC)
Received: from surfer-172-30-2-241-hotspot.internet-for-guests.com (107.223.broadband2.iol.cz [83.208.223.107]) by zmx1.isc.org (Postfix) with ESMTPSA id 780C3160046; Mon, 25 Mar 2019 07:25:39 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <alpine.DEB.2.20.1903250802420.17012@tvnag.unkk.fr>
Date: Mon, 25 Mar 2019 18:25:36 +1100
Cc: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Patrick McManus <mcmanus@ducksong.com>, dnsop@ietf.org, doh@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <78F0DF8D-74FB-461E-87B8-02FE2582047E@isc.org>
References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk> <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com> <1C720263-10E4-423B-B152-5673E115A4C1@gmail.com> <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com> <128237212.13389.1553465639438@appsuite.open-xchange.com> <alpine.DEB.2.20.1903250802420.17012@tvnag.unkk.fr>
To: Daniel Stenberg <daniel@haxx.se>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6ENtOcJYL8_BIQvSLTJIc73G4D8>
Subject: Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 07:25:45 -0000


> On 25 Mar 2019, at 6:06 pm, Daniel Stenberg <daniel@haxx.se>; wrote:
> 
> On Sun, 24 Mar 2019, Vittorio Bertola wrote:
> 
>> In today's "plain DNS" world, I choose a DNS resolver that provides that kind of filters for me, I set it up on my router, and my router pushes it to my smart TV via DHCP. What is the "existing configuration mechanism" that allows me to set this policy in the DoH world, i.e. if the TV came equipped with applications preconfigured to use their own remote resolver via DoH?
> 
> We can easily turn this example the other way around.
> 
> With Do53 in your TV, your kids can easily fool your TV with their own DHCP responses or by intercepting and intefering with the DNS traffic while you're at work.
> 
> With DoH used in the TV, set to use a trusted server, they can’t.

Which won’t work if the network is filtering Do53 traffic to non approved servers
or if the TV is manually configured with Do53 or DoT servers and the TV’s configuration
is locked down.  Yes, TV’s do have the ability to lock this part of the configuration
down same as filters on program ratings can be enforced provided the data stream includes
the rating information.

The problem with DoH is that it makes filtering difficult.  That is both a good and
a bad thing depending on your perspective and responsibilities.  It’s a pandora’s box.

> -- 
> 
> / daniel.haxx.se
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org