Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Paul Vixie <paul@redbarn.org> Mon, 11 March 2019 18:07 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28E6F1277D8; Mon, 11 Mar 2019 11:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LxfClxhhGPzR; Mon, 11 Mar 2019 11:07:06 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2DD61311C7; Mon, 11 Mar 2019 11:06:58 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:6529:414d:1c66:203e] (unknown [IPv6:2001:559:8000:c9:6529:414d:1c66:203e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 9BB00892C6; Mon, 11 Mar 2019 18:06:58 +0000 (UTC)
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Warren Kumari <warren@kumari.net>, Jim Reid <jim@rfc1035.com>, DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <FACB852B-4BC4-4234-A728-9068708EFB10@rfc1035.com> <CAHw9_iKc5_i+rC-oOe3RJufFe_Jm3GmTN4UbQ6VLpcqodR8d9g@mail.gmail.com> <8855871d-c059-3938-12a1-62f21c089e1d@redbarn.org> <CA+9kkMAxVzQi6o7FMEW6L5fC4x_VEAa9X7vjyUu==gjuAxTaeA@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <5456b9d9-844f-f410-3935-2b2d3ae22745@redbarn.org>
Date: Mon, 11 Mar 2019 11:06:56 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.11
MIME-Version: 1.0
In-Reply-To: <CA+9kkMAxVzQi6o7FMEW6L5fC4x_VEAa9X7vjyUu==gjuAxTaeA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6S6z02yVf40_h9ydaMZEWyAGhig>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 18:07:08 -0000


Ted Hardie wrote on 2019-03-11 10:02:
...
>     no other off-network RDNS is reachable by malware which somehow gets
>     into my network,
> 
> 
> I interpret this to mean that you have blocked DNS over TLS's well-known 
> port (853), so that Quad 9 and other services offering it are not 
> accessible.  Is that correct, or do you mean something more extensive?

that's it. because before DoH, it was possible to outlaw off-net 53 and 
853 except when coming from my local RDNS servers. because unlike DoH, 
those protocols are not designed to prevent on-path interference.

> As several other folks have pointed out, roll-your-own resolution is in 
> some pretty widely used applications, but I'm not aware of any 
> comprehensive list or any way to block that short of removing the 
> applications once found.  Is there a technique here I'm not aware of?

famously, my chromecast ultra would not let itself out of setup mode 
until it was allowed to reach 8.8.8.8 on UDP/53.

https://www.businessinsider.com/paul-vixie-blasts-google-chromecast-2019-2

my solution was to operate a server on 8.8.8.8 (and 8.8.4.4, and 
9.9.9.9, and 1.1.1.1) locally.

DoH will moot that approach. (by design.) i'm studying my alternatives, 
since i also use 'dnstap' to detect behavioural abnormalities, and DNS 
RPZ for parental (and botnet, and IoT) controls. it won't be pretty and 
it won't be cheap. (by design.)

-- 
P Vixie