Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator
Paul Vixie <paul@redbarn.org> Mon, 11 March 2019 18:07 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28E6F1277D8; Mon, 11 Mar 2019 11:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LxfClxhhGPzR; Mon, 11 Mar 2019 11:07:06 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2DD61311C7; Mon, 11 Mar 2019 11:06:58 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:6529:414d:1c66:203e] (unknown [IPv6:2001:559:8000:c9:6529:414d:1c66:203e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 9BB00892C6; Mon, 11 Mar 2019 18:06:58 +0000 (UTC)
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Warren Kumari <warren@kumari.net>, Jim Reid <jim@rfc1035.com>, DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <FACB852B-4BC4-4234-A728-9068708EFB10@rfc1035.com> <CAHw9_iKc5_i+rC-oOe3RJufFe_Jm3GmTN4UbQ6VLpcqodR8d9g@mail.gmail.com> <8855871d-c059-3938-12a1-62f21c089e1d@redbarn.org> <CA+9kkMAxVzQi6o7FMEW6L5fC4x_VEAa9X7vjyUu==gjuAxTaeA@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <5456b9d9-844f-f410-3935-2b2d3ae22745@redbarn.org>
Date: Mon, 11 Mar 2019 11:06:56 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.11
MIME-Version: 1.0
In-Reply-To: <CA+9kkMAxVzQi6o7FMEW6L5fC4x_VEAa9X7vjyUu==gjuAxTaeA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6S6z02yVf40_h9ydaMZEWyAGhig>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 18:07:08 -0000
Ted Hardie wrote on 2019-03-11 10:02: ... > no other off-network RDNS is reachable by malware which somehow gets > into my network, > > > I interpret this to mean that you have blocked DNS over TLS's well-known > port (853), so that Quad 9 and other services offering it are not > accessible. Is that correct, or do you mean something more extensive? that's it. because before DoH, it was possible to outlaw off-net 53 and 853 except when coming from my local RDNS servers. because unlike DoH, those protocols are not designed to prevent on-path interference. > As several other folks have pointed out, roll-your-own resolution is in > some pretty widely used applications, but I'm not aware of any > comprehensive list or any way to block that short of removing the > applications once found. Is there a technique here I'm not aware of? famously, my chromecast ultra would not let itself out of setup mode until it was allowed to reach 8.8.8.8 on UDP/53. https://www.businessinsider.com/paul-vixie-blasts-google-chromecast-2019-2 my solution was to operate a server on 8.8.8.8 (and 8.8.4.4, and 9.9.9.9, and 1.1.1.1) locally. DoH will moot that approach. (by design.) i'm studying my alternatives, since i also use 'dnstap' to detect behavioural abnormalities, and DNS RPZ for parental (and botnet, and IoT) controls. it won't be pretty and it won't be cheap. (by design.) -- P Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Warren Kumari
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Stephane Bortzmeyer
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Stephane Bortzmeyer
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ask Bjørn Hansen
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Michael Sinatra
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Raymond Burkholder
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Raymond Burkholder
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-r… Winfield, Alister
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator John Todd
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ralf Weber
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator John Levine
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Lemon
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Christian Huitema
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-r… Winfield, Alister
- Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-r… Christian Huitema
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator nalini elkins
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Joe Abley
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jacques Latour
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Adam Roach
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator 神明達哉
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jacques Latour
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jacques Latour
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator John Levine
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jim Reid
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Wes Hardaker
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Christian Huitema
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Eric Rescorla
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ray Bellis
- Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-r… Winfield, Alister
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator sthaug
- Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-r… Joe Abley
- Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-r… Winfield, Alister
- Re: [DNSOP] [EXTERNAL] Re: [Doh] New I-D: draft-r… Joe Abley
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Ted Lemon
- Re: [DNSOP] [Doh] (dhc discovery) New I-D: draft-… Normen B. Kowalewski
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Bill Woodcock
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Livingood, Jason
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Joe Abley
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Puneet Sood
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Richard Bennett
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Richard Bennett
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Wes Hardaker
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Vittorio Bertola
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Paul Wouters
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Olli Vanhoja
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Daniel Stenberg
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Mark Andrews
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Ian Swett
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… sthaug
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Valentin Gosu
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Ray Bellis
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Eliot Lear
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Stephen Farrell
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Eliot Lear
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Ted Lemon
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Ray Bellis
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Tony Finch
- Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator Puneet Sood
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Tony Finch
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Ted Lemon
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Tony Finch
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Ted Lemon
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… Paul Vixie
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… tirumal reddy
- Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-r… tirumal reddy