Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Daniel Stenberg <daniel@haxx.se> Mon, 25 March 2019 07:07 UTC

To: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
cc: Patrick McManus <mcmanus@ducksong.com>, dnsop@ietf.org, doh@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AiwY3H24tbCCxZ3m2JDK02ULh38>

On Sun, 24 Mar 2019, Vittorio Bertola wrote:

> In today's "plain DNS" world, I choose a DNS resolver that provides that 
> kind of filters for me, I set it up on my router, and my router pushes it to 
> my smart TV via DHCP. What is the "existing configuration mechanism" that 
> allows me to set this policy in the DoH world, i.e. if the TV came equipped 
> with applications preconfigured to use their own remote resolver via DoH?

We can easily turn this example the other way around.

With Do53 in your TV, your kids can easily fool your TV with their own DHCP 
responses or by intercepting and interfering with the DNS traffic while you're 
at work.

With DoH used in the TV, set to use a trusted server, they can't.

-- 

  / daniel.haxx.se