Re: [DNSOP] extension of DoH to authoritative servers

Paul Vixie <> Tue, 12 February 2019 22:45 UTC

To: Ted Lemon <>
Cc: David Conrad <>, dnsop <>
From: Paul Vixie <>
Date: Tue, 12 Feb 2019 14:45:54 -0800

Ted Lemon wrote on 2019-02-12 14:20:
> ...
> So you’re saying that DoH traffic that’s not going to well-known IP 
> addresses is easier to detect than DoH traffic going to well-known IP 
> addresses?

yes, that's what i've been trying to say. if CF only publishes DoH 
content on, then i can just block that, and leave their main 
HTTPS server addresses alone. same for google, opendns/umbrella/cisco, 
ibm, and the others. one of my networks only allows TCP/443 to 
explicitly enumerated destinations... one of which is the main service 
address for google. i need that to never contain DoH traffic, please.

note, i prefer to block UDP/53, TCP/53, and TCP/853, because then my 
risks are lower, and my costs for managing those risks also lower. and 
that's why DoT is a better _engineered_ solution than DoH. i remember a 
time when the IAB would have said "no" to an internet standard which 
mandated deliberate loss of control by network operators. hey you kids, 
get offa my lawn, and so on.

P Vixie
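The egress policy described in the message, restated as a small Python model. This is an added example, not code from the message or from any operator's network: the addresses are documentation ranges (RFC 5737 / RFC 3849), the nftables table and chain names are hypothetical, and 203.0.113.200 is a made-up "DoH-only" address standing in for the case where a provider publishes DoH on a dedicated address. The point it shows is the one in the reply: a 5-tuple filter can drop UDP/53, TCP/53 and TCP/853 outright and can drop TCP/443 to an enumerated DoH-only address, but it returns the same verdict for DoH and plain HTTPS when both go to the same shared service address.

```python
"""Egress policy model for the DNS-transport blocking discussed above.

Constructed example: the policy, the addresses (RFC 5737 / RFC 3849
documentation ranges) and the sample flows are all made up for
illustration; none belongs to a real operator or provider.
"""
import ipaddress
from dataclasses import dataclass

SITE_RESOLVER = ipaddress.ip_address("192.0.2.53")    # only permitted DNS target
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}  # Do53 and DoT

# Enumerated TCP/443 destinations. 203.0.113.10 stands for a provider's main
# HTTPS service address (which must stay reachable); 203.0.113.200 is a
# hypothetical DoH-only address that is deliberately left off the list.
HTTPS_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    dst: str     # destination address
    dport: int   # destination port

def egress_decision(flow: Flow) -> str:
    """Return "allow" or "drop" for a new outbound flow.

    Only the 5-tuple is consulted, as a packet filter would do. A flow to
    an enumerated 443 destination is allowed whether or not the HTTPS
    payload is DoH: the filter has nothing to distinguish them by.
    """
    dst = ipaddress.ip_address(flow.dst)
    if (flow.proto, flow.dport) in DNS_PORTS:
        return "allow" if dst == SITE_RESOLVER else "drop"
    if flow.proto == "tcp" and flow.dport == 443:
        return "allow" if any(dst in net for net in HTTPS_ALLOWLIST) else "drop"
    return "drop"   # default-deny egress

def nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset (hypothetical names)."""
    v4 = [str(n) for n in HTTPS_ALLOWLIST if n.version == 4]
    v6 = [str(n) for n in HTTPS_ALLOWLIST if n.version == 6]
    lines = [
        "table inet egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip daddr {SITE_RESOLVER} udp dport 53 accept",
        f"    ip daddr {SITE_RESOLVER} tcp dport 53 accept",
        "    udp dport 53 drop",
        "    tcp dport { 53, 853 } drop",
    ]
    if v4:
        lines.append("    ip daddr { " + ", ".join(v4) + " } tcp dport 443 accept")
    if v6:
        lines.append("    ip6 daddr { " + ", ".join(v6) + " } tcp dport 443 accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed sample flows. The last two are byte-for-byte the same 5-tuple.
SAMPLE_FLOWS = {
    "do53 to site resolver":        Flow("udp", "192.0.2.53", 53),
    "do53 to outside resolver":     Flow("udp", "203.0.113.53", 53),
    "dot to outside resolver":      Flow("tcp", "203.0.113.53", 853),
    "doh to dedicated doh address": Flow("tcp", "203.0.113.200", 443),
    "doh to shared https address":  Flow("tcp", "203.0.113.10", 443),
    "plain https to same address":  Flow("tcp", "203.0.113.10", 443),
}

def evaluate_samples() -> dict:
    """Apply the policy to every sample flow; returns name -> verdict."""
    return {name: egress_decision(f) for name, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:5s}  {name}")
    print(nft_ruleset())
```

The two 443 flows to 203.0.113.10 get identical verdicts by construction; anything that separated them would have to look inside the TLS session, which is exactly the control the message says a network operator loses when DoH shares a provider's main service address.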