Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Olli Vanhoja <olli@zeit.co> Sun, 24 March 2019 23:19 UTC

From: Olli Vanhoja <olli@zeit.co>
Date: Mon, 25 Mar 2019 00:18:58 +0100
Message-ID: <CABrJZ5Hskv1p5ju24gKQrW6odmG4EFmVFWk-xb09w2awp5tdnA@mail.gmail.com>
To: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Cc: Patrick McManus <mcmanus@ducksong.com>, dnsop <dnsop@ietf.org>, doh@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BO6lUl9eilkwzGXFrz_-jpu00Uc>

On Sun, Mar 24, 2019 at 11:14 PM Vittorio Bertola
<vittorio.bertola=40open-xchange.com@dmarc.ietf.org> wrote:
>
> In today's "plain DNS" world, I choose a DNS resolver that provides that kind of filters for me, I set it up on my router, and my router pushes it to my smart TV via DHCP. What is the "existing configuration mechanism" that allows me to set this policy in the DoH world, i.e. if the TV came equipped with applications preconfigured to use their own remote resolver via DoH?
>
> As a minimum, I would have to open all the applications and configure them one by one to use my desired resolver, and repeat this for every device connected to my network - while in the current situation this is all automated after I configure the resolver once on my router. But applications like Firefox might completely refuse to use the resolver I want, advertised by my router on my behalf, because it does not support DoH, or it does but is not on their list of "trusted resolvers". And Javascript bits in the pages I visit might use DoH to pre-encoded servers without even offering me any configuration.
>

I think configuring every application, operating system, or platform
to do the filtering is the right way regardless of the existence of
DoH. I wouldn't trust that the opinion given by a DHCP server is what
will really be used by all clients. If you need to check that that's
what is really happening, wouldn't it require about the same effort to
configure the parental control features that are already provided by
many vendors? I also believe that's a much easier thing to do for the
average user.

If you really want a DIY solution, why don't you look into the actual
HTTP(S) traffic and SNIs?