Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Eliot Lear <lear@cisco.com> Tue, 19 March 2019 13:13 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <2248B13A-6323-476F-920E-BBCFB59D62A5@cisco.com>
Date: Tue, 19 Mar 2019 14:13:26 +0100
In-Reply-To: <0E83C55B-2546-4C8B-80DB-8E8403C8CA47@fugue.com>
Cc: DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>
To: Ted Lemon <mellon@fugue.com>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <1900056.F7IrilhNgi@linux-9daj> <CA+9kkMCgmzjbPM+DTUYuS3OsT+wOCmsyaGPg6fPu=w-ibL=NrA@mail.gmail.com> <CAAiTEH_umx5Xqa24TywQ_BX_Lpo6piwRWPLWhADkh-PnM20vcg@mail.gmail.com> <A6C66F6C-2663-4AF0-B318-04CE66129D14@cisco.com> <0E83C55B-2546-4C8B-80DB-8E8403C8CA47@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Fb_XvGPdEk_NQV8HSOqNI68BwhY>


> On 19 Mar 2019, at 14:10, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Mar 19, 2019, at 3:50 AM, Eliot Lear <lear@cisco.com> wrote:
>> It might also be possible to whitelist ANSWERs into iptables. I wrote the code for that for a dnscap plugin some years ago, and you could even play with it if you want (it’s on GitHub), but I’m not suggesting it’s a good general answer (it was intended for a very specific use case involving relatively few domains for (hopefully cooperating) IoT devices).  As you point out, it won’t tackle shared IP addresses, and quite frankly, little CPE gear won’t scale with a gazillion iptables entries (I’m not sure big gear would either).
> 
> Link?
> 


Sure.  It’s my branch off of dnscap: https://github.com/elear/dnscap.  See plugins/aclm.  Limited doc is available, but anyone who wants to play just let me know.

Eliot
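An added illustration of the answer-to-iptables idea the quoted paragraph describes (this is example code written for this page, not Eliot's dnscap aclm plugin): parse the ANSWER section of a DNS response on the wire, and emit an iptables ACCEPT rule for each A record whose owner name is on an allowlist. The domain names, addresses, client IP and the response bytes are all constructed.

```python
import struct
import ipaddress

def _read_name(msg, off):
    """Decode a DNS name at offset, following compression pointers (RFC 1035)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def answer_a_records(msg):
    """Return (owner_name, ipv4) for every A record in the ANSWER section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, out = 12, []
    for _ in range(qdcount):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:     # A record, class IN
            out.append((name, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return out

def iptables_rules(msg, client_ip, allowlist):
    """ACCEPT rules for answers whose owner name is allowlisted. Caveat from the
    thread: rules are per IP, so other names on a shared address get through too,
    and the rule count grows with every distinct answer the client receives."""
    return [f"iptables -A FORWARD -s {client_ip} -d {ip} -j ACCEPT"
            for name, ip in answer_a_records(msg) if name in allowlist]

# Constructed sample response: two A records for the allowlisted name (0xC00C
# pointers back to the question name) and one A record for a name outside it.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
          + b"\x06update\x07example\x03net\x00" + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 11])
          + b"\x05other\x07example\x03org\x00" + struct.pack("!HHIH", 1, 1, 300, 4)
          + bytes([198, 51, 100, 7]))
ALLOWLIST = {"update.example.net."}   # constructed allowlist
```

Running `iptables_rules(SAMPLE, "10.0.0.5", ALLOWLIST)` yields two rules for 192.0.2.10 and 192.0.2.11 and none for 198.51.100.7; the rules are returned as strings rather than executed so the output can be reviewed before it touches a firewall.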