Re: [DNSOP] NSA says don't use public DNS or DoH servers

Paul Vixie <> Fri, 22 January 2021 01:59 UTC

On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
> "John Levine" <> writes:
> > They think DoH is swell, but not when it bypasses security controls
> > and leaks info to random outside people
> At least 15% of network operators seem to agree.

i think the makers of canary-respecting DNS stub resolvers are still
figuring things out, and that if canary domains become prevalent,
especially among surveillance capitalist ISPs or surveillance
authoritarian states, the days of canary domains will change or end.

for my own networks, i won't install a canary domain, because that's
a late-imposed change, unreliable, and a negative externality. any
stub resolver who uses any DNS service other than the one i hand out
in my DHCP assignments will be removed from the network.

(new behaviour should require new signalling. let networks who want to
permit DNS bypass either by "use" or "use DoH" or otherwise,
signal this by adding a new canary domain, or a new DHCP option.
absent new signalling, behaviour should not change.)

Paul Vixie
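One way a network operator could audit the policy stated in this post (any client talking to a DNS service other than the DHCP-assigned resolvers gets flagged), as an added example that is not from the post or the list: Python run over constructed flow-log lines. The resolver addresses, the DoH endpoint list and the log format are assumptions.

```python
from collections import defaultdict

# Constructed sample: the resolvers this network hands out via DHCP.
DHCP_DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample: addresses the operator has identified as DoH endpoints
# (placeholder values; a real deployment maintains its own list).
KNOWN_DOH_ENDPOINTS = {"203.0.113.7"}

# Constructed flow-style log lines: "<client> <dst_ip> <dst_port> <proto>".
SAMPLE_FLOWS = """\
192.0.2.10 192.0.2.53 53 udp
192.0.2.10 192.0.2.53 53 tcp
192.0.2.11 198.51.100.1 53 udp
192.0.2.12 198.51.100.9 853 tcp
192.0.2.13 203.0.113.7 443 tcp
192.0.2.10 203.0.113.5 443 tcp
"""

def parse_flow(line):
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto

def classify(dst, port, proto):
    """Return a reason string if the flow looks like DNS that bypasses the
    DHCP-assigned resolvers, otherwise None."""
    if port == 53 and proto in ("udp", "tcp"):
        return None if dst in DHCP_DNS_SERVERS else "plain-DNS-to-foreign-resolver"
    if port == 853 and proto == "tcp":
        # DNS over TLS is identifiable by port alone; only the assigned resolvers are allowed.
        return None if dst in DHCP_DNS_SERVERS else "DoT-to-foreign-resolver"
    if port == 443 and proto == "tcp" and dst in KNOWN_DOH_ENDPOINTS:
        # DoH shares port 443 with ordinary HTTPS, so only a known-endpoint list can flag it.
        return "DoH-to-known-endpoint"
    return None

def find_bypassing_clients(log_text):
    """Map each offending client address to the sorted list of reasons observed."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = parse_flow(line)
        reason = classify(dst, port, proto)
        if reason:
            findings[src].add(reason)
    return {client: sorted(reasons) for client, reasons in findings.items()}

if __name__ == "__main__":
    for client, reasons in find_bypassing_clients(SAMPLE_FLOWS).items():
        print(client, ", ".join(reasons))
```

The 443/tcp flow to an unlisted address is deliberately left unflagged: without an endpoint list or TLS-level inspection, DoH is indistinguishable from other HTTPS in flow data.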