Re: [DNSOP] NSA says don't use public DNS or DoH servers
Paul Vixie <paul@redbarn.org> Fri, 22 January 2021 01:59 UTC
Date: Fri, 22 Jan 2021 01:59:02 +0000
From: Paul Vixie <paul@redbarn.org>
To: dnsop@ietf.org
Message-ID: <20210122015902.jjuvgrxsok5ou5z3@family.redbarn.org>
References: <20210118212720.5E3806B53EC8@ary.qy> <ybl8s8lhng6.fsf@w7.hardakers.net>
In-Reply-To: <ybl8s8lhng6.fsf@w7.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GRl-0eM_RU5szLjUS5SU-O5JW_A>
On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
> "John Levine" <johnl@taugh.com> writes:
>
> > They think DoH is swell, but not when it bypasses security controls
> > and leaks info to random outside people
>
> At least 15% of network operators seem to agree.
>
> https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html

i think the makers of canary-respecting DNS stub resolvers are still figuring things out, and that if canary domains become prevalent, especially among surveillance capitalist ISPs or surveillance authoritarian states, the days of canary domains will change or end.

for my own networks, i won't install a canary domain, because that's a late-imposed change, unreliable, and a negative externality. any stub resolver who uses any DNS service other than the one i hand out in my DHCP assignments will be removed from the network.

(new behaviour should require new signalling. let networks who want to permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise, signal this by adding a new canary domain, or a new DHCP option. absent new signalling, behaviour should not change.)

-- 
Paul Vixie
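The policy stated above (only the DHCP-advertised resolver is permitted; anything else is treated as bypass) needs a detection step before an operator can act on it. The following is an added example, not code from the post or from any project mentioned in the thread: it classifies constructed flow records and flags clients that talk Do53 or DoT to an unsanctioned resolver, or TLS on 443 to an address or SNI name the operator has listed as a public DoH endpoint. The resolver address `192.0.2.53`, the client range `198.51.100.0/24`, the endpoint list (which includes `8.8.8.8` only because the post names it), the SNI list and the flow-record format are all assumptions made for the example.

```python
"""Flag DNS-bypass flows: local clients using any resolver other than the one
handed out via DHCP. Added example; all addresses and lists are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the resolver advertised by this network's DHCP server.
SANCTIONED_RESOLVERS = {"192.0.2.53"}
# Assumed: operator-maintained lists of public DNS endpoints to watch for.
# 8.8.8.8 appears because the post names it; the SNI entry is constructed.
KNOWN_PUBLIC_DNS_IPS = {"8.8.8.8"}
KNOWN_DOH_SNI = {"dns.example.net"}
# Assumed: the address range of clients this policy applies to.
LOCAL_NET = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    sni: str = ""  # TLS SNI if the collector exports it, else empty


def parse_flow(line):
    """Parse one constructed record: 'src dst proto dport [sni]'."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"bad flow record: {line!r}")
    src, dst, proto, dport = parts[:4]
    sni = parts[4] if len(parts) > 4 else ""
    return Flow(src, dst, proto.lower(), int(dport), sni)


def classify(flow):
    """Return a reason string if the flow bypasses the network resolver, else None."""
    if ip_address(flow.src) not in LOCAL_NET:
        return None  # only police our own clients
    if flow.dst in SANCTIONED_RESOLVERS:
        return None  # the resolver we hand out in DHCP
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        return "do53-to-unsanctioned-resolver"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot-to-unsanctioned-resolver"
    if flow.dport == 443 and flow.proto == "tcp":
        # Plain HTTPS is indistinguishable from DoH without a list; match on
        # known endpoint addresses or SNI names only.
        if flow.dst in KNOWN_PUBLIC_DNS_IPS or flow.sni in KNOWN_DOH_SNI:
            return "probable-doh-to-public-resolver"
    return None


def find_bypass(lines):
    """Return (src, dst, reason) for every record that violates the policy."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append((flow.src, flow.dst, reason))
    return findings


# Constructed sample records; the last one is a non-local source and is ignored.
SAMPLE_FLOWS = """
# src dst proto dport [sni]
198.51.100.10 192.0.2.53 udp 53
198.51.100.10 8.8.8.8 udp 53
198.51.100.11 8.8.8.8 tcp 443
198.51.100.12 203.0.113.7 tcp 853
198.51.100.12 203.0.113.8 tcp 443 www.example.com
198.51.100.13 203.0.113.9 tcp 443 dns.example.net
203.0.113.50 8.8.8.8 udp 53
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, reason in find_bypass(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

Run on the constructed records it reports four flows; the first record (to the DHCP-advertised resolver) and the ordinary HTTPS connection pass. The 443 rule depends entirely on the operator's endpoint and SNI lists, which is the practical reason the post asks for explicit signalling rather than resolvers guessing.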