Re: [DNSOP] NSA says don't use public DNS or DoH servers

Stephane Bortzmeyer <> Fri, 22 January 2021 08:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C9E973A11F2 for <>; Fri, 22 Jan 2021 00:51:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2pVRSsm7QPrW for <>; Fri, 22 Jan 2021 00:51:07 -0800 (PST)
Received: from ( [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9AE613A11BD for <>; Fri, 22 Jan 2021 00:51:07 -0800 (PST)
Received: from (localhost []) by (Postfix) with SMTP id A41BD28156B; Fri, 22 Jan 2021 09:51:04 +0100 (CET)
Received: by (Postfix, from userid 500) id 4136328156D; Fri, 22 Jan 2021 09:50:59 +0100 (CET)
Received: from (unknown []) by (Postfix) with ESMTP id 398E7281567; Fri, 22 Jan 2021 09:50:59 +0100 (CET)
Received: from ( []) by (Postfix) with ESMTP id 35D1760911A0; Fri, 22 Jan 2021 09:50:59 +0100 (CET)
Received: by (Postfix, from userid 1000) id 23B9140221; Fri, 22 Jan 2021 09:50:34 +0100 (CET)
Date: Fri, 22 Jan 2021 09:50:34 +0100
From: Stephane Bortzmeyer <>
To: John Levine <>
Message-ID: <>
References: <20210118212720.5E3806B53EC8@ary.qy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20210118212720.5E3806B53EC8@ary.qy>
X-Operating-System: Debian GNU/Linux 10.7
X-Kernel: Linux 4.19.0-13-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version:, Antispam-Engine:, Antispam-Data: 2021.1.22.84219, AntiVirus-Engine: 5.79.0, AntiVirus-Data: 2021.1.22.5790000
Archived-At: <>
Subject: Re: [DNSOP] NSA says don't use public DNS or DoH servers
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jan 2021 08:51:17 -0000

On Mon, Jan 18, 2021 at 04:27:20PM -0500,
 John Levine <> wrote 
 a message of 18 lines which said:

> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people 

I will certainly do as the NSA says, since they are experts in
privacy-related issues (and in random numbers since they call "random"
the resolver that is configured in my browser) but, to add fuel to the
fire, the people at JSOF who discovered the DNSpooq vulnerability just
said the opposite:

"A good workaround would be to use DNS-over-HTTPS (DoH) or
DNS-over-TLS (DoT)," Oberman said.

"Another option would be to statically configure a trusted DNS server,
like Cloudflare or Google DNS servers, so that DNS requests are not
handled by the home router and go directly to the [remote] DNS server.