Re: [DNSOP] NSA says don't use public DNS or DoH servers

Stephane Bortzmeyer <bortzmeyer@nic.fr> Fri, 22 January 2021 08:51 UTC

Date: Fri, 22 Jan 2021 09:50:34 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: John Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Message-ID: <20210122085034.GA25123@nic.fr>
References: <20210118212720.5E3806B53EC8@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Jrb550GolhC4V_eDx2GcIffFHSM>
Subject: Re: [DNSOP] NSA says don't use public DNS or DoH servers

On Mon, Jan 18, 2021 at 04:27:20PM -0500,
 John Levine <johnl@taugh.com> wrote 
 a message of 18 lines which said:

> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people 

I will certainly do as the NSA says, since they are experts in
privacy-related issues (and in random numbers since they call "random"
the resolver that is configured in my browser) but, to add fuel to the
fire, the people at JSOF who discovered the DNSpooq vulnerability just
said the opposite:

https://www.zdnet.com/article/dnspooq-lets-attackers-poison-dns-cache-records/

"A good workaround would be to use DNS-over-HTTPS (DoH) or
DNS-over-TLS (DoT)," Oberman said.

"Another option would be to statically configure a trusted DNS server,
like Cloudflare or Google DNS servers, so that DNS requests are not
handled by the home router and go directly to the [remote] DNS server.