Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Tue, 21 August 2018 15:01 UTC

Return-Path: <vladimir.cunat@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279B5130EE9 for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 08:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.019
X-Spam-Level:
X-Spam-Status: No, score=-6.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WTnclwfKXdW9 for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 08:01:20 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 487A8130F05 for <dnsop@ietf.org>; Tue, 21 Aug 2018 08:01:20 -0700 (PDT)
Received: from [IPv6:2001:718:1a02:1::3e0] (unknown [IPv6:2001:718:1a02:1::3e0]) by mail.nic.cz (Postfix) with ESMTPSA id 9DF23616FA; Tue, 21 Aug 2018 17:01:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1534863678; bh=WcUgXsf5Boerie7Ta9228ZkNzeg+xUa3CZKvpjToCuE=; h=To:From:Date; b=xCrR1blI9C+JmzueAiw+X77OB/ffQPLQss25xSDewLimrctF5y4xBQI5XI7XwV6wB /ZaN46/4j77mNWHbjWRSWMrprj1h+1FnXCRJw0qdgLIQ71cwo0aNPiwv/H/jwsC/lJ cFHCYXRwNOt7q5FB0xndahLXYye01eFSfqIYk8lM=
To: Philip Homburg <pch-dnsop-3@u-1.phicoh.com>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1=-792WkQmbTigPdqOh0dONykYycG0hheOecoQa4ai=Hw@mail.gmail.com> <CAC=TB11tG4o0dkavXGb20=DGBCrmVoRP60bpzsvq5=Q0zFjhDg@mail.gmail.com> <CAPt1N1kj7Y0dPLeDk=PMqQEpAd-Mvds6VLT8XUC1BYOfdyUbJA@mail.gmail.com> <CAC=TB125M81nwiCTNr8Vbee+Z7Fh_3L+6EdZ8evXVzP-2ji4fg@mail.gmail.com> <CAPt1N1n9hDUZQ-Ltvs73T20=fpG-FR_j-t4m0kMapDiv2Us1kw@mail.gmail.com> <5B78BFB9.40103@redbarn.org> <47508D79-0D49-4F31-9BA6-6DC80C38F1DE@cable.comcast.com> <ad1f6dff-ebcc-97a9-6f4b-1ed683827cc7@dougbarton.us> <1313743534.13562.1534765718802@appsuite.open-xchange.com> <9AFE57A7-1D27-4F86-9013-E3C63E63C582@hopcount.ca> <5B7AE322.3020201@redbarn.org> <CAPt1N1m-Xd-7rvgmk8GOsx34=1hsu76nmTgW-8krC3JF7i57KQ@mail.gmail.com> <265867956.15518.1534783313366@appsuite.open-xchange.com> <CAPt1N1myrdOywur35rXRab2QCrhFiJ0vS4wnT_Pof0epdOPz7A@mail.gmail.com> <471139805.18285.1534847636363@appsuite.open-xchange.com> <m1fs7wB-0000GtC@stereo.hq.phicoh.net>
Cc: dnsop@ietf.org
From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Openpgp: preference=signencrypt
Autocrypt: addr=vladimir.cunat+ietf@nic.cz; prefer-encrypt=mutual; keydata= xsFNBFgDknYBEADHEQwLBlfqbVCzq7qYcBFFTc1WCAFtqiKehOrsITnKusZw4nhYwlKQxcum gj01xJOhbfHBCBeGlDydYqemKg4IfY2nwSyPwZZYMJn7L7AGrCeytr4VMvDJ7o7qDZjjim4i fv+GUwdk3plXx6oMF4nctesI8aAOuLUHAn0PfrGfNhWoaglOKgdOI6DGjhI/aGkvy+jrI/+X sdMV+3f1RuEOfI+Yu4SXFjJyhAmqEOBRxxdHqKreIIpz3Lg38yWwiVGfwgQT+nFIz9BpHH3l Wg1uS8xM3ezceBmRYV8zT9PvbeZ57BlaTR6rLae5RYwV397PSLBqqLkB5H0TDRUFBnwBsUob LebYHmJCOydvyNv5AFkLmLZ7O4j2jFo1WPSMt3ThM6wRwqrnB4Gi+6onyrZfE1DnVZMqbxZ3 VXa+E4S5YwrfCLUErGEn+d40OtoRZmQXhRPVAsdjimMj9oFM9RoxSgUrDg6Ia3n0IrKFb++z HAFbqkR5g4qzXiOMEG621GYEex2sDEKz/PD4CVKlNI9eld4ToH592kAwzJmd+sAi+Rfos0NE zxuFd0ekAOeWoURo0zoYTSWPlMOmFMvcpH6LP3leJmY7x4z/b1ng/+7UnKonVALVPFbRbElO kIfAtLKcUEofwV1jr7DyYGPalJtiDJPomB041ZHCj2RxyXY/oQARAQABzTBWbGFkaW3DrXIg xIx1bsOhdCAod29yaykgPHZsYWRpbWlyLmN1bmF0QG5pYy5jej7CwZcEEwEIAEECGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQS2AGRgtgqA54IGJEnnR98flXWjqgUCWcjP 7AIZAQAKCRDnR98flXWjqm8lEACTETgda85SApnaGB5dBzpCFf4cGLlB88uALlsLUGQJNxte 490q5lk92Dkn/7QYZu2pZImddZcvUPVVlazqWmAz0ByWxufReewdJfi6TJp+tH2/XsKdQwxe BeiCBOzVreN3jG9rRANCr3AOu73hxlTquwGyOKZ4299GSIbpu4Aepkk9uUJDpUMj04+ikemT 6tX3cGPeAtWetskAo00eWNzEVFXsPVcLX1oUmOsaMQhgEK/ErboyDdVgyb+OjvWdrIVbJLr9 loQ9MJVAKquBfr7gAJej+0xNLIVDzJQxcqaoxlc0rKeOXsp5EvTyILaxngHl7tx6673nG//g PMiZB/kRMFsBLGLKtIdFFvrS0OyTCOHukXFkYdbQb8cBPdKzfA9uSw/DGwxMh+A4sGpKIfDZ lL3ZjcNBtTUofVdZJh2HAICb2oXeQpnJlg6IoMj0pnfBsXR7unb1y+SYnwNte3GYumzsnvDk 57lQipUevgZii+1K7NFL4DFQSkFZ5A6fEo17r+gQea4sZ10dwTpTzBQYa7PzqCeFT6v219KQ D9oVRx0EiIiKphLMymqOo0YoPvbuTvsNsnNu46MJcX5xiLIIr8q/Jhzdcw0rvVcjvL29qVZu 3jM3KOCTIqOJlJwJoe/QDssNqUXuA6Gylx693R1qmy2Qy/8e8mDz3So7s7Ho3M7BTQRYA5J2 ARAAyHww3huLEtsdyqgjiGMhtEKOLmp7yFl450HY9oPcHS02U5BC1370ssNShrdOCi2ACDbe 41Zxx85WcuaO1OVqung2umX047mj2xQsiTAFRDLZsQu8cQFoEy/DBL2bk7ThfK1Lh+NyZAs0 UaPpDkGodS0De9osA+4T6Nf4POYaeavbYVFSdDKS4lUboBqApKnD/TzKFxFcpuFx6FN92lte TbOojGMiLoZvELY86Kn9KuFZ8FM2ZSNHx1Z75KouufGrdkeCoZYVYiuzT+fnt2it4dIpIlnF +yxMt5LB/MSrmECB5CAFJtxzuMccm6yDUZQSWWi9vUgxIJwvt5w0CIBT353DGeP4WnH0r5Yo BKoRbh7i4fT0lWvMXTG/V2lqyzBdClMebyHffMgba26Kj6oeDygDfC5aGsVaqw1Ue/qQ5QRq TJcJV7xVLTtS1EamVqkfKwPS0zTfnrF1jQtnO/P4qkfgBRRG9BXGGrykHpXOyqmX6Z0wbV2P 4j+p02oSecDl5yVXplJfsXfbS/xXnaSkaN/7mCU29ul26cAVNxDkDPunztSFi9K9LM2T/XWY JQGXM71OpmONQJGF24lx7Wp/kobnHtbjGDzjDPC4eSL7MA56qtrWaLM+4ePKANct2q0q6c0u SLs0Q2zochS64Mcg0YzL1sinWPN1rXLDk3lwpIsAEQEAAcLBZQQYAQgADwUCWAOSdgIbDAUJ CWYBgAAKCRDnR98flXWjqn4yEACA0f1XBAg+WMaNPtIt0k15yFPfhdbOg9GhDcYGgvFIOxRu aFWw9SLUt7OGuUnIpKxKRXtQJss98fHkijo70ONYWPuLhfRGK/wg9Ao6MuFw5G8m431CBS/a wrieb6iPjvAARXJCPTTBZk/NC988jiKdCh8PbTCHDsl+gSDytP15QUrdqSfS2Wf4653ej7+j tuTjxZzmGgvNSi6JDlb9KNtmBQKQAgpnOQM46ItESmzHDnmdcvhPLUDsjwkpIJ6clasOzaOb wxJiba7iFPcGwcClCSwYjMNXFtneCGUnEAa5RBIx+i+LV1iqB3VRvTC6tMIUueoQ7cdTy6af NkhwQYXm4/pDmNT8UMdnzwnlTpFQ0CegDQRDWc+dIDDBHGEEEYBh2vTOE04KrmYUp1bQsNeg PfvLwoHib0jEvohPMJ2fJtZAd1SJElgwPbM8H7emKBiTsHwF8gL7G2jo7AoGpqYjqXkCRS0t SLTNr+qHh+7Ltrkbu/ZVTTfh4Q/qw3VaLYQh4C0tBma/YevQy1O2c3TZXXFz1QF8b9/Hj/3s q2KgT1AcZ51E+xG+cb6cUqgkihmgm39xx24GPlNAdCRuq01+iILol+Wox6OwF6hmqx1EMSmx cmGoUREr0rkMnFVsWeAYeVoE4q689qxCPu9iCMJMJnkRe1o9oQYSN7my+S98gA==
Message-ID: <63b113eb-9372-b622-b346-5d926f0b5d9a@nic.cz>
Date: Tue, 21 Aug 2018 17:01:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.0
MIME-Version: 1.0
In-Reply-To: <m1fs7wB-0000GtC@stereo.hq.phicoh.net>
Content-Type: multipart/alternative; boundary="------------8D05A92FA48D00077DE5882F"
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XuUSHXenxXNSbiqW-oTQ7vYZ940>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 15:01:28 -0000

On 08/21/2018 04:47 PM, Philip Homburg wrote:
>> If I got it well, what you are trying to bypass is your ISP's
>> security filter that prevents you from connecting to malware or to
>> illegal content (e.g. intellectual property violations and the
>> likes). 
> As a user, I think there is little reason to trust an ISP.
>
> If you take a mobile device, do you trust every hotel, bar, etc. where you
> may connect to the wifi? Are they all competent? Are you sure none of them will
> violate your privacy?

Then you have a problem that's not solvable in DNS itself (yet).  That's
what people usually forget to consider.

The hostnames are clear-text in https hanshakes (so far), and it seems
relatively easy to collect those.  So, by tunneling *only* DNS you don't
make it much more difficult for the ISP, and in addition you share the
names with some other party.  That doesn't sound very appealing to me
personally, from privacy point of view at least.  (On the other hand,
big resolvers will have lots of cached answers, etc.)

https://tools.ietf.org/html/draft-rescorla-tls-esni-00

After SNI encryption gets widely deployed, tracking through IP addresses
only will be somewhat harder, so there it will start getting
interesting.  Until then, IMHO you just need to either trust the ISP or
tunnel *all* traffic to somewhere, e.g. via tor or VPN to some trusted
party.

--Vladimir