Re: [DNSOP] NSA says don't use public DNS or DoH servers

Paul Vixie <paul@redbarn.org> Fri, 22 January 2021 02:58 UTC

Date: Fri, 22 Jan 2021 02:58:32 +0000
From: Paul Vixie <paul@redbarn.org>
To: Tom Pusateri <pusateri@bangj.com>
Cc: dnsop@ietf.org
Message-ID: <20210122025832.je52c5ys4dwbbmej@family.redbarn.org>
References: <20210122015902.jjuvgrxsok5ou5z3@family.redbarn.org> <2C89C47C-243F-4A42-86EE-019C8497EA47@bangj.com>
In-Reply-To: <2C89C47C-243F-4A42-86EE-019C8497EA47@bangj.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d7AkSqrDgxOEqUBn70k3fZ0l770>

On Thu, Jan 21, 2021 at 09:10:25PM -0500, Tom Pusateri wrote:
> 
> > On Jan 21, 2021, at 8:59 PM, Paul Vixie <paul@redbarn.org> wrote:
> > 
> > (new behaviour should require new signalling. let networks who want to
> > permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> > signal this by adding a new canary domain, or a new DHCP option.
> > absent new signalling, behaviour should not change.)
> 
> Would it be ok to allow DNSSEC signed responses from any server? If they're signed and verified, does it matter how you got them?

no. if my dns firewall is whiting out a DGA botnet's C&C, or any answer
having an IP from a known-malicious ISP, or served by a known-bad name
server name (or IP)... then i want them whited out, period, for all end
systems on my network. DNS is part of my control plane and i'm not going
to negotiate with app or device makers as to why that's so or what i mean.

see also parental controls, corporate compliance controls, university
compliance controls, or any of the other use cases to be found here:

https://dnsrpz.info/

-- 
Paul Vixie
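The four kinds of block mentioned in the reply above (a C&C name, an answer address from a bad netblock, a bad name server by name, a bad name server by address) correspond one-to-one to the QNAME, IP, NSDNAME and NSIP triggers of DNS RPZ. The following is an added example written for this archive page; it is not code from the post, from ISC or from dnsrpz.info. It parses a small constructed policy zone in the standard RPZ trigger encodings and evaluates constructed responses in RPZ trigger order. All names (dga-c2-example.test, bad-ns.test, walled-garden.test, the ns*.test hosts) and all addresses (RFC 5737 / documentation ranges) are made up for the example. Simplifications, stated as assumptions: IPv4 only, a single policy zone, no CLIENT-IP trigger, and actions are returned as labels rather than applied to a real DNS message.

```python
"""Toy evaluator for DNS RPZ (Response Policy Zone) triggers.

Added example: QNAME, IP, NSDNAME and NSIP triggers, evaluated in the
order RPZ specifies. Assumptions: IPv4 only, one policy zone, no
CLIENT-IP trigger, actions reported as labels.
"""
import ipaddress

# Constructed sample policy zone (owner names relative to the zone apex).
SAMPLE_RPZ = """\
; QNAME triggers: the DGA C&C domain and everything under it -> NXDOMAIN
dga-c2-example.test            CNAME .
*.dga-c2-example.test          CNAME .
; an exact owner beats the wildcard, so this host is let through untouched
allowed.dga-c2-example.test    CNAME rpz-passthru.
; IP trigger: any answer inside 192.0.2.0/24 (a "known-malicious ISP") -> NODATA
24.0.2.0.192.rpz-ip            CNAME *.
; NSDNAME trigger: anything served by ns1.bad-ns.test -> walled-garden CNAME
ns1.bad-ns.test.rpz-nsdname    CNAME walled-garden.test.
; NSIP trigger: anything served by a name server at 198.51.100.7 -> DROP
32.7.100.51.198.rpz-nsip       CNAME rpz-drop.
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def decode_ip_trigger(labels):
    """'24.0.2.0.192' -> 192.0.2.0/24: prefix length, then octets reversed."""
    prefix, rev = labels[0], labels[1:]
    return ipaddress.ip_network(".".join(reversed(rev)) + "/" + prefix, strict=False)


def parse_rpz(text):
    """Parse 'owner CNAME target' lines into one table per trigger kind."""
    policy = {"qname": {}, "ip": {}, "nsdname": {}, "nsip": {}}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        owner, rrtype, target = line.split()
        if rrtype.upper() != "CNAME":
            raise ValueError("only CNAME policy records are handled: " + raw)
        action = SPECIAL_TARGETS.get(target.lower(), ("CNAME", target.lower()))
        labels = owner.lower().rstrip(".").split(".")
        if labels[-1] == "rpz-ip":
            policy["ip"][decode_ip_trigger(labels[:-1])] = action
        elif labels[-1] == "rpz-nsip":
            policy["nsip"][decode_ip_trigger(labels[:-1])] = action
        elif labels[-1] == "rpz-nsdname":
            policy["nsdname"][".".join(labels[:-1])] = action
        else:
            policy["qname"][".".join(labels)] = action
    return policy


def match_name(table, name):
    """Exact owner first, then the closest enclosing wildcard (DNS rules)."""
    name = name.lower().rstrip(".")
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = table.get("*." + ".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def match_ip(table, addrs):
    """Longest-prefix match over every address in the set."""
    best = None
    for a in addrs:
        ip = ipaddress.ip_address(a)
        for net, action in table.items():
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, action)
    return None if best is None else best[1]


def evaluate(policy, qname, answer_ips=(), ns_names=(), ns_ips=()):
    """Apply triggers in RPZ order: QNAME, IP, NSDNAME, NSIP. Returns the
    action or None. Note what is not an input: whether the answer carried a
    valid DNSSEC signature; the policy looks only at what the answer says."""
    hit = match_name(policy["qname"], qname)
    if hit is None:
        hit = match_ip(policy["ip"], answer_ips)
    if hit is None:
        hit = next((h for h in (match_name(policy["nsdname"], n) for n in ns_names)
                    if h is not None), None)
    if hit is None:
        hit = match_ip(policy["nsip"], ns_ips)
    return hit


if __name__ == "__main__":
    pol = parse_rpz(SAMPLE_RPZ)
    # constructed responses: (qname, answer IPs, NS names, NS IPs)
    for q, a, n, ni in [
        ("xk3q.dga-c2-example.test", ["203.0.113.5"], ["ns1.ok.test"], ["203.0.113.53"]),
        ("allowed.dga-c2-example.test", ["192.0.2.9"], ["ns1.ok.test"], ["203.0.113.53"]),
        ("www.innocent.test", ["192.0.2.10"], ["ns1.ok.test"], ["203.0.113.53"]),
        ("cdn.other.test", ["203.0.113.7"], ["ns1.bad-ns.test"], ["203.0.113.99"]),
        ("shop.other.test", ["203.0.113.8"], ["ns9.elsewhere.test"], ["198.51.100.7"]),
        ("clean.test", ["203.0.113.9"], ["ns1.ok.test"], ["203.0.113.53"]),
    ]:
        print(f"{q:30s} -> {evaluate(pol, q, a, n, ni)}")
```

The second case shows why PASSTHRU is listed as a QNAME record even though the answer address falls in the blocked /24: QNAME triggers are evaluated before IP triggers, so a match there ends evaluation for that zone. A real resolver (BIND, Unbound, Knot, PowerDNS) also consults several policy zones in order, supports IPv6 triggers, and applies the action to the message rather than returning a label; none of that changes the point that the policy keys on the content of the answer, not on how or from whom it was obtained.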