Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

Erik Kline <ek@loon.co> Wed, 13 March 2019 23:13 UTC

References: <CADWWn7UZj3oAfqpcpnAenGDpZHatrvQ=97OxAWX8c3881oevhA@mail.gmail.com> <CADWWn7UVzu7SqP7AC4Vz_7gEM9Z04bPuvjZhpiBM68CphGOC=A@mail.gmail.com> <CAAedzxpRdrkw0k2Bh=5Scf55opgstzALUuLL_OvCM-ktKO_DWw@mail.gmail.com> <2083573.F0CxRkBYam@linux-9daj>
In-Reply-To: <2083573.F0CxRkBYam@linux-9daj>
Reply-To: ek@loon.co
From: Erik Kline <ek@loon.co>
Date: Wed, 13 Mar 2019 16:12:50 -0700
Message-ID: <CAAedzxpsQTmrnDymVeevj-msEFACCFeVegY0qqfWCY=rSH17TQ@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org>, IETF DNSOP WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dsEJHVLuzN9yVU_0fuEvSf7Kma0>
Subject: Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

On Wed, 13 Mar 2019 at 16:10, Paul Vixie <paul@redbarn.org> wrote:

> On Wednesday, 13 March 2019 19:23:55 UTC Erik Kline wrote:
> > > If there is a malicious user or app on a network that someone is
> > > trying to protect, isn't the very existence of these players the
> > > actual issue that needs to be addressed?
> >
> > I tend to think this is the real issue.  Any app can craft its own
> > non-cleartext-DNS name resolution service; DoH makes it a bit easier
> > perhaps, but not much (viz. JSON DNS, etc...).
>
> if you guys would appreciate a half day seminar on network security
> economics, in which the value of anomalousness will figure prominently,
> let's meet up.
>

I'd be a fool to turn down such an offer.  Thank you.

> > My suspicion is that controlling a network's DNS is less and less likely
> > to be a decent control point for network security w.r.t. the craftier
> > apps.
>
> your suspicion directly contradicts both my long-term and recent
> experience.
>
> > I'm sure the monitoring and interference with things looking up
> > "really-evil.evil" still has some value.  But much more sophistication is
> > probably required nowadays to deal with even moderately competent
> > adversaries...I suspect.
>
> alas, meeting only the most competent adversaries is not a choice we can
> make.
>
> vixie