Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Jacques Latour <Jacques.Latour@cira.ca> Wed, 20 March 2019 19:31 UTC

Return-Path: <Jacques.Latour@cira.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 456FF130FC7; Wed, 20 Mar 2019 12:31:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dE6smN2UWLe; Wed, 20 Mar 2019 12:31:55 -0700 (PDT)
Received: from mx2.cira.ca (mx2.cira.ca [192.228.22.117]) by ietfa.amsl.com (Postfix) with ESMTP id 993781288AB; Wed, 20 Mar 2019 12:31:55 -0700 (PDT)
X-Virus-Scanned: by SpamTitan at cira.ca
Received: from CRP-EX16-02.CORP.CIRA.CA (10.2.36.121) by CRP-EX16-02.CORP.CIRA.CA (10.2.36.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1531.3; Wed, 20 Mar 2019 15:31:54 -0400
Received: from CRP-EX16-02.CORP.CIRA.CA ([fe80::15c6:1482:4083:e9f7]) by CRP-EX16-02.CORP.CIRA.CA ([fe80::15c6:1482:4083:e9f7%13]) with mapi id 15.01.1531.010; Wed, 20 Mar 2019 15:31:54 -0400
From: Jacques Latour <Jacques.Latour@cira.ca>
To: Adam Roach <adam@nostrum.com>, Jared Mauch <jared@puck.nether.net>, "Brian Dickson" <brian.peter.dickson@gmail.com>
CC: Ted Hardie <ted.ietf@gmail.com>, DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>, paul vixie <paul@redbarn.org>, Michael Sinatra <michael@brokendns.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
Thread-Index: AQHU30jRzIqBQt8xXUeC8PFs/ddm0KYU5d0Q
Date: Wed, 20 Mar 2019 19:31:54 +0000
Message-ID: <37da69429cbf49e480db5355deafddd2@cira.ca>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <3457266.o2ixm6i3xM@linux-9daj> <CA+9kkMDkKQtBDrXx9h8331_6zDtcChUTfqFe0W3JByxyB=4xLw@mail.gmail.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <a38cf205-b10e-e8e2-62cf-8e0377dfc1ef@brokendns.net> <4599B066-BA82-4EA8-92C1-F1BE1464A790@puck.nether.net> <b8c58757-3945-ea19-b018-8e59292abf30@cs.tcd.ie> <CAH1iCirBm0NKA2-zw--ZKd3gN1ZCmwZ7_ZOSyaTk+2SMmrtxKg@mail.gmail.com> <EA89EA1A-A1EA-4887-9294-4F68AB5C3211@puck.nether.net> <6c5968b28fc04566aa71df4c6666e8e2@cira.ca> <81ec8759-fcaf-c559-de75-b08f25a75d81@nostrum.com>
In-Reply-To: <81ec8759-fcaf-c559-de75-b08f25a75d81@nostrum.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.16.4.56]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pEIlvQ2anQR789MrJtqgxEVy18o>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 19:31:58 -0000

It's not what you access, it's what you block, since reverse DNS is not a good solution in this instance, you need to map the DNS block list to it's IP addresses and block those IPs, and readjust based on TTL, you'll end up blocking more stuff than intended, huge mess, but if you can't trust the DNS to be clean then that's one option to enforce a security policy when browsers are using DoH. This should probably go in draft-livingood-doh-implementation-risks-issues

Jacques

>-----Original Message-----
>From: Adam Roach <adam@nostrum.com>;
>Sent: March 20, 2019 2:15 PM
>To: Jacques Latour <Jacques.Latour@cira.ca>;; Jared Mauch
><jared@puck.nether.net>;; Brian Dickson <brian.peter.dickson@gmail.com>;
>Cc: Ted Hardie <ted.ietf@gmail.com>;; DoH WG <doh@ietf.org>;; dnsop
><dnsop@ietf.org>;; paul vixie <paul@redbarn.org>;; Michael Sinatra
><michael@brokendns.net>;; Stephen Farrell <stephen.farrell@cs.tcd.ie>;
>Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
>
>On 3/20/19 12:59 PM, Jacques Latour wrote:
>> I'm trying to balance in my mind the requirements to protect the DNS
>> vs. what is happening on the wire, in the end, the browser will
>> connect to an IP address which can be (in most case) mapped to a
>> domain name
>
>
>I don't think this second assertion is true in 2019. See if you can make even a
>first-order reasonable guess what I'm accessing at 172.217.1.129 or
>23.227.38.32 or 52.40.19.98 or 216.105.38.15 or 104.20.1.85.
>
>(Hint: I took these all from sites I visit frequently, and none are particularly
>obscure sites)
>
>/a