[DNSOP] NSA says don't use public DNS or DoH servers

John Levine <johnl@taugh.com> Mon, 18 January 2021 21:27 UTC

Message-Id: <20210118212720.5E3806B53EC8@ary.qy>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ztExxBBYeMAq1vpAa0rNoa6VfpQ>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

They think DoH is swell, but not when it bypasses security controls
and leaks info to random outside people.

From the summary:

  Using DoH with external resolvers can be good for home or mobile
  users and networks that do not use DNS security controls. For
  enterprise networks, however, NSA recommends using only designated
  enterprise DNS resolvers in order to properly leverage essential
  enterprise cybersecurity defenses, facilitate access to local network
  resources, and protect internal network information. 

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2471956/nsa-recommends-how-enterprises-can-securely-adopt-encrypted-dns/
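The practical consequence of "use only designated enterprise DNS resolvers" is that the enterprise has to be able to notice when a host resolves names somewhere else: plain DNS or DNS-over-TLS sent to an outside resolver, or DoH hidden inside an ordinary HTTPS connection to a public provider. The following is an added example, not code from John Levine's post or from the NSA guidance, that audits constructed connection-log records against an assumed list of designated resolvers and an assumed list of public DoH hostnames; the log format (timestamp, source, destination, protocol, destination port, TLS SNI), the resolver addresses 10.0.0.53 and 10.0.1.53, and the DoH hostname list are all assumptions for illustration.

```python
"""Added example: flag DNS traffic that bypasses designated enterprise resolvers.

Not from the original post or the NSA article. The log format, the
designated resolver addresses and the public DoH hostnames are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: the enterprise's designated resolvers (NSA: use only these).
DESIGNATED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Assumed: TLS SNI values of well-known public DoH endpoints. DoH rides on
# port 443, so the destination port alone says nothing; the SNI is the only
# cheap signal, and a real deployment needs a maintained list.
PUBLIC_DOH_SNI = {
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Ports that are DNS by definition, whatever the SNI says.
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def audit_record(src: str, dst: str, proto: str, dport: int, sni: str):
    """Return a Finding for one connection record, or None if it is acceptable."""
    dst_ip = ipaddress.ip_address(dst)
    if dport in DNS_PORTS:
        # Plain DNS or DoT is fine only when it goes to a designated resolver.
        if dst_ip in DESIGNATED_RESOLVERS:
            return None
        return Finding(src, dst, f"{DNS_PORTS[dport]} to non-designated resolver")
    if dport == 443 and sni.lower().rstrip(".") in PUBLIC_DOH_SNI:
        # Looks like ordinary HTTPS, but the SNI names a public DoH service.
        return Finding(src, dst, f"DoH to public resolver (SNI {sni})")
    return None


def audit(lines):
    """Parse constructed log lines and return the findings in log order."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, proto, dport, sni = line.split()
        finding = audit_record(src, dst, proto, int(dport), sni)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log (assumed format: ts src dst proto dport sni).
SAMPLE_LOG = """\
# ts                    src        dst            proto dport sni
2021-01-18T21:27:20Z 10.0.5.12 10.0.0.53      udp 53  -
2021-01-18T21:27:21Z 10.0.5.12 8.8.8.8        udp 53  -
2021-01-18T21:27:22Z 10.0.5.40 1.1.1.1        tcp 443 cloudflare-dns.com
2021-01-18T21:27:23Z 10.0.5.40 93.184.216.34  tcp 443 example.com
2021-01-18T21:27:24Z 10.0.5.12 10.0.1.53      tcp 853 -
2021-01-18T21:27:25Z 10.0.5.77 9.9.9.9        tcp 853 dns.quad9.net
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

Two of the three bypasses in the sample are caught purely by port and destination; the DoH one is caught only because the SNI is visible. Encrypted ClientHello, a provider that colocates DoH with ordinary web content, or a DoH endpoint missing from the list all defeat the SNI check, which is why the guidance pairs detection with blocking and with configuring clients to use the enterprise resolver in the first place.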