Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Ted Lemon <mellon@fugue.com> Tue, 19 March 2019 13:10 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <0E83C55B-2546-4C8B-80DB-8E8403C8CA47@fugue.com>
Date: Tue, 19 Mar 2019 09:10:31 -0400
In-Reply-To: <A6C66F6C-2663-4AF0-B318-04CE66129D14@cisco.com>
Cc: DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>
To: Eliot Lear <lear@cisco.com>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <1900056.F7IrilhNgi@linux-9daj> <CA+9kkMCgmzjbPM+DTUYuS3OsT+wOCmsyaGPg6fPu=w-ibL=NrA@mail.gmail.com> <CAAiTEH_umx5Xqa24TywQ_BX_Lpo6piwRWPLWhADkh-PnM20vcg@mail.gmail.com> <A6C66F6C-2663-4AF0-B318-04CE66129D14@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/13ypoqb39HRbxynt1Ksql1eUSvM>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

On Mar 19, 2019, at 3:50 AM, Eliot Lear <lear@cisco.com> wrote:
> It might also be possible to whitelist ANSWERs into iptables. I wrote the code for that for a dnscap plugin some years ago, and you could even play with it if you want (it’s on GitHub), but I’m not suggesting it’s a good general answer (it was intended for a very specific use case involving relatively few domains for (hopefully cooperating) IoT devices). As you point out, it won’t tackle shared IP addresses, and quite frankly, little CPE gear won’t scale with a gazillion iptables entries (I’m not sure big gear would either).

Link?
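As an added illustration of the approach Eliot describes above (this is not his dnscap plugin and not code from the thread): a Python sketch that pulls A records out of DNS responses, turns answers for allowlisted names into iptables rules, and surfaces the two caveats he raises, namely a shared IP that answers for both an allowed and a non-allowed name, and a rule budget that a small CPE box would exhaust. The sample responses, the allowlist, the rule format and the budget are constructed assumptions for the example.

```python
"""Hypothetical sketch: derive firewall allow rules from observed DNS ANSWERs.

Not the dnscap plugin mentioned in the thread. DNS messages are built inline
so the example runs offline; allowlist, rule syntax and rule budget are
assumptions chosen for illustration.
"""
import struct
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    ip: str
    ttl: int


def _read_name(msg: bytes, off: int):
    """Decode a DNS name (handles RFC 1035 compression pointers).
    Returns (name, offset just past the name in the original position)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # resume after the pointer
            off, jumped = ptr, True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), (end if jumped else off)


def parse_a_answers(msg: bytes):
    """Return the IN A records from the ANSWER section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record only
            out.append(Answer(name, ".".join(map(str, rdata)), ttl))
    return out


class AnswerWhitelist:
    """Turn answers for allowlisted names into iptables ACCEPT rules."""

    def __init__(self, allowed, max_rules=64):
        self.allowed = {n.lower().rstrip(".") for n in allowed}
        self.max_rules = max_rules      # stand-in for a small CPE rule budget (assumed)
        self.seen = {}                  # ip -> names observed resolving to it
        self.rules = {}                 # ip -> ttl, only for allowed answers

    def observe(self, msg: bytes):
        """Return the iptables commands to add for newly allowed IPs in msg."""
        cmds = []
        for a in parse_a_answers(msg):
            self.seen.setdefault(a.ip, set()).add(a.name)
            if a.name not in self.allowed or a.ip in self.rules:
                continue
            if len(self.rules) >= self.max_rules:
                raise RuntimeError("rule budget exhausted at %d entries" % len(self.rules))
            self.rules[a.ip] = a.ttl
            cmds.append('iptables -I FORWARD -d %s -j ACCEPT -m comment --comment "%s ttl=%d"'
                        % (a.ip, a.name, a.ttl))
        return cmds

    def shared_ips(self):
        """Allowed IPs that also answered for a name NOT on the list:
        the rule opens traffic to those names as well (the shared-IP caveat)."""
        return {ip: names for ip, names in self.seen.items()
                if ip in self.rules and names - self.allowed}


def build_response(qname, answers):
    """Construct a minimal DNS response for testing (answer names matching the
    question use a compression pointer to the question name)."""
    def enc(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = enc(qname) + struct.pack("!HH", 1, 1)
    for name, ip, ttl in answers:
        owner = b"\xc0\x0c" if name == qname else enc(name)
        rdata = bytes(int(o) for o in ip.split("."))
        body += owner + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return hdr + body


if __name__ == "__main__":
    wl = AnswerWhitelist(["update.example"], max_rules=2)
    for cmd in wl.observe(build_response("update.example",
                                         [("update.example", "203.0.113.10", 300)])):
        print(cmd)
    wl.observe(build_response("evil.example", [("evil.example", "203.0.113.10", 60)]))
    print("shared:", wl.shared_ips())
```

The script only prints the rules; applying them, expiring them when the TTL lapses, and handling AAAA and CNAME chains are left out deliberately so the two caveats stay visible: after the second response, `shared_ips()` shows that the rule added for `update.example` also admits traffic to `evil.example`, and a third distinct allowed address trips the rule budget.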