Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Raymond Burkholder <> Wed, 13 March 2019 03:05 UTC

To: Ted Hardie <>, Paul Vixie <>
Cc: DoH WG <>, dnsop <>
References: <> <> <> <3457266.o2ixm6i3xM@linux-9daj> <>
From: Raymond Burkholder <>
Organization: One Unified Net Limited
Message-ID: <>
Date: Tue, 12 Mar 2019 21:05:10 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
X-List-Received-Date: Wed, 13 Mar 2019 03:05:19 -0000

On 2019-03-12 1:15 p.m., Ted Hardie wrote:
>     that's precisely the goal, because very few network operators can
>     preordain
>     the users and apps that will connect through their networks.

But there are more than just network operators.  There are security 
people at all levels of organizations who are extremely interested and 
who are empowered to manage/monitor what is happening inside a network. 
DoH removes much of this power.  I'm not sure if that is a 'good thing'.

> I do not believe this goal is met by what you describe, since an 
> application can use a proprietary resolution service in its flows.  
> Imagine for a moment an application on a smart TV that wants to provide 
> content from the closest server which contains that content.  It can use 
> a redirect from the original server when a new, closer server comes 
> online (or when a different server has that content), and it can provide 
> the mapping between that server and one or more addresses for that 
> server with the redirect, in whatever format its individual cache can 
> store.  All of this can take place within its confidential channel, 
> using whatever proprietary format they find convenient.  In that case, 
> the local network will see new flows to the new servers without having 
> observed the resolution event.  Blocking destinations for which you have 
> seen no resolution events will work for a subset of these cases, but it 
> won't work when the resolution points to a common CDN destination.  That 
> approach will, of course, also have a wide variety of failure modes when 
> the resolution event data is incomplete for timing or other reasons; it 
> will also block all of the flows which MUD would handle.

I think that is to be expected:  when a network operator (enterprise, 
home, organization) is dynamically adjusting IP-based rule-sets based 
upon what meta-data can be derived from flow inspection.  If a 
proprietary resolution service is used, then it is expected that 'by 
default blocks' will be performed if the traffic protection engine is 
not apprised of the change.

If DoH is implemented, then traffic, whether it be lookup, or otherwise, 
in a 'default drop' scenario is just going to have to be, well, 'default 
dropped'.  Brute force I guess is the protection mechanism.

So, I think, then, this begs the question: how can the needs/desires of 
those in charge of security be balanced with the needs/desires of those 
who desire to bypass inspection?

I guess the maxim 'my network, my rules' holds.  But what DoH will cause 
is an ever-increasing tightening of network rules.  With current passive 
DNS pass-through, DNSSEC and such can remain unmolested, but at least 
follow-on flows can be identified for forensic or security or policy 
purposes.  With DoH, this correlation cannot be performed, and thus, by 
default, a user's ability will be more restricted in order to prevent 
unknown unknowns from happening.

The only way around this, from a security operator's perspective, will be 
certificate insertion so that proxying can be performed. And we are back 
to what we currently have anyway.

Would a compromise be that, if someone requires personal security, the 
standard fall back would be to use a VPN?

>     to the extent
>     that monitoring ('dnstap') and controlling (DNS RPZ) dns lookups by
>     connected
>     users and apps is considered a vital local security policy, attempts
>     at such
>     "pass through" must be made to fail.
> Those are security mechanisms, rather than policy, and it may be worth 
> teasing apart what the actual desired security policy is.  You may find 
> that it is more easily implemented at the routing layer than the 
> resolution system in the light of proprietary resolution systems and DoH.

You've mentioned that 'security' is separate from 'policy' and then 
mention 'security policy'.  And I implicitly agree with the latter, 
security and policy go hand in hand, and are difficult to separate.

Handling at the routing layer is not possible.  Handling at the 
interrogation/interception/transparent-evaluation intelligence layers is 
where it begins.  This information then feeds the interior/perimeter 
protection layers.  The policies implement the security.

If the interrogation/interception/transparent-evaluation layers are 
unable to identify key interactions, then security is unable to be
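
The mechanism discussed above (default-drop of flows to destinations for 
which no resolution event was observed, RPZ-style blocking keyed on the 
resolved name, and the loss of that correlation once a client uses DoH) 
as an added, runnable example.  This is editor-added illustration code, 
not code from the thread, from dnstap, or from any RPZ implementation.  
The "dnstap-like" answer records, the flow records, the client addresses 
and the DoH resolver address 192.0.2.53 are all constructed for the 
example (documentation address ranges, not real hosts):

```python
"""Correlate follow-on flows with passively observed DNS answers.

Policy: a new flow from a client is allowed only if that client was seen
resolving the destination address over observable (plaintext) DNS within
the answer's TTL, and the resolved name is not on the blocklist.  Anything
else is default-dropped.  All inputs below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsAnswer:
    ts: float            # time the answer was seen on the wire (dnstap-like)
    client: str          # stub resolver / client that asked
    qname: str
    addresses: List[str]
    ttl: int


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


@dataclass
class Verdict:
    action: str          # "allow" or "drop"
    reason: str
    qname: Optional[str] = None   # name the destination was resolved from, if known


class FlowPolicy:
    """Default-drop engine fed by passive DNS observations."""

    def __init__(self, blocked_qnames: Tuple[str, ...] = ()):
        self.blocked = set(blocked_qnames)           # RPZ-style name blocklist
        # client -> destination address -> (qname, expiry timestamp)
        self.resolved: Dict[str, Dict[str, Tuple[str, float]]] = {}

    def observe_answer(self, ans: DnsAnswer) -> None:
        """Record which addresses a client learned for a name, honouring TTL."""
        table = self.resolved.setdefault(ans.client, {})
        for addr in ans.addresses:
            table[addr] = (ans.qname, ans.ts + ans.ttl)

    def decide(self, flow: Flow) -> Verdict:
        """Decide a new flow from the resolution events seen for its source."""
        entry = self.resolved.get(flow.src, {}).get(flow.dst)
        if entry is None:
            # No visible lookup preceded this flow: this is what a DoH (or
            # proprietary) resolution looks like from the network's side.
            return Verdict("drop", "no resolution event seen for destination")
        qname, expiry = entry
        if flow.ts > expiry:
            return Verdict("drop", "resolution expired (TTL)", qname)
        if qname in self.blocked:
            return Verdict("drop", "qname on policy blocklist (RPZ-style)", qname)
        return Verdict("allow", "destination resolved via observable DNS", qname)


def run_scenario() -> List[Verdict]:
    """Replay constructed DNS answers and flows in time order; return verdicts."""
    policy = FlowPolicy(blocked_qnames=("malware.test",))
    # Constructed plaintext Do53 answers seen from client 10.0.0.5.
    answers = [
        DnsAnswer(ts=0.0, client="10.0.0.5", qname="www.example.com",
                  addresses=["192.0.2.10"], ttl=300),
        DnsAnswer(ts=2.0, client="10.0.0.5", qname="malware.test",
                  addresses=["203.0.113.7"], ttl=60),
    ]
    # Constructed flows.  Client 10.0.0.6 resolves over DoH to a resolver at
    # 192.0.2.53 (constructed address), so none of its lookups are observable.
    flows = [
        Flow(ts=1.0, src="10.0.0.5", dst="192.0.2.10", dport=443),
        Flow(ts=3.0, src="10.0.0.5", dst="203.0.113.7", dport=443),
        Flow(ts=3.0, src="10.0.0.6", dst="192.0.2.53", dport=443),
        Flow(ts=4.0, src="10.0.0.6", dst="198.51.100.9", dport=443),
        Flow(ts=400.0, src="10.0.0.5", dst="192.0.2.10", dport=443),
    ]
    # Answers sort before flows at the same timestamp so a lookup that
    # immediately precedes its flow is credited to it.
    events = sorted([(a.ts, 0, a) for a in answers] + [(f.ts, 1, f) for f in flows],
                    key=lambda e: (e[0], e[1]))
    verdicts: List[Verdict] = []
    for _, kind, ev in events:
        if kind == 0:
            policy.observe_answer(ev)
        else:
            verdicts.append(policy.decide(ev))
    return verdicts


if __name__ == "__main__":
    for v in run_scenario():
        print(f"{v.action:5} {v.qname or '-':18} {v.reason}")
```

The 10.0.0.6 lines show the outcome the message describes: under a 
default-drop policy the DoH client's connection to its resolver is itself 
dropped because nothing resolved 192.0.2.53, and even if that one address 
were statically allow-listed, every flow that follows it would still carry 
no name to correlate against and would be dropped too.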