Re: [Doh] Mozilla's plans re: DoH

<> Thu, 28 March 2019 09:04 UTC

From: <>
To: <>, <>
Thread-Topic: [Doh] Mozilla's plans re: DoH
Thread-Index: AQHU5LhCCdDO08my+0ygyUoIXX2xRKYgvFVA
Date: Thu, 28 Mar 2019 09:03:41 +0000
Message-ID: <LEJPR01MB0377830D1703F031E7C697B798590@LEJPR01MB0377.DEUPRD01.PROD.OUTLOOK.DE>
References: <> <> <>
In-Reply-To: <>
Accept-Language: de-DE, en-US
Content-Language: de-DE
Archived-At: <>
Subject: Re: [Doh] Mozilla's plans re: DoH
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Mar 2019 09:04:29 -0000


-----Original Message-----
From: Doh <> on behalf of Neil Cook
Sent: Wednesday, 27 March 2019 17:15
To: DoH WG <>
Subject: Re: [Doh] Mozilla's plans re: DoH

>> On 27 Mar 2019, at 09:24, Eric Rescorla <> wrote:
>> Now with the numbered lists correctly formatted:
>> I’ve heard a number of questions about Mozilla’s plans around DoH. 
>> We’ve made a number of public statements, but it might be useful to 
>> try to put this all in one place.
>> In context, the problem we are attempting to solve here is attack on 
>> the user’s name resolution from an attacker with full or partial 
>> control of the network, as contemplated by Section 3 of BCP 72 as well 
>> as BCP 188. There’s ample evidence of monitoring/manipulation of user 
>> traffic via this vector [0][1][2]. Importantly, this includes cases 
>> where the entity which owns the network infrastructure monitors and/or 
>> modifies DNS requests and responses without the user’s consent.
> But Mozilla doesn’t know whether the modification is with or without the user’s consent. As the various drafts that have been presented this week attempt to 
> make clear, there are a large number of use cases where users actively want the modification of their DNS (parental control, enterprise networks, 
> malware/phishing detection, botnet C&C communication disruption etc.), indeed they may even be paying for such a service.
That is a very valid assumption. And if they pay for the service, they also expect that the service will work and will not break if they install a new client (browser/app/...) on their end systems. In most cases they do not even know where a functionality is implemented, and they do not change default settings (which is fine, because "default" usually means that nothing will break). From my experience, a new default disabling an existing feature (malware/phishing protection, DNS64, load balancing, ...) will lead to problems.