Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
Ted Hardie <ted.ietf@gmail.com> Tue, 19 March 2019 17:45 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1DC91315DB; Tue, 19 Mar 2019 10:45:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PrX9LzcYgADG; Tue, 19 Mar 2019 10:45:28 -0700 (PDT)
Received: from mail-it1-x12c.google.com (mail-it1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 051971315D0; Tue, 19 Mar 2019 10:45:28 -0700 (PDT)
Received: by mail-it1-x12c.google.com with SMTP id m137so11754743ita.0; Tue, 19 Mar 2019 10:45:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zFLyusuK8RGhYEpisbgBBgmwYJWs+rwU0GHifuGc3eE=; b=OUGBtnSDFE3YwsemBaJ5bRHfq5sYrKpiPDWFVBtHOmzM27i5knYIknReMBkP1EkJUV Iypap6SuA/HfOC0ZiYhcUN9pBtdua3XM4cC1JccmPkkKfo+bf2B6CB4Oa9lpf1HY3rf7 o8VcLpvJNhh4CsALX6LiTM4KUpImJnB80NLtamRIoxfGZb713t/mJWuNv75Kv18NiHbK VqHyMaU9dzGtV4uMxEzrsWX4C049tDY6j6WO4d3DpT22m/gtCW8CetQa9+YwlVMMPs4M gQXnMK/mVAc9MyKNktCAkK1vpnYiTUr3cdAFHd9rxOU/803/RADCsadVkQfarajJnWzl Ph0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zFLyusuK8RGhYEpisbgBBgmwYJWs+rwU0GHifuGc3eE=; b=B6zCb8dluOfqWJmYKmfC2LYLUQr4sTBi+BfC08YLuRvBi1XA6q5xLdI4IwWwnf8PXj Sagx/WjN9DLMqp+iGrJQouyR8NMiU7Qb7aAP8nbg1rKJcPUFnJGtDRuYQb/7v8ZWbjnO /3aLw5QcEIKVLrhOOes3w44JVpz/VOLa8dleLXQ/VWnoToKC8wYlxdMPXAtMzqeM6is4 /qM5tcLfWk1HKhmOQos3QlmizcHUY3uUHLPcD6dTwfH2Ic1GVrqiI2eag+bwCOWwflQW 6gO9qQy0hxpLd+i/rSbSGL44OcziCGKti269C6otmYhP4j+psbFVc5SDDvIqVXkQjca4 HllA==
X-Gm-Message-State: APjAAAU9XC8OtGoi877lZ/vddpiIn5JnuqQUK1Ru038Seh33RBztaU4K hApiYkcJyuxL57OsTf4HabZx1MGCVo3IGyvXwBf+3lOR
X-Google-Smtp-Source: APXvYqzjakB5rQTbdwpN6g3gYHWSAwFqWhGnZg5Xp/Ict2LksDTzlgqtIUMFKkeJF4x2TutA3t9zZBmCm20cseEUFiQ=
X-Received: by 2002:a24:6bcd:: with SMTP id v196mr394576itc.96.1553017527152; Tue, 19 Mar 2019 10:45:27 -0700 (PDT)
MIME-Version: 1.0
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <1900056.F7IrilhNgi@linux-9daj> <CA+9kkMCgmzjbPM+DTUYuS3OsT+wOCmsyaGPg6fPu=w-ibL=NrA@mail.gmail.com> <CAAiTEH_umx5Xqa24TywQ_BX_Lpo6piwRWPLWhADkh-PnM20vcg@mail.gmail.com>
In-Reply-To: <CAAiTEH_umx5Xqa24TywQ_BX_Lpo6piwRWPLWhADkh-PnM20vcg@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Tue, 19 Mar 2019 10:44:59 -0700
Message-ID: <CA+9kkMBXgPHmLRV44Qen_xm1G+Xerb5WJ0JvL11U3XayVgTHfA@mail.gmail.com>
To: Matthew Pounsett <matt@conundrum.com>
Cc: Paul Vixie <paul@redbarn.org>, dnsop <dnsop@ietf.org>, DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000933ad0584761287"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/3ktH4MQN7sca3XHYdvuALsWE-VE>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 17:45:31 -0000
Hi Matt, Comments in-line. On Mon, Mar 18, 2019 at 5:50 PM Matthew Pounsett <matt@conundrum.com> wrote: > > > On Fri, 15 Mar 2019 at 14:37, Ted Hardie <ted.ietf@gmail.com> wrote: > >> >>> The past five years have not been the IETF seeking to become a king or >> king-maker. They have been spent responding to an attack while still >> building out the facilities of the network. I am glad to find you a ready >> participant now, as there is still work to be done. But I do not believe >> we have said that you may not have these facilities; the new methods simply >> mean you must have a relationship with the users and devices on your >> network sufficient to effect configuration to use them. An on-path >> adversary does not, but you do. Yes, that adds a step and some complexity, >> but dealing with a new class of attack was never likely to be free. >> > > This, again, conflates users with attackers. > > I'm going to take a stab at restating the positions of several people in > this thread, Paul included, because it really seems like the argument is > not understood. > > I have a relationship with my users and I can control the configuration of > their *known* applications. I do not have a relationship with the malware > author that is trying to steal their data, and cannot control the > configuration of that (unknown) application. By running DoT on my borders > and blocking all other DNS and DoT traffic, I can provide privacy for my > users while still preventing malware from doing its thing. > As I said to Paul, I don't think you can if your only defense is blocking DNS access. Coding a system to use a non-standard resolution protocol over TLS is relatively easy; all the malware needs is a specific target to start at. That target can be hard coded, derived from the output of a web search, or produced by the output of an algorithm resident in the malware and some system-available data (commonly the time). My apologies if I have misunderstood your point here, but unless you also block all traffic for which you have seen no resolution event, I believe that it is entirely possible to circumvent the defense you describe. > With DoH available at endpoints that my users want to reach using some > other application, > And this is the critique that is not of DoH as a protocol, but of a specific deployment possibility. You've seen the Quad9 folks point and the Chrome statement of their current deployment plans. The first said they will not deploy DNS resources and other web resources on commingled hosts. The second said that they will only use DoH after a probe reveals that it is available *at the already configured DNS service*. This is entirely in line with Section 3 of RFC 8484: A DoH client MUST NOT use a different URI simply because it was discovered outside of the client's configuration (such as through HTTP/2 server push) or because a server offers an unsolicited response that appears to be a valid answer to a DNS query. This specification does not extend DNS resolution privileges to URIs that are not recognized by the DoH client as configured URIs. Browsers do not have an incentive to permit random websites to poison their caches, so I strongly suspect that there will be no ability to pass a resolution done in JavaScript down into the browser cache; my experience during RTCWeb was that the browsers treated all downloaded JavaScript applications as potentially malign. > it is orders of magnitude more complex for me to block the malware while > still allowing my users to reach those endpoints. Phrased another way, a > DoH endpoint at the same IP address as a popular website gives malware the > ability to resolve names I was previously able to prevent. > In the RFC 8484 terms, this is a DoH server. For this threat to be real, there is an additional requirement: the DoH server at the popular website must also be trusted by the application as a source of DNS data. For the ones you configure, this remains in your control. For JavaScript applications within browsers, see above. So this is probably the case only for pure malware, which already has other circumventions available. > The only recourse I know of, if DoH is adopted, is to proxy all traffic > toward that example site (including requiring me to engage in a MitM > decryption attack on my users' web traffic) in order to continue to prevent > that malware from circumventing network security. And because I can't > predict which web sites will launch their own DoH endpoints, that means I > need to proxy (and decrypt) all web traffic in order to maintain the same > level of security I can today. > > Note that popular Web servers commingling DoH services should answer a DNS query probe, so you will be able to tell readily if any of them choose to do it. And, of course, you could respond by blocking the service rather than with MitM; I suspect some would. regards, Ted > Somewhere up-thread it was suggested that there are other reasonable steps > that a network/security operator can take to maintain the controls over > resolution that we have today, but so far I haven't seen them enumerated > anywhere. > > >
- [Doh] New I-D: draft-reid-doh-operator Jim Reid
- Re: [Doh] New I-D: draft-reid-doh-operator Warren Kumari
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] New I-D: draft-reid-doh-operator Stephane Bortzmeyer
- Re: [Doh] New I-D: draft-reid-doh-operator Stephane Bortzmeyer
- Re: [Doh] New I-D: draft-reid-doh-operator Stephane Bortzmeyer
- Re: [Doh] New I-D: draft-reid-doh-operator Jim Reid
- Re: [Doh] New I-D: draft-reid-doh-operator Ask Bjørn Hansen
- Re: [Doh] New I-D: draft-reid-doh-operator Livingood, Jason
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [Doh] New I-D: draft-reid-doh-operator Warren Kumari
- Re: [Doh] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [Doh] New I-D: draft-reid-doh-operator Jim Reid
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ted Hardie
- [Doh] GDPR and IETF protocols (Was: New I-D: draf… Stephane Bortzmeyer
- Re: [Doh] New I-D: draft-reid-doh-operator Stephane Bortzmeyer
- Re: [Doh] GDPR and IETF protocols Jim Reid
- Re: [Doh] New I-D: draft-reid-doh-operator Livingood, Jason
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Michael Sinatra
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Raymond Burkholder
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Raymond Burkholder
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-r… Winfield, Alister
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ralf Weber
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ted Lemon
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Christian Huitema
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Ted Hardie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Martin Thomson
- Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-r… Winfield, Alister
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Eric Rescorla
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Adam Roach
- Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-r… Christian Huitema
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator nalini elkins
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Joe Abley
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jacques Latour
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Adam Roach
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator 神明達哉
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jacques Latour
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jacques Latour
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Brian Dickson
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jim Reid
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Wes Hardaker
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Christian Huitema
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Vittorio Bertola
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Eric Rescorla
- Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-r… Winfield, Alister
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator sthaug
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Joe Abley
- Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-r… Winfield, Alister
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Joe Abley
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Eliot Lear
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Bill Woodcock
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Livingood, Jason
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Joe Abley
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Stephen Farrell
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Puneet Sood
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Richard Bennett
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Wes Hardaker
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Jared Mauch
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Matthew Pounsett
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Paul Vixie
- Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-r… Patrick McManus
- Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-r… Patrick McManus
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Vittorio Bertola
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Paul Wouters
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Olli Vanhoja
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Daniel Stenberg
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Mark Andrews
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Ian Swett
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… sthaug
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Valentin Gosu
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Eliot Lear
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Martin Thomson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Stephen Farrell
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Eliot Lear
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Patrick McManus
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Brian Dickson
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Ted Lemon
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Eliot Lear
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Tony Finch
- Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator Puneet Sood
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Tony Finch
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Ted Lemon
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Tony Finch
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Ted Lemon
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Petr Špaček
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… tirumal reddy
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… Paul Vixie
- Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-r… tirumal reddy