Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Jared Mauch <> Wed, 20 March 2019 20:33 UTC

From: Jared Mauch <>
Date: Wed, 20 Mar 2019 16:33:01 -0400
Cc: Ted Hardie <>, dnsop <>, DoH WG <>, Paul Vixie <>
To: Matthew Pounsett <>

It’s also about DLP and other related topics. There is a deep well here we keep tiptoeing around. Some things are mitigated by enterprise certificates and others are far more tricky. 

Doing this with DNS helps with that defense in depth. Removing that layer of defense will increase risks on one side while decreasing them on the other. 

You also have a hard time telling employees why you have a MITM box and it reduces your talent pool. 

People here may not worry about it but the insurance carriers for the businesses do. 

Sent from my iCar

> On Mar 20, 2019, at 4:08 PM, Matthew Pounsett <> wrote:
> I can't afford to probe every IP address on the planet on a regular basis, and dynamically modify my blocking based on that.  It's far, far less expensive to just automatically MitM all web traffic on my network, even though that is far more expensive than what I have to do today.