Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Olli Vanhoja <olli@zeit.co> Sun, 24 March 2019 23:19 UTC

References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk> <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com> <1C720263-10E4-423B-B152-5673E115A4C1@gmail.com> <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com> <128237212.13389.1553465639438@appsuite.open-xchange.com>
In-Reply-To: <128237212.13389.1553465639438@appsuite.open-xchange.com>
From: Olli Vanhoja <olli@zeit.co>
Date: Mon, 25 Mar 2019 00:18:58 +0100
Message-ID: <CABrJZ5Hskv1p5ju24gKQrW6odmG4EFmVFWk-xb09w2awp5tdnA@mail.gmail.com>
To: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Cc: Patrick McManus <mcmanus@ducksong.com>, dnsop <dnsop@ietf.org>, doh@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/8NIYzxAuSvnBSbuiuQHrI_UVa4g>
Subject: Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

On Sun, Mar 24, 2019 at 11:14 PM Vittorio Bertola
<vittorio.bertola=40open-xchange.com@dmarc.ietf.org> wrote:
>
> In today's "plain DNS" world, I choose a DNS resolver that provides that kind of filter for me, I set it up on my router, and my router pushes it to my smart TV via DHCP. What is the "existing configuration mechanism" that allows me to set this policy in the DoH world, i.e. if the TV came equipped with applications preconfigured to use their own remote resolver via DoH?
>
> As a minimum, I would have to open all the applications and configure them one by one to use my desired resolver, and repeat this for every device connected to my network - while in the current situation this is all automated after I configure the resolver once on my router. But applications like Firefox might completely refuse to use the resolver I want, advertised by my router on my behalf, because it does not support DoH, or it does but is not on their list of "trusted resolvers". And Javascript bits in the pages I visit might use DoH to pre-encoded servers without even offering me any configuration.
>

I think configuring every application, operating system, or platform
to do the filtering is the right way regardless of the existence of
DoH. I wouldn't trust that the opinion given by a DHCP server is what
will be really used by all clients. If you need to check that that's
what is really happening, wouldn't it require about the same effort to
configure the parental control features that are already provided by
many vendors? I also believe that's a much easier thing to do for the
average user.

If you really want a DIY solution, why don't you look into the actual
HTTP(S) traffic and SNIs?