Re: [Doh] [Ext] DOH bypassing protection mechanisms

Paul Hoffman <paul.hoffman@icann.org> Sun, 05 November 2017 19:31 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Eliot Lear <lear@cisco.com>
CC: "doh@ietf.org" <doh@ietf.org>
Thread-Topic: [Doh] [Ext] DOH bypassing protection mechanisms
Thread-Index: AQHTVlNGGJz6sewrrE6MDSqtCTxTIaMGsr2A
Date: Sun, 5 Nov 2017 19:31:14 +0000
Message-ID: <CE272411-48EE-4614-BD86-ABD5BBE32089@icann.org>
References: <78BA4BE2-1475-4F36-B735-FF6EAF0B594B@vpnc.org> <459AFD25-B3FB-4FD2-A688-2380CB0AC6D3@icann.org> <76b12c4d-dbd5-d5bb-9c68-6b36b280f0ae@cisco.com>
In-Reply-To: <76b12c4d-dbd5-d5bb-9c68-6b36b280f0ae@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/EHyzrtYvkEHZyfyZ1dpwlY3_FVw>
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>

On Nov 5, 2017, at 8:29 AM, Eliot Lear <lear@cisco.com> wrote:
> On 11/5/17 4:57 PM, Paul Hoffman wrote:
>> As to Eliot's main question: The policy to choose a DOH server is similar to the policy to choose a DNS resolver, it's just done in a different application. For the latter, the typical is "trust whatever DHCP tells you", but there are also commonly policies of "ignore DHCP, always use one of these". Both those policies could be mirrored in a browser for DOH.
>> 
> 
> That's the theory.  In reality, for the enterprise, you would be hard
> pressed to find examples in which the enterprise itself doesn't control
> where a query goes on a client (DHCP is not the only control function).

It sounds like the operational document might say something like "an enterprise that cares about which DNS resolver its users access needs to also make that policy in DOH-enabled web clients".

--Paul Hoffman
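An added example, not part of Paul's or Eliot's messages: one way an enterprise can express the second policy above ("ignore DHCP, always use one of these") in a DOH-enabled web client. It uses the Firefox enterprise policy file, policies.json, whose DNSOverHTTPS keys were introduced after this 2017 thread; the provider URL doh.corp.example and the internal zone corp.example are placeholders.

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "https://doh.corp.example/dns-query",
      "Locked": true,
      "ExcludedDomains": ["corp.example"]
    }
  }
}
```

Firefox reads policies.json from the distribution directory next to the browser binary (or from Group Policy / a configuration profile on Windows and macOS), and about:policies shows which policies are active and whether they are locked. "Locked": true is what makes this a policy rather than a default: the user cannot switch the browser to a public DOH resolver from the network settings. "ExcludedDomains" sends the listed internal zone to the system resolver instead, which matters for split-horizon names that the enterprise DOH server may not serve. The first policy Paul describes, "trust whatever the network tells you", is the same file with "Enabled": false and "Locked": true, which keeps the browser on the OS resolver that DHCP configured. Chrome's equivalents are the DnsOverHttpsMode ("off" or "secure") and DnsOverHttpsTemplates policies. The caveat a practitioner will want: such a policy binds only the browsers the enterprise manages; unmanaged clients and other DOH-capable applications are outside its reach and need their own controls.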