Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Adam Roach <> Tue, 19 March 2019 23:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1113F131192 for <>; Tue, 19 Mar 2019 16:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lNKk_leZdeid for <>; Tue, 19 Mar 2019 16:04:00 -0700 (PDT)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D409A13118B for <>; Tue, 19 Mar 2019 16:04:00 -0700 (PDT)
Received: from ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id x2JN3wAS084958 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 19 Mar 2019 18:04:00 -0500 (CDT) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1553036640; bh=uWpH1tzlTSA6Tp0iXrsW7+cnQ2F3uPmCABb1VDyAb6M=; h=Subject:To:References:From:Date:In-Reply-To; b=P4aEDn6ffoRKFLqXKgJSHgV3qM9fDkuQF0a22tyK8Jx0fk9yMRQ9aZtB9+JPLOk3f El+3MCKFtm24H1i+rPJg/xx3b/PAcVL4NsGMo0vLxZ8rRPMHFlsm8tFtPS8c8+WKQh duIJuKu1e1NI27Hr+hwqvmae7E7HOyOdeEgRbH54=
X-Authentication-Warning: Host [] claimed to be
To: Martin Thomson <>,
References: <> <1914607.BasjITR8KA@linux-9daj> <> <1900056.F7IrilhNgi@linux-9daj> <> <> <> <>
From: Adam Roach <>
Message-ID: <>
Date: Tue, 19 Mar 2019 18:03:52 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Mar 2019 23:04:03 -0000

On 3/19/19 3:33 PM, Martin Thomson wrote:
> I agree with Ted.
> On Wed, Mar 20, 2019, at 04:46, Ted Hardie wrote:
>> My apologies if I have misunderstood your point
>> here, but unless you also block all traffic for which you have seen no
>> resolution event, I believe that it is entirely possible to circumvent
>> the defense you describe.
> The problem with blocking packets that can't be traced to a resolution event is that you need to catch all the resolution events. DNS doesn't have a monopoly on address resolution - I mean, that's the whole point of this discussion, isn't it?

It's also pretty trivial to defeat: if I were malware that used DoH to 
resolve "cnc.horriblebotnet.example" to, I could then do a 
Do53 query for 
"", which 
triggers a valid resolution response for the IP address I want to get to 
and lets my traffic through.

Sure, you can block the entire "" tree, but it's not the only 
resolver that acts like this. You'll be playing a long game of whack-a-mole.