Re: [Doh] DOH and split DNS

Mark Nottingham <> Mon, 06 November 2017 00:13 UTC

From: Mark Nottingham <>
Date: Mon, 6 Nov 2017 11:13:19 +1100
To: Paul Hoffman <>
Subject: Re: [Doh] DOH and split DNS
List-Id: DNS Over HTTPS <>

If the user takes a positive step to configure a DOH server (e.g., in their browser), this is directly analogous to manually configuring an alternative DNS server -- except that the network can try to take active measures to block other DNS servers, and that's more difficult with DOH.

Regardless of that, once the user has done something to the configuration, it's reasonable to say that they've taken responsibility for the consequences of that action -- including the sudden disappearance of "internal" resources. Some careful wording around the configuration mechanism should help.

Allowing something like proxy.pac to override DOH doesn't make any sense, given that the primary purpose of DOH is to NOT allow the local network to impose policy on communication with the DNS server.


> On 6 Nov 2017, at 2:46 am, Paul Hoffman <> wrote:
> On 5 Nov 2017, at 0:30, Eliot Lear wrote:
>>  * Use of this mechanism can cause problems with split DNS, where the
>>    internal DNS is not the same as what is made available externally. 
>>    Many corporate networkers hide their internal topology from the
>>    external DNS.  If an end host queries an external DNS for an
>>    internal resource, the result would be NXDOMAIN.  To avoid this, at
>>    a minimum, the browser should have some configuration as to what is
>>    internal.  I conjecture that this would reflect what is commonly
>>    found in a proxy.pac file.

Mark Nottingham
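To make the split-DNS failure mode and the "configure what is internal" mitigation from the thread concrete, here is an added simulation that is not part of the thread or of any DoH implementation. It models two resolvers with constructed zone data (an external one standing in for the DoH server, which knows only public names, and the network-assigned internal one, which also knows the internal topology) and a client-side policy that sends names under configured internal suffixes to the internal resolver, with suffix matching modelled on proxy.pac's dnsDomainIs(). The hostnames, addresses and suffixes are constructed for illustration.

```python
"""Simulated split-DNS resolution policy for a DoH-capable client.

Added example; the zone tables, hostnames and addresses below are
constructed for illustration and are not real infrastructure.
"""
from dataclasses import dataclass

NXDOMAIN = None  # sentinel: the name does not exist at that resolver

# Constructed zone data. The external (DoH) resolver only knows public names;
# the internal resolver additionally knows names the enterprise does not publish.
EXTERNAL_ZONE = {"www.example.com": "203.0.113.10"}
INTERNAL_ZONE = {
    "www.example.com": "203.0.113.10",
    "wiki.corp.example": "10.0.0.5",  # visible only on the internal network
}


def _canonical(name):
    """Lower-case and strip a trailing dot so lookups are case-insensitive."""
    return name.lower().rstrip(".")


def resolve_external(name):
    """Stand-in for a query sent to the user-configured DoH server."""
    return EXTERNAL_ZONE.get(_canonical(name), NXDOMAIN)


def resolve_internal(name):
    """Stand-in for a query sent to the network-assigned resolver."""
    return INTERNAL_ZONE.get(_canonical(name), NXDOMAIN)


def dns_domain_is(host, domain):
    """Suffix match on label boundaries, in the spirit of proxy.pac's dnsDomainIs().

    'wiki.corp.example' matches 'corp.example' or '.corp.example', but
    'notcorp.example' must not match 'corp.example'.
    """
    host = _canonical(host)
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class SplitPolicy:
    """Client-side rule: names under an internal suffix bypass DoH."""
    internal_suffixes: list

    def choose(self, host):
        """Return 'internal' or 'doh' depending on the configured suffixes."""
        if any(dns_domain_is(host, s) for s in self.internal_suffixes):
            return "internal"
        return "doh"

    def resolve(self, host):
        """Resolve via the resolver selected by choose(); None means NXDOMAIN."""
        if self.choose(host) == "internal":
            return resolve_internal(host)
        return resolve_external(host)


if __name__ == "__main__":
    # DoH only, nothing configured as internal: the internal name vanishes.
    print("DoH only:", SplitPolicy([]).resolve("wiki.corp.example"))
    # With the suffix configured, the internal name resolves again while
    # public names still go to the DoH server.
    policy = SplitPolicy(["corp.example"])
    print("split:", policy.resolve("wiki.corp.example"), policy.resolve("www.example.com"))
```

The empty-suffix case reproduces the situation the thread describes: once every query goes to an external DoH server, a name that exists only in the internal zone gets NXDOMAIN. The suffix list is the browser-side configuration Eliot suggests; keeping the match on label boundaries matters, because a plain string suffix check would let an unrelated public name such as notcorp.example be routed to the internal resolver.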