Re: [Doh] [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

"Ralf Weber" <dns@fl1ger.de> Tue, 12 March 2019 16:10 UTC

From: "Ralf Weber" <dns@fl1ger.de>
To: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
Cc: "Neil Cook" <neil.cook@noware.co.uk>, doh@ietf.org, dnsop@ietf.org, "Ackermann, Michael" <mackermann@bcbsm.com>, "Christian Huitema" <huitema@huitema.net>, "nalini elkins" <nalini.elkins@e-dco.com>, dns-privacy@ietf.org, "Vittorio Bertola" <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Date: Tue, 12 Mar 2019 17:10:14 +0100
Message-ID: <4DFF5687-7C5C-4B36-85CE-B58325F0B8D7@fl1ger.de>
In-Reply-To: <20190312160141.ibnjtdt5myntwiwk@nic.fr>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <20190312153636.qdsdne24vmi4xdoe@nic.fr> <50BAF399-B95D-438B-B3FC-05A0159439E2@noware.co.uk> <20190312160141.ibnjtdt5myntwiwk@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/KnOKtLwCu5m41q7cSjxkmmkN7_M>

Moin!

On 12 Mar 2019, at 17:01, Stephane Bortzmeyer wrote:

> On Tue, Mar 12, 2019 at 04:55:11PM +0100,
>  Neil Cook <neil.cook@noware.co.uk> wrote
>  a message of 22 lines which said:
>
>> Actually many enterprises (particularly banks etc.) do not allow DNS 
>> resolution directly from employee endpoints.
>
> They block UDP/53, which is not the same thing.
Well, the DNS protocol has been defined on UDP and TCP port 53, so if you 
block this, you block DNS. If you add TCP/853 into the mix you block DNS 
over TLS, all of which is relatively easy for an enterprise to do.

> Malware or
> non-cooperating applications can do name resolution by other means. I
> still do not understand why people have a problem with DoH which did
> not already exist before with
> my-own-name-resolution-protocol-over-HTTPS.
Malware doing something specific to itself is different from an IETF 
standard and application providers taking this standard (DoH) to switch 
a basic internet function (name lookups) without the user's consent, 
which, due to using HTTPS/443, is harder for enterprises to block. It is 
a pretty clear difference.

So long
-Ralf
--
Ralf Weber
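The exchange above turns on one operational fact: a port-based egress policy catches classic DNS (UDP/TCP 53) and DoT (TCP 853) but cannot distinguish DoH from ordinary web traffic on TCP 443. The following is an added example, not code from the thread or from any of its participants, that runs such a policy over a handful of constructed flow records so the gap is visible. The enterprise resolver address, the list of well-known DoH hostnames, and the TLS SNI check on port 443 are all assumptions for illustration; the e-mail itself only discusses port blocking, and the SNI check is included to show what an enterprise typically adds next and where even that stops working.

```python
"""Port-based egress policy versus DoH.

Added example, not from the original e-mail thread. All flow records
below are constructed; the resolver address and DoH hostname list are
assumptions, not recommendations.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed address of the enterprise's own resolver; endpoints may only
# send DNS/DoT there.
ENTERPRISE_RESOLVER = "10.0.0.53"

# Assumed, deliberately short list of public DoH endpoints. Matching
# the TLS SNI against such a list is how an enterprise extends a
# port-only policy; the e-mail does not discuss this step.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass(frozen=True)
class Flow:
    proto: str                  # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None   # TLS server_name, if the flow is TLS


def port_policy(flow: Flow) -> str:
    """Classic enterprise rule: DNS (UDP/TCP 53) and DoT (TCP 853) are
    allowed only to the corporate resolver; everything else passes.
    Returns "allow" or "block:<reason>"."""
    if flow.dst_port == 53 and flow.proto in ("udp", "tcp"):
        return "allow" if flow.dst_ip == ENTERPRISE_RESOLVER else "block:dns53"
    if flow.dst_port == 853 and flow.proto == "tcp":
        return "allow" if flow.dst_ip == ENTERPRISE_RESOLVER else "block:dot853"
    return "allow"


def sni_policy(flow: Flow) -> str:
    """Port policy plus a hostname check on 443. DoH shares the port
    with ordinary HTTPS, so a port match alone never blocks it; the SNI
    check only catches servers the enterprise already knows about."""
    verdict = port_policy(flow)
    if verdict != "allow":
        return verdict
    if flow.dst_port == 443 and flow.sni and flow.sni.lower() in KNOWN_DOH_HOSTS:
        return "block:doh-sni"
    return "allow"


def evaluate(flows: List[Flow], policy) -> Dict[str, str]:
    """Map each flow to its verdict under the given policy."""
    return {f"{f.proto}/{f.dst_ip}:{f.dst_port}/{f.sni or '-'}": policy(f)
            for f in flows}


# Constructed sample flows (192.0.2.0/24 and 203.0.113.0/24 are
# documentation ranges, standing in for public resolvers and servers).
SAMPLE_FLOWS = [
    Flow("udp", ENTERPRISE_RESOLVER, 53),              # sanctioned DNS
    Flow("udp", "192.0.2.53", 53),                     # DNS to a public resolver
    Flow("tcp", "192.0.2.53", 853),                    # DoT to a public resolver
    Flow("tcp", "192.0.2.53", 443, "dns.google"),      # DoH to a well-known server
    Flow("tcp", "203.0.113.7", 443, "doh.example"),    # DoH to an unlisted server
    Flow("tcp", "203.0.113.80", 443, "www.example.com"),  # plain web traffic
]


def blocked_under(policy) -> List[str]:
    """Keys of the sample flows the policy blocks, in input order."""
    return [k for k, v in evaluate(SAMPLE_FLOWS, policy).items() if v != "allow"]


if __name__ == "__main__":
    for name, pol in (("port-only", port_policy), ("port+SNI", sni_policy)):
        print(f"--- {name} ---")
        for key, verdict in evaluate(SAMPLE_FLOWS, pol).items():
            print(f"{verdict:16} {key}")
```

Running it shows the shape of the argument: the port-only policy blocks the two flows to the public resolver on 53 and 853 and nothing else, so both DoH flows pass; adding the SNI list blocks the well-known DoH server but still passes the unlisted one, which is the sense in which DoH on 443 is harder for an enterprise to block than DNS or DoT.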