Re: [Doh] [Ext] DOH bypassing protection mechanisms

Adam Roach <adam@nostrum.com> Sun, 05 November 2017 19:49 UTC

To: Paul Hoffman <paul.hoffman@icann.org>, Eliot Lear <lear@cisco.com>
Cc: "doh@ietf.org" <doh@ietf.org>
References: <78BA4BE2-1475-4F36-B735-FF6EAF0B594B@vpnc.org> <459AFD25-B3FB-4FD2-A688-2380CB0AC6D3@icann.org> <76b12c4d-dbd5-d5bb-9c68-6b36b280f0ae@cisco.com> <CE272411-48EE-4614-BD86-ABD5BBE32089@icann.org>
From: Adam Roach <adam@nostrum.com>
Message-ID: <0208f6a7-f9a7-ade5-2eac-18de4d678116@nostrum.com>
Date: Sun, 5 Nov 2017 13:48:38 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/MCQdfjJELRhNJisqUrCse9R4KK0>

[as an individual]

On 11/5/17 1:31 PM, Paul Hoffman wrote:
> On Nov 5, 2017, at 8:29 AM, Eliot Lear <lear@cisco.com> wrote:
>> On 11/5/17 4:57 PM, Paul Hoffman wrote:
>>> As to Eliot's main question: The policy to choose a DOH server is similar to the policy to choose a DNS resolver, it's just done in a different application. For the latter, the typical is "trust whatever DHCP tells you", but there are also commonly policies of "ignore DHCP, always use one of these". Both those policies could be mirrored in a browser for DOH.
>>>
>> That's the theory.  In reality, for the enterprise, you would be hard pressed to find examples in which the enterprise itself doesn't control where a query goes on a client (DHCP is not the only control function).
> It sounds like the operational document might say something like "an enterprise that cares about which DNS resolver its users access needs to also make that policy in DOH-enabled web clients".

s/web clients/DNS clients/, right? I don't get the impression that the use cases are intended to be restricted to web browsers as clients.

/a