Re: [Doh] [Ext] DOH bypassing protection mechanisms

Paul Hoffman <paul.hoffman@icann.org> Sun, 05 November 2017 19:58 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Adam Roach <adam@nostrum.com>
CC: "doh@ietf.org" <doh@ietf.org>
Thread-Topic: [Doh] [Ext] DOH bypassing protection mechanisms
Thread-Index: AQHTVlNGGJz6sewrrE6MDSqtCTxTIaMGsr2AgAAE3gCAAALRgA==
Date: Sun, 05 Nov 2017 19:58:44 +0000
Message-ID: <B3A9EF7A-A81A-4134-A79B-CE71343B6D0A@icann.org>
References: <78BA4BE2-1475-4F36-B735-FF6EAF0B594B@vpnc.org> <459AFD25-B3FB-4FD2-A688-2380CB0AC6D3@icann.org> <76b12c4d-dbd5-d5bb-9c68-6b36b280f0ae@cisco.com> <CE272411-48EE-4614-BD86-ABD5BBE32089@icann.org> <0208f6a7-f9a7-ade5-2eac-18de4d678116@nostrum.com>
In-Reply-To: <0208f6a7-f9a7-ade5-2eac-18de4d678116@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C7A2E48141CBAF44942DC219D9210977@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/MLPeZQWHHG8ofNv8s0cU-Ek-IkU>
Subject: Re: [Doh] [Ext] DOH bypassing protection mechanisms
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Nov 2017 19:58:48 -0000

On Nov 5, 2017, at 11:48 AM, Adam Roach <adam@nostrum.com> wrote:
> 
> [as an individual]
> 
> On 11/5/17 1:31 PM, Paul Hoffman wrote:
>> On Nov 5, 2017, at 8:29 AM, Eliot Lear <lear@cisco.com> wrote:
>>> On 11/5/17 4:57 PM, Paul Hoffman wrote:
>>>> As to Eliot's main question: The policy to choose a DOH server is similar to the policy to choose a DNS resolver, it's just done in a different application. For the latter, the typical is "trust whatever DHCP tells you", but there are also commonly policies of "ignore DHCP, always use one of these". Both those policies could be mirrored in a browser for DOH.
>>>> 
>>> That's the theory.  In reality, for the enterprise, you would be hard
>>> pressed to find examples in which the enterprise itself doesn't control
>>> where a query goes on a client (DHCP is not the only control function).
>> It sounds like the operational document might say something like "an enterprise that cares about which DNS resolver its users access needs to also make that policy in DOH-enabled web clients".
> 
> s/web clients/DNS clients/, right?

Maybe?

> I don't get the impression that the use cases are intended to be restricted to web browsers as clients.

They are not restricted to web clients (I was careful not to say "browsers"), but I don't expect current DNS clients to add DOH capabilities any time in the near future. We have had approximately zero success in getting stub resolvers deployed with DNS-over-TLS (RFC 7858), and getting them to do that would be easier than DNS-encoded-in-HTTP-over-TLS. DNS clients are a use case listed in Section 3 of the draft, but not one that we've heard much interest in.

--Paul Hoffman

[Doh] DOH bypassing protection mechanisms Paul Hoffman
Re: [Doh] [Ext] DOH bypassing protection mechanis… Paul Hoffman
Re: [Doh] [Ext] DOH bypassing protection mechanis… Eliot Lear
Re: [Doh] [Ext] DOH bypassing protection mechanis… Paul Hoffman
Re: [Doh] [Ext] DOH bypassing protection mechanis… Adam Roach
Re: [Doh] [Ext] DOH bypassing protection mechanis… Paul Hoffman
Re: [Doh] [Ext] DOH bypassing protection mechanis… Eliot Lear
Re: [Doh] [Ext] DOH bypassing protection mechanis… Adam Roach