Re: [Doh] [Ext] DOH bypassing protection mechanisms

Paul Hoffman <paul.hoffman@icann.org> Sun, 05 November 2017 19:58 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A422713FCE5 for <doh@ietfa.amsl.com>; Sun, 5 Nov 2017 11:58:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgRUS_C1Qyh1 for <doh@ietfa.amsl.com>; Sun, 5 Nov 2017 11:58:46 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 809B713FB72 for <doh@ietf.org>; Sun, 5 Nov 2017 11:58:46 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sun, 5 Nov 2017 11:58:44 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Sun, 5 Nov 2017 11:58:44 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Adam Roach <adam@nostrum.com>
CC: "doh@ietf.org" <doh@ietf.org>
Thread-Topic: [Doh] [Ext] DOH bypassing protection mechanisms
Thread-Index: AQHTVlNGGJz6sewrrE6MDSqtCTxTIaMGsr2AgAAE3gCAAALRgA==
Date: Sun, 5 Nov 2017 19:58:44 +0000
Message-ID: <B3A9EF7A-A81A-4134-A79B-CE71343B6D0A@icann.org>
References: <78BA4BE2-1475-4F36-B735-FF6EAF0B594B@vpnc.org> <459AFD25-B3FB-4FD2-A688-2380CB0AC6D3@icann.org> <76b12c4d-dbd5-d5bb-9c68-6b36b280f0ae@cisco.com> <CE272411-48EE-4614-BD86-ABD5BBE32089@icann.org> <0208f6a7-f9a7-ade5-2eac-18de4d678116@nostrum.com>
In-Reply-To: <0208f6a7-f9a7-ade5-2eac-18de4d678116@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C7A2E48141CBAF44942DC219D9210977@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/MLPeZQWHHG8ofNv8s0cU-Ek-IkU>
Subject: Re: [Doh] [Ext] DOH bypassing protection mechanisms
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Nov 2017 19:58:48 -0000

On Nov 5, 2017, at 11:48 AM, Adam Roach <adam@nostrum.com> wrote:
> 
> [as an individual]
> 
> On 11/5/17 1:31 PM, Paul Hoffman wrote:
>> On Nov 5, 2017, at 8:29 AM, Eliot Lear <lear@cisco.com> wrote:
>>> On 11/5/17 4:57 PM, Paul Hoffman wrote:
>>>> As to Eliot's main question: The policy to choose a DOH server is similar to the policy to choose a DNS resolver, it's just done in a different application. For the latter, the typical is "trust whatever DHCP tells you", but there are also commonly policies of "ignore DHCP, always use one of these". Both those policies could be mirrored in a browser for DOH.
>>>> 
>>> That's the theory.  In reality, for the enterprise, you would be hard
>>> pressed to find examples in which the enterprise itself doesn't control
>>> where a query goes on a client (DHCP is not the only control function).
>> It sounds like the operational document might say something like "an enterprise that cares about which DNS resolver its users access needs to also make that policy in DOH-enabled web clients".
> 
> s/web clients/DNS clients/, right?

Maybe?

> I don't get the impression that the use cases are intended to be restricted to web browsers as clients.

They are not restricted to web clients (I was careful not to say "browsers"), but I don't expect current DNS clients to add DOH capabilities any time in the near future. We have had approximately zero success in getting stub resolvers deployed with DNS-over-TLS (RFC 7858), and getting them to do that would be easier than DNS-encoded-in-HTTP-over-TLS. DNS clients are a use case listed in Section 3 of the draft, but not one that we've heard much interest in.

--Paul Hoffman