Re: [Doh] operational issues with doh

tjw ietf <tjw.ietf@gmail.com> Sun, 05 November 2017 15:49 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39C7513FB1D for <doh@ietfa.amsl.com>; Sun, 5 Nov 2017 07:49:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ToAyHJq6JKt3 for <doh@ietfa.amsl.com>; Sun, 5 Nov 2017 07:48:58 -0800 (PST)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF8B213FA91 for <doh@ietf.org>; Sun, 5 Nov 2017 07:48:57 -0800 (PST)
Received: by mail-wm0-x22c.google.com with SMTP id y83so9662985wmc.4 for <doh@ietf.org>; Sun, 05 Nov 2017 07:48:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Fp5bIyZz2fxRu7thDD5aYRD8pBfcdkl/HBG1ts82X9E=; b=rjJgdHuN+8zKfWr5FVud42iF5WXbUn31yMbXIcTsKeQDbEQqK7cTIVHg65526nm0E+ QafydgXuApg1VrATR0aZ9ivOj4s7SAY3c531c78KYhBW30RGBDzvsFrECqnvxFy75mia wKmC8j/yERZ2JfS5vacdML/4GfWnyCtTA/WrdjkBQyAYRJinw38qWOLkpuRw4TjPSmkC btyawGZ52HwTjIlSsvMEpLIX45KEr9n7V5ChTULiKTU/h5ClcOZWqkMhOGCrfacVkt7W qMEbEczxP6pxYr65ttbvkUlgXwJwXeK9DJMOsiQIxTQ74dAoMo2ENnuXaH1l2XPbFrqy AZKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Fp5bIyZz2fxRu7thDD5aYRD8pBfcdkl/HBG1ts82X9E=; b=DwLJIRf8YK40UvTKL0ULIGw/S5tEmn/g1et23M4Ijvs4mm70L62zmUEXpNfohKCJ+9 bKiQXrNKRiGOdtj8+iCmHXbDdjosqsgy1/ZwYqmJM7DzYix/AH169ba/Ebeez8M2tOc0 OTBd+riemviz5k6FcLbIkWQWvy2r0gwsICKGTyx9FdZB6leN+ICAtdB3murZDhix47LF X1Z8eC4d7A1rgPo5c74d1Uz0/Eu67w+bXl1BrxSFmA7jKoR+az77srYknbci1spmrCdB 3rPHryd5Qka7URFyYSA2WZWK/5xhmLZWieKaxvz7XT61Be/190GaDsXAFQgoUmdgfO+D FH9Q==
X-Gm-Message-State: AJaThX6nBNK0R45XDFfYZFq9cRIK9PP09xuMICpBI1LcZERonu4ez/uy jNFfdHHzprNICRIijvvbdMxh/LIfboMd41CJLKLomw==
X-Google-Smtp-Source: ABhQp+R7cXCkIhv4bvLTVSJMSP4K2LRtTdIjElYZw3tbhWxajOIImlf88HASg/lfSCB2soi6zIMwwMZBDcQgDIvGiqY=
X-Received: by 10.28.100.212 with SMTP id y203mr3492270wmb.64.1509896936083; Sun, 05 Nov 2017 07:48:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.196.169 with HTTP; Sun, 5 Nov 2017 07:48:55 -0800 (PST)
In-Reply-To: <A0507661-1D71-4EF4-97F3-1C6188D3141A@vpnc.org>
References: <abe6593a-0bc9-9ed4-4ad4-c03093bcb490@cisco.com> <CAOdDvNoSONY2NkdzPYpSq=6sUWMo3Y3HJigWBWZpx9MDRcrr4Q@mail.gmail.com> <CADyWQ+H74a0ks3LTBgdYyCW2T98jDwGccKTEe6biOhA9SFrADg@mail.gmail.com> <CABkgnnWfrjf5tdP_dQSxfMR_2y53HfE6nmHvZMJKMRPhUsFUpQ@mail.gmail.com> <8f57526e-461d-2782-ae44-1087b3a4ed43@cisco.com> <A0507661-1D71-4EF4-97F3-1C6188D3141A@vpnc.org>
From: tjw ietf <tjw.ietf@gmail.com>
Date: Sun, 5 Nov 2017 10:48:55 -0500
Message-ID: <CADyWQ+EQ7NGfUGxoWARk8-kUKT1fGUHgnEyjac+9+mRmT7MhHg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: Eliot Lear <lear@cisco.com>, doh@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c0531c085d78e055d3e468a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/Ml8p-LyvIJ9ai_pkiz5ZsdvinfE>
Subject: Re: [Doh] operational issues with doh
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Nov 2017 15:49:00 -0000

in the case of detect and prevent access to known malware-infested
sites, could;n't DoH deploy an RPZ like mechanism?

On Sun, Nov 5, 2017 at 10:45 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> In order to make the conversations easier to follow, I'm going to split
> these out into separate threads.
>
> --Paul Hoffman
>
> On 5 Nov 2017, at 0:30, Eliot Lear wrote:
>
> There are several:
>>
>>   * Use of this mechanism can cause problems with split DNS, where the
>>     internal DNS is not the same as what is made available externally.
>>     Many corporate networkers hide their internal topology from the
>>     external DNS.  If an end host queries an external DNS for an
>>     internal resource, the result would be NXDOMAIN.  To avoid this, at
>>     a minimum, the browser should have some configuration as to what is
>>     internal.  I conjecture that this would reflect what is commonly
>>     found in a proxy.pac file.
>>   * When an HTTP server offers this service for domains it is not
>>     responsible for, it has the potential to impact DNS-based load
>>     balancing by masking the IP address of the sender and substituting
>>     its own.  The remedy here is that any service offering DoH should
>>     sufficiently distributed as to minimize such an impact.
>>   * Use of DoH will bypass protection mechanisms commonly used to
>>     efficiently detect and prevent access to known malware-infested
>>     sites.  There are two mitigation mechanisms available, but one is
>>     incomplete:  deployments make use of in-path blocking methods such
>>     as IP access lists.  This is partial because there is a
>>     performance/memory impact in doing so, and the query itself can
>>     indicate that the device itself is infected.  The other mitigation
>>     here is to have a configuration mechanism to turn on/off DoH in
>>     order to use the existing infrastructure.  This has the least impact
>>     on surrounding infrastructure (and takes the least text ;-).
>>
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>