Re: [Doh] operational issues with doh

tjw ietf <> Sun, 05 November 2017 15:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 39C7513FB1D for <>; Sun, 5 Nov 2017 07:49:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ToAyHJq6JKt3 for <>; Sun, 5 Nov 2017 07:48:58 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF8B213FA91 for <>; Sun, 5 Nov 2017 07:48:57 -0800 (PST)
Received: by with SMTP id y83so9662985wmc.4 for <>; Sun, 05 Nov 2017 07:48:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Fp5bIyZz2fxRu7thDD5aYRD8pBfcdkl/HBG1ts82X9E=; b=rjJgdHuN+8zKfWr5FVud42iF5WXbUn31yMbXIcTsKeQDbEQqK7cTIVHg65526nm0E+ QafydgXuApg1VrATR0aZ9ivOj4s7SAY3c531c78KYhBW30RGBDzvsFrECqnvxFy75mia wKmC8j/yERZ2JfS5vacdML/4GfWnyCtTA/WrdjkBQyAYRJinw38qWOLkpuRw4TjPSmkC btyawGZ52HwTjIlSsvMEpLIX45KEr9n7V5ChTULiKTU/h5ClcOZWqkMhOGCrfacVkt7W qMEbEczxP6pxYr65ttbvkUlgXwJwXeK9DJMOsiQIxTQ74dAoMo2ENnuXaH1l2XPbFrqy AZKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Fp5bIyZz2fxRu7thDD5aYRD8pBfcdkl/HBG1ts82X9E=; b=DwLJIRf8YK40UvTKL0ULIGw/S5tEmn/g1et23M4Ijvs4mm70L62zmUEXpNfohKCJ+9 bKiQXrNKRiGOdtj8+iCmHXbDdjosqsgy1/ZwYqmJM7DzYix/AH169ba/Ebeez8M2tOc0 OTBd+riemviz5k6FcLbIkWQWvy2r0gwsICKGTyx9FdZB6leN+ICAtdB3murZDhix47LF X1Z8eC4d7A1rgPo5c74d1Uz0/Eu67w+bXl1BrxSFmA7jKoR+az77srYknbci1spmrCdB 3rPHryd5Qka7URFyYSA2WZWK/5xhmLZWieKaxvz7XT61Be/190GaDsXAFQgoUmdgfO+D FH9Q==
X-Gm-Message-State: AJaThX6nBNK0R45XDFfYZFq9cRIK9PP09xuMICpBI1LcZERonu4ez/uy jNFfdHHzprNICRIijvvbdMxh/LIfboMd41CJLKLomw==
X-Google-Smtp-Source: ABhQp+R7cXCkIhv4bvLTVSJMSP4K2LRtTdIjElYZw3tbhWxajOIImlf88HASg/lfSCB2soi6zIMwwMZBDcQgDIvGiqY=
X-Received: by with SMTP id y203mr3492270wmb.64.1509896936083; Sun, 05 Nov 2017 07:48:56 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sun, 5 Nov 2017 07:48:55 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <>
From: tjw ietf <>
Date: Sun, 5 Nov 2017 10:48:55 -0500
Message-ID: <>
To: Paul Hoffman <>
Cc: Eliot Lear <>,
Content-Type: multipart/alternative; boundary="94eb2c0531c085d78e055d3e468a"
Archived-At: <>
Subject: Re: [Doh] operational issues with doh
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 05 Nov 2017 15:49:00 -0000

in the case of detect and prevent access to known malware-infested
sites, could;n't DoH deploy an RPZ like mechanism?

On Sun, Nov 5, 2017 at 10:45 AM, Paul Hoffman <> wrote:

> In order to make the conversations easier to follow, I'm going to split
> these out into separate threads.
> --Paul Hoffman
> On 5 Nov 2017, at 0:30, Eliot Lear wrote:
> There are several:
>>   * Use of this mechanism can cause problems with split DNS, where the
>>     internal DNS is not the same as what is made available externally.
>>     Many corporate networkers hide their internal topology from the
>>     external DNS.  If an end host queries an external DNS for an
>>     internal resource, the result would be NXDOMAIN.  To avoid this, at
>>     a minimum, the browser should have some configuration as to what is
>>     internal.  I conjecture that this would reflect what is commonly
>>     found in a proxy.pac file.
>>   * When an HTTP server offers this service for domains it is not
>>     responsible for, it has the potential to impact DNS-based load
>>     balancing by masking the IP address of the sender and substituting
>>     its own.  The remedy here is that any service offering DoH should
>>     sufficiently distributed as to minimize such an impact.
>>   * Use of DoH will bypass protection mechanisms commonly used to
>>     efficiently detect and prevent access to known malware-infested
>>     sites.  There are two mitigation mechanisms available, but one is
>>     incomplete:  deployments make use of in-path blocking methods such
>>     as IP access lists.  This is partial because there is a
>>     performance/memory impact in doing so, and the query itself can
>>     indicate that the device itself is infected.  The other mitigation
>>     here is to have a configuration mechanism to turn on/off DoH in
>>     order to use the existing infrastructure.  This has the least impact
>>     on surrounding infrastructure (and takes the least text ;-).
> _______________________________________________
> Doh mailing list