Re: [Doh] panel discussion on DoH/DoC

Shane Kerr <> Fri, 08 February 2019 08:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 338F91288BD for <>; Fri, 8 Feb 2019 00:26:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RCjjs8wNjvxf for <>; Fri, 8 Feb 2019 00:26:22 -0800 (PST)
Received: from ( [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 24E841286D8 for <>; Fri, 8 Feb 2019 00:26:21 -0800 (PST)
Received: from [2001:470:78c8:2:65fc:c318:cd2d:2bb1] by with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1gs1VV-0000DC-JY for; Fri, 08 Feb 2019 08:27:33 +0000
References: <> <> <> <> <> <> <> <> <>
From: Shane Kerr <>
Message-ID: <>
Date: Fri, 08 Feb 2019 09:26:18 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Doh] panel discussion on DoH/DoC
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Feb 2019 08:26:24 -0000


On 07/02/2019 16.33, Joseph Lorenzo Hall wrote:
> 3\. Software like browsers seem to want to have a list of DOH providers 
> that they can shuffle queries across in order to minimize the raw 
> quantity of queries any given DOH service sees from a given user. Right 
> now the big DOH services all have very very different privacy policies 
> and terms of service making such a list impossible as you'd be comparing 
> apples to oranges (e.g., one second you are talking to CF's 
> which a very strong privacy policy and the next minute you are talking 
> to Google's which has a much less strong privacy policy). How 
> should application developers decide which kind of DOH service to build 
> into their offerings? (My own organization, CDT, is going to start an 
> effort in a few months to try and bring DOH providers together to set 
> some baseline "rules of the road" for these kinds of services and we'd 
> love to work with others thinking about the "wild west" of DOH.)
> ----
> I'm about to go on leave for a bit (18-Feb up to Prague) but would love 
> to help think through what might make sense here. We did a project last 
> year with VPN providers where we sought to clarify some "rules of the 
> road", so to speak, and ended up basically with a standard questionnaire 
> that providers answered ( , 
> ).

My feeling is that we should avoid any design or recommendations 
involving multiple upstreams.

My reasoning is that I think that trying to direct queries to multiple 
resolvers is going to run the risk of leaking more information than 
protecting it more.

Certainly a naive approach of just sending to a random server won't 
work, as that basically insures that every resolver operator will see 
every user action pretty quickly.

Trying to isolate to specific user actions might make sense - for 
example send all the queries based on visiting a give web site to a 
single resolver operator. That involves some knowledge about what a 
session or other meaningful grouping of privacy is.

Really I tend to think that in the end we'll re-visit the same problems 
that Tor and other obfuscating overlay networks have tried to address, 
and likely end up with similar solutions. I don't think the DNS 
community understands enough about this to start designing protocols at 
the IETF today. Maybe the web community does, as they are (usually) 
closer to the end user?