Re: [Doh] Mozilla's plans re: DoH

[Neil Cook <neil.cook@noware.co.uk>]

> On 27 Mar 2019, at 09:24, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Now with the numbered lists correctly formatted:
> 
> I’ve heard a number of questions about Mozilla’s plans around
> DoH. We’ve made a number of public statements, but it might be useful
> to try to put this all in one place.
> 
> In context, the problem we are attempting to solve here is attack on
> the user’s name resolution from an attacker with full or partial
> control of the network, as contemplated by Section 3 of BCP 72 as well
> as BCP 188. There’s ample evidence of monitoring/manipulation of user
> traffic via this vector [0][1][2]. Importantly, this includes cases
> where the entity which owns the network infrastructure monitors and/or
> modifies DNS requests and responses without the user’s consent.
> 

But Mozilla doesn’t know whether the modification is with or without the user’s consent. As the various drafts that have been presented this week attempt to make clear, there are a large number of use cases where users actively want the modification of their DNS (parental control, enterprise networks, malware/phishing detection, botnet C&C communication disruption etc.), indeed they may even be paying for such a service.

So the Mozilla answer to possible DNS modification without user’s consent is to enable over-the-top DNS resolution for all users, using an opt-out model (how a normal user is supposed to understand what they’ve been opted into brings up all kinds of user consent issues itself), and sending all DNS requests to a third-party with whom the user almost certainly has no relationship, contractual or otherwise, and potentially located in a third-party country.

To summarise, in an attempt to deal with a possible (but essentially unknown) issue of user consent, Mozilla "would like to deploy it by default for our users.” 

All the above seems rich with irony and contradiction.

Neil