Re: [Doh] New Privacy Considerations Section Proposal

Howard Chu <hyc@symas.com> Thu, 21 June 2018 12:10 UTC

From: Howard Chu <hyc@symas.com>
To: Daniel Stenberg <daniel@haxx.se>
Cc: DoH WG <doh@ietf.org>
Message-ID: <edca3cc0-4493-0bc6-3787-d3d07d2c32e2@symas.com>
Date: Thu, 21 Jun 2018 13:10:22 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/UJLewlQYCViTtRqQPHmYnVs40dM>

Howard Chu wrote:
> Daniel Stenberg wrote:
>> On Thu, 21 Jun 2018, Howard Chu wrote:
>>
>>> that particular DNS/DoH server is unlikely to be serving any interesting 
>>> web pages for any clients. As such, the frequency of intermingled 
>>> connections should be low-to-zero.
>>
>> That's a rather pessimistic view of the DoH future.
> 
> It's a realistic view of devices coming preconfigured to use e.g. Google's DNS 
> servers.
> 
>> I think it is likely that some DoH server operators will be companies with 
>> distributed presence so that they can offer proximity to users; CDNs and the 
>> likes. CDNs also host web sites. They should thus be perfect candidates for 
>> serving both web content and DoH requests over the same connections. 
>> Especially in combination with the ORIGIN frame etc.
> 
> Those companies may indeed arise, but the vast majority of users will never 
> change their default DNS settings to point to them.

An additional point - it's been easy enough to launch DDoS attacks against 
dedicated DNS infrastructure in the past. If you combine DNS traffic and real 
HTTP traffic in the same server, it will become even easier to overload these 
servers and knock out DNS service.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/