Re: [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients

Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 12 March 2019 15:36 UTC

Date: Tue, 12 Mar 2019 16:36:36 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: nalini elkins <nalini.elkins@e-dco.com>
Cc: Christian Huitema <huitema@huitema.net>, doh@ietf.org, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, dnsop@ietf.org, dns-privacy@ietf.org, "Ackermann, Michael" <mackermann@bcbsm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20190312153636.qdsdne24vmi4xdoe@nic.fr>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com>
X-Operating-System: Debian GNU/Linux 9.8
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/V35DCVqz7ioFIXjkFHFGREmgtOU>
Subject: Re: [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients

On Mon, Mar 11, 2019 at 08:55:18AM +0530,
 nalini elkins <nalini.elkins@e-dco.com> wrote 
 a message of 202 lines which said:

> The questions that the Fortune 50 company architect asked were something
> like this:
> 
> 1. You mean that DNS could be resolved outside my enterprise?

I suggest explaining to this person that it was possible before, as
any malware author discovered.

> 2. So whoever that is that resolves my DNS sees the pattern and frequency
> of what sites my company goes to?

RFC 7626 :-)

> It would be good to also discuss how to warn enterprises that this
> is about to happen.  I wonder if an announcement via CERT or another
> group may be appropriate.

If the people responsible for the networks of a Fortune 50 company don't know
that it is difficult to stop unwanted communication (except when you
control all the endpoints, or when you airgap your network), then it
is indeed a problem :-)
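The second question in the thread (whoever resolves my DNS sees the pattern and frequency of the sites my company visits, the concern RFC 7626 describes) is easy to make concrete from the resolver operator's side. The following script is an added example written for this archive page, not code from the thread or from any resolver: it takes a constructed query log in a simplified `<timestamp> <client> <qname> <qtype>` format (not any real server's log format; the addresses and names are documentation values) and shows how little work it takes to turn it into a per-client profile of visited domains, query counts and active time window. The same profile is available to any third-party DoH resolver that a client has been pointed at.

```python
"""What a recursive resolver operator can reconstruct from its query log.

Constructed resolver log lines in a simplified "<timestamp> <client> <qname> <qtype>"
format (not a real server's log format) are parsed and aggregated per client,
giving the "pattern and frequency" of sites that RFC 7626 discusses.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: two enterprise clients, queries over a few minutes.
SAMPLE_LOG = """\
2019-03-12T15:30:01Z 192.0.2.10 www.example.com. A
2019-03-12T15:30:01Z 192.0.2.10 www.example.com. AAAA
2019-03-12T15:30:02Z 192.0.2.10 cdn.example.net. A
2019-03-12T15:31:15Z 192.0.2.10 www.example.com. A
2019-03-12T15:32:40Z 192.0.2.10 mail.example.org. A
2019-03-12T15:33:05Z 192.0.2.11 www.example.com. A
2019-03-12T15:33:06Z 192.0.2.11 partner-portal.example.org. A
2019-03-12T15:34:30Z 192.0.2.10 www.example.com. A
"""


def registrable_domain(qname):
    """Collapse a query name to its last two labels.

    Simplification for illustration only: a real implementation would consult
    the Public Suffix List so that names under e.g. co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3]


def profile_clients(text):
    """Per client: domain frequency, total queries, and first/last seen."""
    profiles = defaultdict(
        lambda: {"domains": Counter(), "queries": 0, "first": None, "last": None}
    )
    for ts, client, qname, _qtype in parse_log(text):
        p = profiles[client]
        p["domains"][registrable_domain(qname)] += 1
        p["queries"] += 1
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return dict(profiles)


def top_domains(profile, n=3):
    """Most frequently queried registrable domains for one client."""
    return profile["domains"].most_common(n)


if __name__ == "__main__":
    for client, p in sorted(profile_clients(SAMPLE_LOG).items()):
        span = (p["last"] - p["first"]).total_seconds()
        print(f"{client}: {p['queries']} queries over {span:.0f}s; top: {top_domains(p)}")
```

Running it prints one line per client with its query count, active window and most-queried domains; the point for the enterprise architect in the thread is that nothing more than a plain log is needed for this, whichever party operates the resolver.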