Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Eliot Lear <> Tue, 19 March 2019 18:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2CF3C13151C; Tue, 19 Mar 2019 11:45:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id f4ww3Jn7PmzI; Tue, 19 Mar 2019 11:45:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 96E4213150E; Tue, 19 Mar 2019 11:44:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=11405; q=dns/txt; s=iport; t=1553021099; x=1554230699; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=EcpDzdEj4cU8uRg/C4AzRt4KX85wmqcAaGQFVE3WNi4=; b=EJpJVlEv3WzteF14ZginoKH/paJFykjevIOIkEQ/kZt+pCPbADnnVPh+ J3o7Tb6LSjvJ20MhN9kaKpVB6ShlxqHj2fwyJJRx+WamjHTpN72rhx5/x NCJRr1FE/1RUBpaA5xRqgVG5BzuntwlBmbejz9OtLhL/DysAZTCfvGW6Y Y=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.60,245,1549929600"; d="asc'?scan'208,217";a="10783822"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 19 Mar 2019 18:44:57 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id x2JIiup4016477 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 19 Mar 2019 18:44:56 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_22B7570F-9E40-4A48-9C22-AEDFB6AAE3FA"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 19 Mar 2019 19:44:55 +0100
In-Reply-To: <>
Cc: Matthew Pounsett <>, Ted Hardie <>, DoH WG <>, Paul Vixie <>, dnsop <>
To: Christian Huitema <>
References: <> <1914607.BasjITR8KA@linux-9daj> <> <1900056.F7IrilhNgi@linux-9daj> <> <> <> <>
X-Mailer: Apple Mail (2.3445.102.3)
X-Outbound-SMTP-Client:, []
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Mar 2019 18:45:03 -0000

Hi Christian,

> On 19 Mar 2019, at 18:37, Christian Huitema <> wrote:
> On 3/19/2019 12:50 AM, Eliot Lear wrote:
>>> On 19 Mar 2019, at 01:50, Matthew Pounsett < <>> wrote:
>>> Somewhere up-thread it was suggested that there are other reasonable steps that a network/security operator can take to maintain the controls over resolution that we have today, but so far I haven't seen them enumerated anywhere.
>> I had stated that one can use an MDM to manage the endpoint’s use of DoH.  This doesn’t eliminate the possibility of malware, but does reduce misconfiguration in the enterprise, and provides for some protection against infection by blocking known bad names.
> Configuration works well for functions like "phishing protection": the device users in most cases want some form of protection, and then it is a matter of how this protection is configured. It does not work so well for functions like intrusion detection, such as figuring out whether a device is trying to contact a botnet C&C, because we cannot expect the infected device to be amenable to configuration.


> Third party DNS/DoH providers could probably block resolution of phishing names or  botnet C&C names using the same methods as enterprises do today, but the enterprise network will not be informed that one of its devices just tried to contact a botnet C&C. It would be very nice if the IETF standardized a way to do that.

I don’t see why they wouldn’t, and I could easily envision them being obliged to do so in the future.

>> In addition, there’s at least a heuristic for detection: compare data plane activity against ANSWERs.  If you’re seeing activity to addresses that don’t match (modulo some noise), you know an alternate resolver is active on that device.  And while it’s possible for malware to mimic queries to Do53 for Good sites versus what it really wants to access, you start tarnishing the rep of the IP address as and when you detect the problem through other means (AV s/w, honey pots, binary inspection, et al).  That leaves it with cloud providers to sort their wagons.
> Yes, one could imagine IP address or IP prefix reputation systems, similar to the IP address block lists used to protect against spam. This would work, and it would also provide intrusion detection signals when an infected device starts contacting a botnet. The problem of course is the gray line between "blocking phishing sites" and "blocking content that I disagree with". The various attempts to block the whole of Wikipedia in order to block some specific pages shows where this can lead.

In the enterprise this is not a problem.  In the consumer space, it is a big problem.  This goes back to the fundamental issue of whether or not the user has given meaningful consent and what happens when they do not.  We should be at least mindful of the game of Chicken being played here with governments.  Lessig’s Law is bounded by the fact that governments have a lot more guns than most of us do (with some notable and amusing exceptions).  The point of my message was not to go into this discussion, however, but to talk about what is possible, rather than what is necessarily desirable.

The sharing of threat intel is something that could be reasonably governed by contract in this scenario.  Think about that a bit.