Re: [Doh] New: draft-livingood-doh-implementation-risks-issues

"Ralf Weber" <> Sat, 09 March 2019 21:58 UTC

From: "Ralf Weber" <>
To: "Stephane Bortzmeyer" <>
Cc: "Livingood, Jason" <>, "DoH WG" <>
Date: Sat, 09 Mar 2019 22:57:53 +0100


On 9 Mar 2019, at 19:28, Stephane Bortzmeyer wrote:
>> Network operators, ranging from ISPs to enterprises, schools, and
>> others work hard to provide outstanding DNS and network performance,
> Nice but clearly false. One of the reasons why many users switch to
> public DNS resolvers is because many local networks and ISPs do a lousy
> job (especially in some parts of the world). Not to mention those who
> simply announce through DHCP...
While it is true that there are ISPs that give you as a resolver
there are also a lot of ISPs that invest in their DNS service and offer
a service that (due to the network nature) is better than what a public
resolver can provide. So stating this as false also clearly is false.

It is as in most service-oriented businesses: you have good ones and you
have bad ones; to simplify does not work here.

>> In addition, most also provide DNS-based services such as opt-in
>> parental controls for consumers or malware/security protection in
>> enterprises, content filtering in schools, etc.
> "most"? I doubt it. Source?
It depends on the region, but e.g. in the UK all of the big providers
offer such a service. Also, working for a company (Nominum, now part of
Akamai) that builds software for such DNS-based services, I can tell you
that we sold the software around the world and we are not the only
company in that space.

>> The Dyn attack provides a vivid illustration of how DNS
>> infrastructure vulnerabilities - and DNS space concentration - can
>> wreak havoc on the stability of the Internet."
> Is it really relevant, since it was an attack on authoritative DNS
> servers? Having lot of local resolvers would not have changed its
> consequences.
Well, given that as a result of it a lot of work has been done to use
resolvers to protect against such an authoritative outage, e.g.
so it certainly is relevant for the next attack.

>> DNS blocklists, which are one of the primary and most effective ways
>> to protect a network and its users against malware, phishing, spam,
>> DDoS attacks, etc.
> Can you explain how a blocklist on the DNS resolver protects against
> spam and dDoS?
Easy. Spam is often sent by bots. DNS resolvers can, e.g., block or
redirect MX lookups, or stop the communication of the bots with their
masters by blocking the C&C domain.

I have seen networks coming off spam lists just by deploying these

>> Disruption of Legally-Mandated National-Level DNS Blocks
> I think it is a feature of DoH, not a bug. In Europe, for instance,
> many users switch to public DNS resolvers precisely to be able to
> bypass the lying resolver.
Well, again, not sure how you quantify many, but those users and even
more so these public resolver service providers, who usually also
do business in these countries, are breaking the law. I never
understood why this has no consequences for them, while when I
worked at a European multinational ISP we had to deliver the
mandated blocks per country of the user and not of the server
for the anycast network we had, which often served users out
of country.

>> This document makes the following recommendations
> The most important is missing: help developers to create DoH servers
> that can be easily installed and managed so, instead of a few DoH
> providers, we can have many of them. (Currently, there is no easy way
> to download and install a DoH server.)
There is some server or proxy software out there already, and I know
there are others working on it. But to deploy it you need money and
a business case, and I cannot find a primary business case to run
a DoH server. There are secondary business cases like delivering fast
Internet for the ISPs, gathering more user data for ad networks, or
better mapping users for CDNs. But the relative cost to different
players is different, as for example ISPs would have to scale up
significantly from their current DNS service to deliver DoH,
while for ad networks or CDNs the additional cost for the DNS
service is low.

I think the only way to get lots of DoH providers is to help the
ISPs to do it as they are the natural decentralised player on the

So long
Ralf Weber
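The two resolver-side controls discussed in the message above, a DNS blocklist that blocks C&C domains and MX lookups from non-mail hosts, and blocks that apply per country of the user rather than of the (anycast) server, as an added example that is not part of the original mail or of any product mentioned in it. All domain names, address ranges and policy groups are constructed for illustration; the matching follows the RPZ convention of a blocklist entry covering the name and all of its subdomains.

```python
"""Resolver-side DNS policy evaluation (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterator, List, Optional


@dataclass(frozen=True)
class Verdict:
    action: str                    # "PASS", "NXDOMAIN" or "REDIRECT"
    reason: str = ""
    target: Optional[str] = None   # walled-garden name for REDIRECT

# --- constructed sample policy data; every name and prefix is hypothetical ---
WALLED_GARDEN = "blockpage.isp.example"

# Blocklists keyed by policy group. An entry matches the name and every subdomain.
BLOCKLISTS = {
    "malware":  {"cnc.example.net": "NXDOMAIN", "botnet-panel.example.org": "NXDOMAIN"},
    "parental": {"adult-site.example.com": "REDIRECT"},
    "fr":       {"blocked-in-fr.example": "REDIRECT"},   # mandated for French users
    "de":       {"blocked-in-de.example": "REDIRECT"},   # mandated for German users
}

# Policy groups are chosen from the client address, not from the server location:
# network-wide groups, opt-in groups per subscriber range, and the client's country.
NETWORK_GROUPS = ["malware"]
OPT_IN_GROUPS = {ip_network("198.51.100.128/25"): ["parental"]}
CLIENT_COUNTRY = [(ip_network("198.51.100.0/24"), "fr"),
                  (ip_network("203.0.113.0/24"), "de")]

# Only the ISP's own mail relays have a reason to issue MX queries; a subscriber
# host resolving MX records is typically a spam bot delivering directly.
MAIL_RELAYS = [ip_network("192.0.2.0/28")]


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing dot of an FQDN."""
    return qname.lower().rstrip(".")


def candidate_names(qname: str) -> Iterator[str]:
    """Yield the query name and each of its parent domains, most specific first."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def groups_for(client_ip: str) -> List[str]:
    """Policy groups that apply to this client, derived from its address."""
    addr = ip_address(client_ip)
    groups = list(NETWORK_GROUPS)
    for net, extra in OPT_IN_GROUPS.items():
        if addr in net:
            groups.extend(extra)
    for net, country in CLIENT_COUNTRY:
        if addr in net:
            groups.append(country)
    return groups


def evaluate(qname: str, qtype: str, client_ip: str) -> Verdict:
    """Decide how the resolver answers (qname, qtype) for the given client."""
    addr = ip_address(client_ip)
    # Rule 1: MX lookups are answered only for the mail relays.
    if qtype.upper() == "MX" and not any(addr in net for net in MAIL_RELAYS):
        return Verdict("NXDOMAIN", reason="mx-lookup-from-non-relay")
    # Rule 2: name-based blocklists, groups in order, most specific name first.
    for group in groups_for(client_ip):
        table = BLOCKLISTS[group]
        for name in candidate_names(qname):
            action = table.get(name)
            if action is not None:
                target = WALLED_GARDEN if action == "REDIRECT" else None
                return Verdict(action, reason=f"{group}:{name}", target=target)
    return Verdict("PASS")


if __name__ == "__main__":
    for q in [("www.cnc.example.net.", "A", "198.51.100.7"),
              ("mail.example.com", "MX", "198.51.100.7"),
              ("blocked-in-fr.example", "A", "198.51.100.7"),
              ("blocked-in-fr.example", "A", "203.0.113.9")]:
        print(q, "->", evaluate(*q))
```

The per-client country lookup is what makes the anycast point in the mail concrete: the same resolver node answers the same query differently for a French and a German subscriber, and the server's own location never enters the decision. A real deployment would source the country from the subscriber database rather than a static prefix table, and would log the `reason` field so that blocked queries can be audited.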