Re: [Doh] New: draft-livingood-doh-implementation-risks-issues

Stephane Bortzmeyer <> Sun, 10 March 2019 07:36 UTC

Date: Sun, 10 Mar 2019 08:33:06 +0100
From: Stephane Bortzmeyer <>
To: Ralf Weber <>
Cc: Stephane Bortzmeyer <>, "Livingood, Jason" <>, DoH WG <>

On Sat, Mar 09, 2019 at 10:57:53PM +0100,
 Ralf Weber <> wrote 
 a message of 93 lines which said:

> > > Network operators, ranging from ISPs to enterprises, schools,
> > > and others work hard to provide outstanding DNS and network
> > > performance,
> >
> > Nice but clearly false. One of the reasons why many users switch
> > to public DNS resolvers is because many local networks and ISPs do
> > a lousy job (especially in some parts of the world). Not to mention
> > those who simply announce through DHCP...
> While it is true that there are ISPs that give you as a
> resolver there are also a lot of ISPs that invest in their DNS
> service and offer a service that (due to the network nature) is
> better than what a public resolver can provide. So stating this as
> false also clearly is false.

I never said that "_all_ ISPs are this or that". The draft
did. Sometimes, the service provided by the public resolver is better,
sometimes it is not. Saying that all ISPs "work hard to provide
outstanding DNS" is simply advertisement.

> > Can you explain how a blocklist on the DNS resolver protects against
> > spam and dDoS?
> Easy. Spam is often sent by bots. DNS resolvers that e.g. block or
> redirect MX lookups or stop the communication of the bots with their
> masters by blocking the C&C domain.

OK. It does not protect you against spam, it protects other users
against the spam you send. That's quite different. If the "regular"
DNS resolver blocks C&C, spam-sending bots won't use it and will switch
to other systems: alternative name resolution systems or simply
DNS-over-something (I agree here with Warren Kumari

> those users and even more so these public resolver service
> providers, who usually also do business in these countries, are
> breaking the law.

You are not a lawyer and neither am I, but I think it is more
complicated. At least in France, but probably in many other countries,
legal rulings by courts are to be enforced only by organisations which
have been named in the rulings. Most of them don't name Google Public
DNS or Cloudflare or Yandex DNS. For the censorship which does
not go through courts, such as the blacklist of the government in
France, the list is not public and therefore public DNS resolvers
cannot follow it, even if they want to (at least one not-for-profit
organisation explicitly asked for this list and was denied). So, no, I
don't think they are breaking the law (yes, IANAL, but nobody here is).

> There is some server or proxy software out there already,

I know, I wrote one. But most of them are experimental, hard to
install, not something that you can install as easily as an HTTP server
or a regular DNS resolver.

> But to deploy it you need money and a business case, and I can not
> find a primary business case to run a DoH server.

The will to provide an alternative? In France, at least two
not-for-profit organisations operate a public DNS resolver precisely
for that. There is not only business in life.

> I think the only way to get lots of DoH providers is to help the
> ISPs to do it as they are the natural decentralised player on the
> internet.

Clearly, we disagree here, but it seems more a political disagreement
than a technical issue with the protocol of this WG.