Re: [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients

"Yishai Beeri (yishaib)" <yishaib@cisco.com> Tue, 12 March 2019 20:30 UTC

From: "Yishai Beeri (yishaib)" <yishaib@cisco.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Tue, 12 Mar 2019 20:30:03 +0000
Message-ID: <0B8BC769-EB92-473B-9C56-82CD489EFE8E@cisco.com>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <20190312153636.qdsdne24vmi4xdoe@nic.fr> <50BAF399-B95D-438B-B3FC-05A0159439E2@noware.co.uk> <20190312160141.ibnjtdt5myntwiwk@nic.fr>
In-Reply-To: <20190312160141.ibnjtdt5myntwiwk@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/dtjFoWizCUjBeUJOytA0r2-mcE0>
Subject: Re: [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients


On 12/03/2019, 20:37, "Doh on behalf of Stephane Bortzmeyer" <doh-bounces@ietf.org on behalf of bortzmeyer@nic.fr> wrote:

    On Tue, Mar 12, 2019 at 04:55:11PM +0100,
     Neil Cook <neil.cook@noware.co.uk> wrote 
     a message of 22 lines which said:
    
    > Actually many enterprises (particularly banks etc.) do not allow DNS resolution directly from employee endpoints.
    
    They block UDP/53, which is not the same thing. Malware or
    non-cooperating applications can do name resolution by other means. I
    still do not understand why people have a problem with DoH which did
    not already exist before with
    my-own-name-resolution-protocol-over-HTTPS.
    
It is common practice for Malware operators to use bona fide DNS infrastructure (including resolvers) to communicate with the malware application. One useful example is DGAs [1]. This practice is cheaper and more robust for Malware operators than setting up their own DNS resolver service, not to mention implementing a proprietary protocol. It also helps isolate the malware operator from the malware as these communications all happen through legit services (all the malware operator has to do to trigger the resident malware is to register a domain).

DoH, and specifically the (intended) inability to distinguish DoH from other traffic, makes this practice much harder to detect and to block - which is why this is a problem that did not already exist before.

[1] https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/

Yishai
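The detection the post refers to depends on seeing the names clients ask the resolver to look up. As an added illustration (not code from the thread or from any of its participants), the script below runs a simple DGA heuristic over constructed resolver query-log lines: it scores the registrable label of each query name on character entropy, consonant runs and digit mix, then flags clients that combine several random-looking lookups with a high NXDOMAIN ratio (most names a DGA generates are never registered). The log format, the thresholds and the sample lines are all assumptions made for the example. The point the post makes is visible in the design: every feature here is computed from resolver-side logs, so once the lookups travel inside ordinary HTTPS to an outside DoH server, this logic has nothing to run on unless it is moved to the endpoint or to a DoH server the enterprise controls.

```python
"""Flag DGA-like lookups in resolver query logs (added example, not from the post).

Assumed log format (constructed): "<timestamp> <client-ip> <qname> <rcode>".
Thresholds below are illustrative and would be tuned against a real baseline.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample: one client browsing normally, one client issuing a burst
# of random-looking names, most of which do not resolve (NXDOMAIN).
SAMPLE_LOG = """\
2019-03-12T20:30:01Z 10.0.0.5 www.example.com NOERROR
2019-03-12T20:30:02Z 10.0.0.5 mail.example.com NOERROR
2019-03-12T20:30:03Z 10.0.0.5 umbrella.cisco.com NOERROR
2019-03-12T20:30:04Z 10.0.0.9 qpwxzkrtvbmn.com NXDOMAIN
2019-03-12T20:30:04Z 10.0.0.9 h7g2k9x4p1ws.net NXDOMAIN
2019-03-12T20:30:05Z 10.0.0.9 zxcvbnmqwert.org NXDOMAIN
2019-03-12T20:30:05Z 10.0.0.9 lkjhgfdsapoi.com NXDOMAIN
2019-03-12T20:30:06Z 10.0.0.9 tr8b3n5v9z2q.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m.group(1), "client": m.group(2),
                            "qname": m.group(3).rstrip(".").lower(), "rcode": m.group(4)})
    return records


def registrable_label(qname):
    """Label left of the TLD. Naive single-label-TLD assumption; a real tool would use the Public Suffix List."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character; 12 distinct characters give log2(12) ~ 3.58."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Length of the longest run of consonants (digits and vowels, y included, break the run)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def label_score(label):
    """Heuristic score 0..3: high entropy, long consonant run, digits mixed into letters."""
    score = 0
    if shannon_entropy(label) >= 3.3:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    digits = sum(ch.isdigit() for ch in label)
    if digits and digits / len(label) >= 0.25:
        score += 1
    return score


def client_summary(records, label_threshold=2):
    """Per client: query count, NXDOMAIN count, number of DGA-like names and the names themselves."""
    by_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "dga_like": 0, "names": []})
    for r in records:
        s = by_client[r["client"]]
        s["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        if label_score(registrable_label(r["qname"])) >= label_threshold:
            s["dga_like"] += 1
            s["names"].append(r["qname"])
    return dict(by_client)


def flag_clients(summary, min_dga_like=3, min_nxdomain_ratio=0.5):
    """Clients with several DGA-like lookups AND a high NXDOMAIN ratio, sorted for stable output."""
    flagged = []
    for client, s in summary.items():
        ratio = s["nxdomain"] / s["queries"] if s["queries"] else 0.0
        if s["dga_like"] >= min_dga_like and ratio >= min_nxdomain_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    summary = client_summary(parse_log(SAMPLE_LOG))
    for client in flag_clients(summary):
        s = summary[client]
        print(f"{client}: {s['dga_like']} DGA-like lookups, "
              f"{s['nxdomain']}/{s['queries']} NXDOMAIN -> {', '.join(s['names'])}")
```

Run stand-alone, it prints the one constructed client whose lookups fit the pattern; the benign client scores zero on every label. Per-client aggregation matters more than the per-label score: a single odd-looking hostname is common in legitimate traffic (CDN and tracking labels), whereas a burst of such names that mostly fail to resolve is the signature the post describes.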