Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Eliot Lear <> Tue, 19 March 2019 07:51 UTC

From: Eliot Lear <>
Date: Tue, 19 Mar 2019 08:50:50 +0100
Cc: Ted Hardie <>, dnsop <>, DoH WG <>, Paul Vixie <>
To: Matthew Pounsett <>


> On 19 Mar 2019, at 01:50, Matthew Pounsett <> wrote:
> Somewhere up-thread it was suggested that there are other reasonable steps that a network/security operator can take to maintain the controls over resolution that we have today, but so far I haven't seen them enumerated anywhere.

I had stated that one can use an MDM to manage the endpoint’s use of DoH.  This doesn’t eliminate the possibility of malware, but does reduce misconfiguration in the enterprise, and provides for some protection against infection by blocking known bad names.

In addition, there’s at least a heuristic for detection: compare data plane activity against ANSWERs.  If you’re seeing activity to addresses that don’t match (modulo some noise), you know an alternate resolver is active on that device.  And while it’s possible for malware to mimic queries to Do53 for Good sites versus what it really wants to access, you start tarnishing the rep of the IP address as and when you detect the problem through other means (AV s/w, honey pots, binary inspection, et al).  That leaves it with cloud providers to sort their wagons.

It might also be possible to whitelist ANSWERs into iptables. I wrote the code for that for a dnscap plugin some years ago, and you could even play with it if you want (it’s on GitHub), but I’m not suggesting it’s a good general answer (it was intended for a very specific use case involving relatively few domains for (hopefully cooperating) IoT devices).  As you point out, it won’t tackle shared IP addresses, and quite frankly, little CPE gear won’t scale with a gazillion iptables entries (I’m not sure big gear would either).
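The detection heuristic from this message, comparing data-plane destinations against what the enterprise Do53 resolver actually answered, as an added example; this is not code from the thread or from the dnscap plugin mentioned above. It assumes resolver answers arrive as (time, qname, answer_ip, ttl) tuples and flows as (time, src, dst, dport) tuples; both datasets, the TTL grace period, the allowlisted prefix and the noise threshold are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (not real logs): answers the enterprise Do53
# resolver handed out, as (time, qname, answer_ip, ttl).
DNS_ANSWERS = [
    (100, "intranet.example", "198.51.100.10", 300),
    (105, "www.example", "203.0.113.20", 60),
    (110, "cdn.example", "203.0.113.21", 60),
]

# Constructed flow records from the data plane, as (time, src, dst, dport).
FLOWS = [
    (120, "10.0.0.5", "198.51.100.10", 443),  # explained by an answer
    (130, "10.0.0.5", "203.0.113.20", 443),   # explained by an answer
    (200, "10.0.0.5", "203.0.113.20", 443),   # answer expired: counts as noise
    (140, "10.0.0.7", "192.0.2.77", 443),     # never answered by our resolver
    (145, "10.0.0.7", "192.0.2.78", 443),
    (150, "10.0.0.7", "192.0.2.79", 853),
    (160, "10.0.0.9", "10.0.0.1", 53),        # local infrastructure, allowlisted
]

# Prefixes that legitimately never appear in answers (hypothetical choice).
ALLOWLIST = [ip_network("10.0.0.0/8")]

def build_answer_cache(answers, grace=30):
    """Map answer IP -> time until which a flow to it counts as explained."""
    cache = {}
    for t, _qname, ip, ttl in answers:
        # Grace absorbs clients that keep using an address slightly past its TTL.
        cache[ip] = max(cache.get(ip, 0), t + ttl + grace)
    return cache

def unexplained_flows(flows, answers, allowlist=ALLOWLIST, grace=30):
    """Flows whose destination was never (or no longer) in a resolver ANSWER."""
    cache = build_answer_cache(answers, grace)
    return [
        (t, src, dst, dport)
        for t, src, dst, dport in flows
        if not any(ip_address(dst) in net for net in allowlist)
        and t > cache.get(dst, -1)
    ]

def suspect_hosts(flows, answers, threshold=3):
    """Sources with at least `threshold` distinct unexplained destinations.
    The threshold is the 'modulo some noise' allowance: one stray destination
    is a hard-coded IP or a stale cache, several suggests an alternate resolver."""
    per_src = defaultdict(set)
    for _t, src, dst, _dport in unexplained_flows(flows, answers):
        per_src[src].add(dst)
    return sorted(src for src, dsts in per_src.items() if len(dsts) >= threshold)
```

A flagged host is only a lead: as the message notes, the next step is corroboration through other means before its destinations are treated as bad.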