Re: [Doh] DoH

<andrew.campling@bt.com> Thu, 28 March 2019 17:36 UTC

Return-Path: <andrew.campling@bt.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32C06120283 for <doh@ietfa.amsl.com>; Thu, 28 Mar 2019 10:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.096
X-Spam-Level:
X-Spam-Status: No, score=-1.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQ5iOX8qaHPs for <doh@ietfa.amsl.com>; Thu, 28 Mar 2019 10:36:07 -0700 (PDT)
Received: from smtpe1.intersmtp.com (unknown [213.121.35.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADBA01202C4 for <doh@ietf.org>; Thu, 28 Mar 2019 10:36:03 -0700 (PDT)
Received: from tpw09926dag11h.domain1.systemhost.net (10.9.212.35) by BWP09926084.bt.com (10.36.82.115) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3; Thu, 28 Mar 2019 17:35:57 +0000
Received: from tpw09926dag11h.domain1.systemhost.net (10.9.212.35) by tpw09926dag11h.domain1.systemhost.net (10.9.212.35) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 28 Mar 2019 17:35:59 +0000
Received: from tpw09926dag11h.domain1.systemhost.net ([fe80::31b2:6108:6eda:82cd]) by tpw09926dag11h.domain1.systemhost.net ([fe80::31b2:6108:6eda:82cd%12]) with mapi id 15.00.1395.000; Thu, 28 Mar 2019 17:35:59 +0000
From: <andrew.campling@bt.com>
To: <adam@nostrum.com>, <john@johncarr.eu>, <mcmanus@ducksong.com>
CC: <paul.hoffman@icann.org>, <doh@ietf.org>
Thread-Topic: [Doh] DoH
Thread-Index: AQHU5Yj5ws0QKXF/kE2CC/ccxm7ktqYhTCtA
Date: Thu, 28 Mar 2019 17:35:59 +0000
Message-ID: <826904ddc23941d5be4d8872c4f2737a@tpw09926dag11h.domain1.systemhost.net>
References: <DB7PR03MB4698C510EC609C85725FC158C6590@DB7PR03MB4698.eurprd03.prod.outlook.com> <CAOdDvNpJqaemDTHcUtTQ7Xc1cq5OOFU91qq_h97j6Uv1RTHD7A@mail.gmail.com> <DB7PR03MB4698A645255E883C9CC07AC3C6590@DB7PR03MB4698.eurprd03.prod.outlook.com> <73a0935d-f80b-0e8d-eb89-cb35a473122c@nostrum.com>
In-Reply-To: <73a0935d-f80b-0e8d-eb89-cb35a473122c@nostrum.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.9.202.243]
Content-Type: multipart/alternative; boundary="_000_826904ddc23941d5be4d8872c4f2737atpw09926dag11hdomain1sy_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/r0TcqbXJxkf5rUu8kEZYznKoDJQ>
Subject: Re: [Doh] DoH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 17:36:11 -0000

Ø  For the types of home networks you mention, which generally lack professional and dedicated network administrators, DoH does not inherently represent any significant change to the decade-old status quo resulting from publicly-available DNS.

I disagree, there is a fundamental change here.  If / when browsers enable DoH by default, it suddenly means that very large numbers of users will bypass filtering, whether in the home or other environments, possibly without even knowing that is the case.  This potentially exposes vulnerable groups such as children to harm, and may also contravene local or regional legislation – an issue for the browser companies and DoH resolvers.  These points were touched on in the DoH discusions this week.

The reasons this is different to the status quo with publicly-available DNS are: a) the volume of users involved; b) it is being implemented without the user seeking it out; and c) it is potentially being imposed without their consent.

No doubt the debate will continue!


Andrew

From: Adam Roach [mailto:adam@nostrum.com]
Sent: 28 March 2019 17:08
To: John Carr <john@johncarr.eu>eu>; Patrick McManus <mcmanus@ducksong.com>
Cc: paul.hoffman@icann.org; doh@ietf.org
Subject: Re: [Doh] DoH

[speaking as an individual contributor]

John --

The issue you're raising is not inherent to the DoH protocol. Since the advent of public DNS servers, which started to gain significant popularity with Google's service offering a decade ago [1], the various DNS-based approaches of content restriction that you describe in your original message have been fairly easily circumventable (e.g. by changing the DNS settings on a local machine, using TOR browser, or by using a VPN).

There has been significant discussion within the IETF, especially over the past few weeks, of some of the operational changes that result from the difference between DoH and other means of accessing DNS. These changes do have some bearing on sophisticated network operators, such as those who administer enterprise networks. For the types of home networks you mention, which generally lack professional and dedicated network administrators, DoH does not inherently represent any significant change to the decade-old status quo resulting from publicly-available DNS.

There has also been some speculation about, and announcements of, future behaviors that some applications -- notably, web browsers -- may choose to exhibit. While the development of the DoH protocol might have focused and potentially accelerated the decisions made by the vendors of those applications, it should be noted that the behaviors enabled by DoH are possible without any standardized protocol, and that browser vendors in particular were almost certainly going to deploy equivalent technology regardless of whether such standardization took place. As the IETF itself only has that information that has been sent to the DoH mailing list, it seems unlikely that you could get any useful answers to the questions you raise except for by contacting the vendors of such applications through their official public comms channels.

/a

____
[1] https://en.wikipedia.org/wiki/Google_Public_DNS

On 3/28/19 17:20, John Carr wrote:
Many thanks. I represent children’s organizations which do not have  the resources to track the complexities or ins and outs of some of these sorts of issues.

Perhaps there is someone on the list who knows the answer to my question? Or are you saying I must wade through the whole shooting match and work it for myself?

John

From: Patrick McManus <mcmanus@ducksong.com><mailto:mcmanus@ducksong.com>
Sent: 28 March 2019 15:56
To: John Carr <john@johncarr.eu><mailto:john@johncarr.eu>
Cc: paul.hoffman@icann.org<mailto:paul.hoffman@icann.org>; mcmanus@ducksong.com<mailto:mcmanus@ducksong.com>; doh@ietf.org<mailto:doh@ietf.org>
Subject: Re: DoH

Hi John - I cannot speak for the IETF, nor am I in a position to effectively summarize all of the inputs over the year long process in building RFC 8484. However the consensus opinion of that work is reflected in that document. I can also refer you to the datatracker page for the working group which includes the mailing list archives and minutes from in person meetings while doing the work. https://datatracker.ietf.org/group/doh/about/ The final consensus document does contain some related content in section 10.

Best Regards,
-Patrick

On Thu, Mar 28, 2019 at 3:54 PM John Carr <john@johncarr.eu<mailto:john@johncarr.eu>> wrote:
Hi Both,

I refer to the IETF project on DNS queries over HTTPS (DoH)

Could you tell me if, in the course of the deliberations which have been taking place within the IETF structures in respect of DoH, any consideration was given, or is being given, to the implications of this standard in terms of its likely impact on filtering solutions which have been implemented either  on routers within individual households, or by ISPs or other access providers, where the purpose of the filtering is either to restrict access to known illegal content or it is to restrict access to content which is considered inappropriate, e.g. for younger family members?

Many thanks,

John  Carr
Secretary
Children’s Charities’ Coalition on Internet Safety

www.chis.org.uk<http://www.chis.org.uk>




_______________________________________________

Doh mailing list

Doh@ietf.org<mailto:Doh@ietf.org>

https://www.ietf.org/mailman/listinfo/doh