Re: [Doh] [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

[nalini elkins <nalini.elkins@e-dco.com>]

BTW, I am reading the draft Tiru et al just posted on DPRIVE about this
issue to see if we have any comments.

> 4) I am using my work laptop on the enterprise network, and
using application-X

This could be an internal application or on the Internet.

Enterprises have connections to:

- Internal LAN / WAN clients

- "Cloud" (much as I dislike the term) applications

- Business partners

- The Internet

Companies also (validly, in my opinion) wish to know if their employees are
going to fantasyfootballgame.com while they are supposedly doing work and
of course, other sites which people should not be going to during work
time.  If I am paying someone, I expect them to do work that I wish them to
do.

The cloud example gets quite a bit more complex with some architectures
some companies are proposing where there will be a complicated topology on
premises.   Let me check with the enterprise who told me about this & I
will see if I can post the diagram or an explanation of what is planned.
This is a complex problem.

Thank your for your thoughtful consideration of the issues.  Please let me
know if my explanation makes the requirements any clearer.

Nalini



On Mon, Mar 11, 2019 at 9:44 AM Christian Huitema <huitema@huitema.net>
wrote:

>
> On 3/10/2019 8:25 PM, nalini elkins wrote:
> >  > Similarly, putting DNS in user space allows for immediate adoption
> > of DNSSEC and privacy enhancements, even when the operating system or
> > the local network does not support them
> >
> > At enterprises (banks, insurance, etc) on their internal networks,
> > people run their own DNS servers which may resolve for both internal
> > and external sites.
> >
> > We were recently talking to a Fortune 50 company in the United States
> > about what might happen you install a version of the browser which
> > uses DNS-over-HTTPS automatically.  (Clearly, this applies to any
> > variant.)
> >
> > The questions that the Fortune 50 company architect asked were
> > something like this:
> >
> > 1. You mean that DNS could be resolved outside my enterprise?
> >
> > 2. So whoever that is that resolves my DNS sees the pattern and
> > frequency of what sites my company goes to?
> >
> > 3. How do I change this?
>
>
> There are a bunch of conflicting requirements here, and it would be good
> to tease out the contradictions. Consider the following cases:
>
> 1) I am using my phone, and using application-X.
>
> 2) I am at home, using application-X on my home computer.
>
> 3) I am using Wi-Fi in a hotel, and using application-X.
>
> 4) I am using my work laptop on the enterprise network, and using
> application-X
>
> 5) I am using my work laptop in a hotel, and using application-X
>
> 6) I am using my work laptop on the network of a customer, and using
> application-X.
>
> Today, plenty of people claim the right to control how I use the DNS: my
> phone carrier, my ISP at home, the company that got the contract to
> manage the hotel's Wi-Fi, the IT manager for my company's laptop, the IT
> manager for the company that I am visiting. Out of those, there is just
> one scenario for which the claim has some legitimacy: if the company
> pays for my laptop and own the laptop, yes of course it has a legitimate
> claim to control how I am using it. Otherwise, I, the user, get to
> decide. If I like the application's setting better than the network's
> default, then of course I expect those settings to stick.
>
> -- Christian Huitema
>
>
>
>

-- 
Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com