Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Paul Vixie <> Mon, 11 March 2019 18:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 28E6F1277D8; Mon, 11 Mar 2019 11:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LxfClxhhGPzR; Mon, 11 Mar 2019 11:07:06 -0700 (PDT)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C2DD61311C7; Mon, 11 Mar 2019 11:06:58 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:6529:414d:1c66:203e] (unknown [IPv6:2001:559:8000:c9:6529:414d:1c66:203e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 9BB00892C6; Mon, 11 Mar 2019 18:06:58 +0000 (UTC)
To: Ted Hardie <>
Cc: Warren Kumari <>, Jim Reid <>, DoH WG <>, dnsop <>
References: <> <> <> <> <>
From: Paul Vixie <>
Message-ID: <>
Date: Mon, 11 Mar 2019 11:06:56 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.11
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Mar 2019 18:07:08 -0000

Ted Hardie wrote on 2019-03-11 10:02:
>     no other off-network RDNS is reachable by malware which somehow gets
>     into my network,
> I interpret this to mean that you have blocked DNS over TLS's well-known 
> port (853), so that Quad 9 and other services offering it are not 
> accessible.  Is that correct, or do you mean something more extensive?

that's it. because before DoH, it was possible to outlaw off-net 53 and 
853 except when coming from my local RDNS servers. because unlike DoH, 
those protocols are not designed to prevent on-path interference.

> As several other folks have pointed out, roll-your-own resolution is in 
> some pretty widely used applications, but I'm not aware of any 
> comprehensive list or any way to block that short of removing the 
> applications once found.  Is there a technique here I'm not aware of?

famously, my chromecast ultra would not let itself out of setup mode 
until it was allowed to reach on UDP/53.

my solution was to operate a server on (and, and, and locally.

DoH will moot that approach. (by design.) i'm studying my alternatives, 
since i also use 'dnstap' to detect behavioural abnormalities, and DNS 
RPZ for parental (and botnet, and IoT) controls. it won't be pretty and 
it won't be cheap. (by design.)

P Vixie