Re: [Doh] [EXTERNAL] Re: DoH

Paul Brears <> Fri, 29 March 2019 11:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 90D88120251 for <>; Fri, 29 Mar 2019 04:55:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.03
X-Spam-Level: **
X-Spam-Status: No, score=2.03 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FUZZY_XPILL=2.799, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HQ3VEou7mMjX for <>; Fri, 29 Mar 2019 04:55:04 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3AEBA12026D for <>; Fri, 29 Mar 2019 04:55:04 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id x2TBpph6016271; Fri, 29 Mar 2019 11:54:34 GMT
Received: from ( []) by with ESMTP id 2rfvhabcej-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 29 Mar 2019 11:54:32 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-rm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oE3YqJPyzJeHcKenkNlze354mjJn12ZuWUUQo97Y63I=; b=P6V9MFpgd46tjy5POIo5ukRb8YvBDfNYLXsih/yfGn3HDtw5XQfwdSHaTPRJgthrqr5MzvEcWjsagAJ/giMfc0mBd1hXLF+VmRGyJZDiHxngMAUWVwcA9x+2bBBtgWy3eJzicW5BqsGdHB6nIefPdtPN/DVxnU9hxDuBiPMa+sA=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.17; Fri, 29 Mar 2019 11:54:28 +0000
Received: from ([fe80::5df9:95c7:55c0:c51e]) by ([fe80::5df9:95c7:55c0:c51e%2]) with mapi id 15.20.1750.017; Fri, 29 Mar 2019 11:54:28 +0000
From: Paul Brears <>
To: "" <>, "" <>, "" <>, "" <>, "" <>
CC: "" <>, "" <>
Thread-Topic: [Doh] [EXTERNAL] Re: DoH
Thread-Index: AQHU5a8WrcSJWAdgB0GdQglRRJjEqaYicS+AgAAO48A=
Date: Fri, 29 Mar 2019 11:54:27 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ad142391-5e2d-4f50-0f18-08d6b43d4c1a
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:AM6PR04MB4406;
x-ms-traffictypediagnostic: AM6PR04MB4406:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 0991CAB7B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(376002)(366004)(39850400004)(396003)(346002)(189003)(199004)(13464003)(93886005)(52536014)(8936002)(3846002)(2906002)(486006)(68736007)(446003)(86362001)(11346002)(476003)(25786009)(33656002)(66066001)(4326008)(14454004)(105586002)(966005)(106356001)(66574012)(5024004)(14444005)(256004)(478600001)(97736004)(76176011)(6436002)(6116002)(26005)(55016002)(6246003)(8676002)(53546011)(6306002)(5660300002)(6506007)(2501003)(186003)(102836004)(71200400001)(54906003)(229853002)(71190400001)(81166006)(81156014)(316002)(110136005)(7736002)(99286004)(2201001)(305945005)(74316002)(7696005)(53936002)(9686003); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR04MB4406;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: zrOMPqOBTiXnG4V3DzTJfTkfqEKtoq3Ix39tg6Ji4Hi8Ogsde8g4Rc9kMVyIkGJpLnHxWrXGeItxKondvktDYsafR5IJPq7d0XcEdSs1OFNzZ64hjREYnjizLhCPajt75DyyvD3ur9ZvJNh4g3IIYS/lfEtblsO7ZNVSniO7lGuFApK9djJfB26YyostKJnjls5RmOwKlE1XCfVElKoMDwcNWGGz4BTFhdD5TdwgcswjwpDV8QRryqeTsXGyYYrOIBDNFQBgTKxCk2PKXvrFHtCDB3sXrXx1gc5QVOT/DyZL03ur3fviHkR0MWjarRPPgzsKudxMaAX6PLhII1Ly4g8MG3wjk2fbL6/dXU8yIPbZVY+g1MCVsFGNtsllHaTw4oSbZIyKBxr0Lpk1Ml8ojbvxCozRKs8nOpGXmk/QaKU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: ad142391-5e2d-4f50-0f18-08d6b43d4c1a
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2019 11:54:28.0923 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3a4af158-b8a5-4bc8-833c-d973205f2bc2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR04MB4406
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-29_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=outboundspam_notspam policy=outboundspam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903290087
Archived-At: <>
Subject: Re: [Doh] [EXTERNAL] Re: DoH
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Mar 2019 11:55:10 -0000

Further down the thread it had been said that choosing to use DoH was the same as choosing to use Google DNS rather than your ISP’s:
 >"For the types of home networks you mention, which generally lack professional and dedicated network administrators, DoH does not inherently represent any significant change to the decade-old status quo resulting from publicly-available DNS."

I think the key difference is that on a normal Widows PC you’d need device admin credentials to change DNS provider.
So a child can’t change DNS provider, to get round parental controls, on a family device unless they’ve been given admin rights.

Whereas in the current (beta) Firefox UI, DoH can be turned on without any additional controls, or any technical knowledge.
What’s worse, the UI today doesn’t make it clear that this setting will undermine parental controls.
So a parent, expecting their parental controls to work, and checking the device settings, won’t see DoH being enabled as a problem.

If DoH becomes default then most parents won’t even see the control hidden in the advanced settings, and won’t know why their parental controls are no longer working.



-----Original Message-----
From: Doh <> On Behalf Of
Sent: 29 March 2019 10:58
Subject: Re: [Doh] [EXTERNAL] Re: DoH

On Mar 28, 2019, at 22:40, Winfield, Alister <> wrote:

> Top posting on purpose ….

> I’ve tried to respond twice to this and I think third time I might get
> closer to my thinking…

> The DoH solution (note not necessarily protocol) is missing at least
> two key elements which together would have reduced the immediate panic
> in the implementation. Not to say there aren’t other things that need work just the really problematic issues could be contained or deferred.

> The current active work on discovery and somehow defining a trust and privacy mechanism surrounding TRR’s.

> With trusted lists of TRR’s you’d then be able to use the output of a
> fundamentally insecure discovery method. If that ‘trust and privacy’
> were to be selectable say by choice of provider. You get the option to
> allow the local network policy / or not. You can chose to allow
> trusted coffee shops but others may be not in your list because they
> do things that ‘you’ don’t like. Parents can chose to trust only those DNS providers that give strong parental controls. Whatever group you are in many things would be less controversial. Oh, it’s not easy but at least we wouldn’t be in the current position where it is almost certain that a sudden change will occur to a keystone of the Internet.

> Worst case example is that given the billions of queries per second we
> are talking about here and the localisation of content delivery it
> impacts, many terrabytes per second of traffic could / would rapidly
> migrate to less-optimal CDN’s. The distribution of this might well
> break networks, sadly there is no research that can reliably work out
> the full impact. Small trials really don’t help because we already handle small percentages of non-local DNS use. It’s the unknown of what happens if 80% of the users in a single software update change to a non-local DNS provider (especially if it’s one that doesn’t forward granular enough EDNS client-subnet data because ‘privacy’).

> I admit that last paragraph may be FUD, but in this case the risk to
> the stability of the Internet is potentially at stake so largest possible ‘we’ owe everyone a little time exposing the potential issues in detail with any mitigations if they exist.
> Preparing those who will be impacted for change and then somehow
> containing the initial  change so if it really does cause hard to
> contain issues we have a small enough problem its solvable in reasonable timeframes. Anyone who has done operations will tell you that big changes that happen fast are the nightmare you fight hardest to avoid.

> One more thing I’ll repeat others warning.. beware unintended
> consequences this must not end in a fight between networks, or
> governments and DoH providers. If this goes wrong and corporates and
> other players decide this is a step too far because of the impacts we all know the outcome could be very messy and I for one would rather work to get a less painful and most likely less privacy impactful result.

> NB: Don’t bite I do like the protocol and I agree that there are some that need it to exist.

I agree with the thrust of your argument, think that those that seek to distinguish between the protocol and its impact in real-world implementation scenarios are mistaken.  The current design is incomplete and lacking in functionality and needs more engineering effort in order to address the shortcomings identified here and elsewhere.  Without further work, DoH will simply serve to undermine privacy and security, as well as leaving application developers and resolvers that use it in a position where they may be non-compliant with legislation in numerous countries  - and so open to legal redress.

I hope that the IETF recognises that these are legitimate challenges that need to be dealt with so that DoH can deliver it's intended benefits.


Doh mailing list
This message is confidential and should not be copied or disclosed to anyone. If this email has come to you in error, please delete it, along with any attachments. Any views or opinions presented are only those of the author and not those of RM. RM accepts no liability for any loss or damage which may be caused by software viruses and it is your responsibility to ensure that this email and any attachments are free of viruses when you receive it. You may use and apply this email and the information contained in it for the intended purpose only and RM shall not be liable in any way in respect of use for any other purpose. In respect of all other matters, to the fullest extent permitted by applicable law, RM disclaims all responsibility and liability for the contents of this email (including any attachments). Please note that RM may intercept incoming and outgoing email communications.

RM Education Ltd (Reg. No: 01148594) is a company registered in England and Wales with its registered office at 140 Eastern Avenue, Milton Park, Abingdon, Oxon OX14 4SB; VAT No: GB 630 8236 56.