[Driu] Suggestion: DHCP to choose a DNS provider from a list of trusted servers

Mateusz Jończyk <mat.jonczyk@o2.pl> Tue, 22 May 2018 15:06 UTC

To: driu@ietf.org
From: Mateusz Jończyk <mat.jonczyk@o2.pl>
Message-ID: <6d6b7a24-a53d-5910-2817-f841258bf8df@o2.pl>
Date: Tue, 22 May 2018 17:04:18 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/driu/9bHH9N1QecRwFXC9sS79BWC1rsM>
Subject: [Driu] Suggestion: DHCP to choose a DNS provider from a list of trusted servers

I have devised the following mechanism:

A DNS API client would have a list of "trustworthy" DNS API servers, but which
DNS API server from that list is used could be selected using DHCP.

This would have the following advantages:
1. It would give network administrators an easy way to choose a DNS provider
across a whole network (using DHCP) and configure it in one place instead of on
multiple machines.

2. It would also enable use of the ISP's DNS API server (as a main server or as a
fallback), which would make it possible to share global DNS load across many
ISPs' DNS servers.

At the same time, it would provide protection against phishing and rogue actors.

I wrote some time ago about why it is beneficial to enable fallback to ISPs'
DNS API servers (modified):

We may end up with the whole Internet using a few DOH servers. There are probably
only a few providers that would host publicly-available DOH servers: Cloudflare
(…), Google, OpenDNS, IBM (or the folks responsible for …) and
possibly Microsoft and Apple (for use with Windows / macOS) [3]. I doubt that
OpenDNS would be happy to have their DOH server configured in applications as
default, and Microsoft and Apple as well (in products other than theirs).

This would be very different from the current situation where most people are
using the DNS server of their own ISP.

That change may be great because it increases security, but it could create several
points of failure for the whole Internet [1]. It would be vulnerable to DoS. It
is important to have some local fallback, i.e. DOH or DNS servers hosted by ISPs.


[1] This would be much worse than the current situation with DNS root servers.
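The client-side half of the mechanism proposed in this mail, as an added example that is not part of the original message or of any IETF document: the client ships with a fixed allowlist of trusted DNS API (DoH) servers, a DHCP hint may only pick one of them, and anything else in the hint is ignored and reported so a rogue DHCP server cannot introduce an untrusted resolver. The DHCP option payload format (comma-separated URIs in preference order), all server names and the function names are constructed assumptions; no such option is specified here.

```python
"""Select a DoH (DNS API) server from a client-held allowlist, steered by a
DHCP hint.  Added example for the mechanism proposed in the mail; the DHCP
option format and every server name below are constructed, not standardized."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample allowlist shipped with the client.  Only servers on this
# list may ever be used, whatever DHCP says.
TRUSTED_DOH_SERVERS = (
    "https://doh.example-public.net/dns-query",
    "https://dns.example-isp.net/dns-query",
    "https://resolver.example-corp.internal/dns-query",
)

# Server used when DHCP offers nothing usable (first entry of the allowlist).
DEFAULT_DOH_SERVER = TRUSTED_DOH_SERVERS[0]


def normalize(uri: str) -> Optional[str]:
    """Canonical form for comparison: https only, lower-cased host, an explicit
    :443 dropped, path kept as given.  Returns None for anything that is not a
    plain https URI (http://, userinfo, missing host, unparsable port)."""
    parts = urlsplit(uri.strip())
    try:
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password:
        return None
    host = parts.hostname.lower()
    if port not in (None, 443):
        host = f"{host}:{port}"
    return f"https://{host}{parts.path or '/'}"


def parse_dhcp_hint(payload: bytes) -> List[str]:
    """Decode the hypothetical DHCP option: UTF-8 URIs separated by commas in
    the administrator's order of preference.  Undecodable bytes yield []."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return []
    return [item.strip() for item in text.split(",") if item.strip()]


def select_doh_server(
    dhcp_payload: bytes,
    trusted: Tuple[str, ...] = TRUSTED_DOH_SERVERS,
    default: str = DEFAULT_DOH_SERVER,
) -> Tuple[str, str, List[str]]:
    """Return (server, reason, rejected_hints).

    The first DHCP candidate that normalizes to an allowlisted server wins
    ("dhcp"); otherwise the built-in default is used ("fallback").  Candidates
    that are not on the list are collected in rejected_hints so the client can
    log them: a hint for an unknown resolver is worth investigating."""
    allow = {}
    for uri in trusted:
        key = normalize(uri)
        if key is not None:
            allow[key] = uri
    rejected: List[str] = []
    for candidate in parse_dhcp_hint(dhcp_payload):
        key = normalize(candidate)
        if key in allow:
            return allow[key], "dhcp", rejected
        rejected.append(candidate)
    return default, "fallback", rejected


if __name__ == "__main__":
    # Constructed DHCP payloads covering the cases an implementer must handle.
    cases = {
        "administrator picks the ISP resolver": b"https://dns.example-isp.net/dns-query",
        "case and default port differences tolerated": b"HTTPS://Dns.Example-ISP.net:443/dns-query",
        "unknown server ignored, fallback used": b"https://evil.example/dns-query",
        "unknown first, trusted second": b"https://evil.example/dns-query,"
        b"https://resolver.example-corp.internal/dns-query",
        "plaintext http downgrade rejected": b"http://dns.example-isp.net/dns-query",
        "no hint at all": b"",
    }
    for label, payload in cases.items():
        server, reason, rejected = select_doh_server(payload)
        print(f"{label}: {server} ({reason}; rejected={rejected})")
```

Matching is done on a normalized https URI rather than on the raw bytes of the hint so that harmless variations (case, an explicit :443) still select the intended trusted server, while an http:// hint or a URI with userinfo can never match; the rejected list is the signal a network operator would want to alert on.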