On Mon, Feb 23, 2015 at 1:04 AM, Hosnieh Rafiee <[email protected]> wrote:

>
> From: dns-privacy [mailto:[email protected]] On Behalf Of
> Phillip Hallam-Baker
>
>
> We have to avoid loaded terms like minimal changes. What is a minimal
> change is a very subjective question.
>
>
> We have middlebox issues. Since a middlebox can't do anything useful to an
> encrypted message and because my objective is to bypass government
> censorship schemes, my approach is to bypass the middleboxen wherever
> possible. So I see no value in port 53 whether UDP or TCP.
>
> Changing the port number isn't really a major change in the protocol in my
> view.
>
> Sure we could tunnel e-DNS over DNS. In fact I started off doing that
> three years ago. I even wrote code for that. But why bother when there are
> plenty of uncluttered UDP ports?
>
> --------------------------------
> [Hosnieh] Don't make a mistake... first of all, the discussion is not about
> whether this or that proposal is good or bad. The discussion is about
> having an EQUAL chance for all proposals to present themselves, while this
> hasn't happened, at least for CGA-TSIGe, which is dropped from the agenda every time.
>
> [Hosnieh] The similarities of all proposals IMO are as follows:
> 1- the purpose of all proposals is to avoid government censorship.
> 2- encrypting the DNS messages
>
> The differences of these proposals are:
> 1- How to do the encryption of DNS message
>
> Now let's get back to any proposals that need to use ports other than
> DNS. To be realistic, at the moment in all middleboxes like a firewall,
> port 53 has been defined for DNS and is open for that purpose. In most large
> enterprises there are restrictive policies and they mostly keep all
> unnecessary ports closed. In none of my messages did I say it is not possible to
> re-configure all of these devices, but I would say it is not easy, not only
> technically but also non-technically. I am not talking about a small
> network with perhaps one firewall or a router, but large corporates. I know
> that many big enterprises have a lot of bureaucracy to change any single
> thing in their network. Furthermore, this is too much administrative work.
>

I don't think we should have any concern for providing a bypass for the
enterprise case. If General Motors wants to control their network, that is
their business. They have a right to decide what devices connect to their
network and every bit of software in the stack.

The reason for providing a plan-B transport is that many ISPs are playing
idiot games with DNS that we do need a work-around on. Residential
broadband typically has UDP open so as to support World of Warcraft etc.


We should not worry too much about the possibility of providing a
standardized firewall bypass mechanism. There are plenty of non-standard
ones and it is not our job to fix holes in other people's sieves.

But that does not mean that we should design the protocol to bust
enterprise network firewalls either.


Busting the DNS middleboxen provided by ISPs to residential users is a very
different matter. They are selling Internet connectivity and their customer
has a right to get what they paid for, not a walled garden controlled by
the ISP. But in practice it isn't the walled gardens that are the problem
so much as clueless gateways that the ISPs often don't even know are doing
DNS interception.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
