> -----Original Message-----
> From: Ralf Weber [mailto:d...@fl1ger.de]
> Sent: Thursday, April 24, 2014 7:22 PM
> To: Tirumaleswar Reddy (tireddy)
> Cc: Nicholas Weaver; Paul Wouters; dnsop; dns-priv...@ietf.org
> Subject: Re: [dns-privacy] [DNSOP] DNS over DTLS (DNSoD)
>
> Moin!
>
> On 24.04.2014, at 15:28, "Tirumaleswar Reddy (tireddy)" <tire...@cisco.com> wrote:
>
>> -----Original Message-----
>> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Nicholas Weaver
>> Sent: Thursday, April 24, 2014 1:58 AM
>> To: Paul Wouters
>> Cc: dnsop; Nicholas Weaver; dns-priv...@ietf.org
>> Subject: Re: [dns-privacy] [DNSOP] DNS over DTLS (DNSoD)
>>
>>> On Apr 23, 2014, at 1:00 PM, Paul Wouters <p...@nohats.ca> wrote:
>>> No, I fully disagree with this. Port 53 TCP has a much better chance
>>> at working these days than a random other newly assigned port.
>>
>> On the contrary, firewalls are configured today to permit UDP port 53 and
>> block TCP port 53. Why should firewalls change their configuration?
>
> I know lots of firewalls that also allow TCP/53,

Any specific reason for the firewalls to permit TCP/53 other than for zone transfer?

> but the real problem with all these middle boxes that make changing DNS hard
> is that they believe they understand the full protocol and only pass what they
> think is right. So everything new we come up with will be dropped (been there,
> done that). We have to be very careful with changes to the DNS protocol if we
> want them to be deployed.

Agreed. It totally depends on the environment in which the firewall is deployed, its capability and configuration. For example:

[1] For firewalls deployed in an Enterprise network where I.T. realizes the importance of privacy, the FW could be configured to permit DNSoD over 53. Similarly, I don't see any problem with the firewall deployed in the Home network.

[2] It could be a problem with firewalls deployed in airports, coffee shops, where I.T. may not care about privacy, and the firewall could be configured to block non-DNS traffic on port 53. In such environments, if a user wants privacy then it's probably better to go with DNS servers that the user trusts. For example, DNSCrypt uses UDP/443 by default, and if the connectivity with the DNS servers fails then it resorts to TCP/443, and it works on UDP/53 too. I guess with {D}TLS we will need a similar approach where the client tries connectivity using multiple ports, L4 protocols, etc.

Firewalls today are already capable of inspecting the TLS handshake and can also act as a {D}TLS proxy. DTLS is already deployed and used today to secure WebRTC media, data channels and the CoAP protocol in IoT environments. Firewalls are catching up with these emerging protocols to make sure they work with them.

Cheers,
-Tiru

> So long
> Ralf
>
> Sent from my iPhone

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
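The multi-port, multi-transport fallback described in the message above (the DNSCrypt pattern of trying 443 before 53 and UDP before TCP), as an added example that is not from the thread or from any DNS project: the candidate order, the `udp`/`tcp` naming for DTLS/TLS, and the firewall policy tables are assumptions, and the policies are constructed for illustration rather than measured.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical (proto, port) pairs: "udp" stands for DNS over DTLS, "tcp" for DNS over TLS.
Transport = Tuple[str, int]

# Probe order assumed from the DNSCrypt sequence in the message:
# 443 first (rarely filtered), 53 as a last resort, UDP before TCP.
CANDIDATES: List[Transport] = [("udp", 443), ("tcp", 443), ("udp", 53), ("tcp", 53)]


@dataclass
class FallbackResult:
    chosen: Optional[Transport]                             # first transport that worked
    blocked: List[Transport] = field(default_factory=list)  # what failed on the way (diagnostics)


def select_transport(probe: Callable[[str, int], bool],
                     candidates: List[Transport] = CANDIDATES) -> FallbackResult:
    """Try each candidate in order and stop at the first one the probe accepts."""
    result = FallbackResult(None)
    for proto, port in candidates:
        if probe(proto, port):
            result.chosen = (proto, port)
            break
        result.blocked.append((proto, port))
    return result


def policy_probe(policy: Dict[Transport, bool]) -> Callable[[str, int], bool]:
    """Offline stand-in for the network: a constructed table of what a middlebox lets through."""
    return lambda proto, port: policy.get((proto, port), False)


def tcp_connect_probe(host: str, timeout: float = 2.0) -> Callable[[str, int], bool]:
    """Real-network prober for TCP candidates only (UDP silence is indistinguishable from a
    drop without a DTLS handshake). Caveat from the thread: a completed connect shows the
    port is open, not that a protocol-aware middlebox will pass TLS on it."""
    def probe(proto: str, port: int) -> bool:
        if proto != "tcp":
            return False
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return probe


# Constructed policies for the two environments discussed: True = DNSoD on that transport passes.
ENTERPRISE_OR_HOME = {("udp", 443): True, ("tcp", 443): True, ("udp", 53): True, ("tcp", 53): True}
COFFEE_SHOP = {("udp", 443): False, ("tcp", 443): True, ("udp", 53): False, ("tcp", 53): False}
```

Running `select_transport(policy_probe(COFFEE_SHOP))` picks `("tcp", 443)` after recording `("udp", 443)` as blocked, while the enterprise/home policy succeeds on the first candidate.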