On Tue, Feb 12, 2019 at 10:14:19AM -0800, David Conrad <d...@virtualized.org> wrote a message of 100 lines which said:
> Why don’t you force folks on your network to install a certificate
> that would allow you to inspect TCP/443 outbound traffic?

There are probably many connected things where this is not possible. But I don't think blocking DNS resolution (through DoT blocking or DoH bashing) would help: malware learned a long time ago how to work even in the most hostile (for them) environment, so connected things will learn to do the same, in the same way that they use STUN, TURN and other tricks to work around NAT.

So, I don't think Paul Vixie's plan will work: either you connect only trusted devices to your network, or you block all outbound traffic for nodes that must stay local (a thermometer or a camera MUST NOT talk to the outside world at all).

(And, yes, I know that today's connected devices talk a lot to remote nodes. But it is evil.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
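The second option the message describes, blocking all outbound traffic for devices that must stay local rather than trying to police their DNS, can be expressed as a plain egress rule on the gateway. The nftables ruleset below is an added example written for this page, not something from the message or its author; the interface name `iot0`, the `10.0.0.0/8` "local" range and the IPv6 ranges are constructed placeholders for whatever segments a given network actually uses.

```nft
#!/usr/sbin/nft -f
# Added example, not from the list message. Assumed topology (placeholders):
#   iot0        - the interface behind which the local-only devices live
#   10.0.0.0/8  - all address space the operator considers "local" (IPv4)
#   fe80::/10, fd00::/8 - link-local and ULA space considered "local" (IPv6)
# Devices behind iot0 may reach local addresses only. Anything else (port 853
# DoT, port 443 DoH, a vendor cloud, a NAT-traversal helper) is logged and
# dropped, so the device cannot get a packet out and the attempt is visible.

define iot_if    = "iot0"
define local_v4  = 10.0.0.0/8
define local_v6  = { fe80::/10, fd00::/8 }

table inet egress_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to flows the local side opened (a hub polling a camera, etc.)
        iifname $iot_if ct state established,related accept

        # Local-only devices may talk to local segments and nothing more
        iifname $iot_if ip  daddr $local_v4 accept
        iifname $iot_if ip6 daddr $local_v6 accept

        # Everything else leaving the segment: rate-limited log line, then drop
        iifname $iot_if limit rate 1/second log prefix "iot-egress-drop: " level warn
        iifname $iot_if drop
    }
}
```

Loading this with `nft -f` leaves other interfaces untouched (the chain policy is `accept` and every restricting rule is keyed on `iifname`), and the `iot-egress-drop:` prefix gives a syslog or journal watcher a single string to alert on when a "local-only" device starts reaching for the outside world, whatever protocol it tries.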