On Tue, Feb 12, 2019 at 10:34:19AM -0800, Paul Vixie <[email protected]> wrote a message of 15 lines which said:
> > How can you be sure folks on your network aren't already tunneling
> > their evil deeds through HTTPS?
>
> netflow. such traffic _looks_ abnormal.
>
> the deliberate design premise of DoH is that it look normal.

If TLS does its job, how can you tell the difference between DoH and EvilNonStandardNameResolutionProtocolRunningOverTLS? There are some metadata that can help (such as sizes and timing), but the IETF continues to develop tricks like padding to make them as inefficient as possible. I would really like to know how you could detect EvilNonStandardNameResolutionProtocolRunningOverTLS but not DoH?

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
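The remark above about padding, illustrated with an added example that is not part of the thread: the script models what a passive observer with netflow-style length metadata sees for DNS queries and responses before and after RFC 8467 block-length padding (128-octet blocks for queries, 468 for responses, carried in the RFC 7830 EDNS(0) Padding option). The query names and response sizes are constructed, and the model ignores the roughly constant HTTP/2 and TLS record overhead that DoH adds around the DNS message.

```python
"""Size metadata of DNS messages with and without EDNS(0) padding.

Constructed example: models DNS message lengths only, not captured traffic.
"""
from collections import Counter

# RFC 7830 Padding option header: OPTION-CODE (2 octets) + OPTION-LENGTH (2 octets)
PADDING_OPTION_OVERHEAD = 4
# Block sizes recommended by RFC 8467, section 4.1
QUERY_BLOCK = 128
RESPONSE_BLOCK = 468

# Fixed octets of a minimal one-question query: 12-octet header, 4 octets
# QTYPE/QCLASS, 11-octet OPT pseudo-RR (root name, TYPE, CLASS, TTL, RDLENGTH).
FIXED_QUERY_OCTETS = 12 + 4 + 11


def query_wire_length(qname: str) -> int:
    """Unpadded wire length of an EDNS(0) query for `qname` (no trailing dot).

    QNAME on the wire is one length octet per label plus the root octet,
    which for a dotted name is len(qname) + 2.
    """
    return FIXED_QUERY_OCTETS + len(qname) + 2


def padded_length(unpadded_len: int, block: int) -> int:
    """Length after appending a Padding option so the message is a multiple
    of `block`. Assumes an OPT RR is already present, so only the option
    header and its zero filler are added."""
    if unpadded_len < 1 or block < 1:
        raise ValueError("lengths must be positive")
    with_option = unpadded_len + PADDING_OPTION_OVERHEAD
    fill = (-with_option) % block  # zero octets needed to reach the next multiple
    return with_option + fill


def size_profile(lengths, block=None):
    """Histogram of sizes as the observer sees them; block=None means no padding."""
    if block is None:
        return Counter(lengths)
    return Counter(padded_length(n, block) for n in lengths)


def compare(lengths, block):
    """Number of distinct observable sizes before and after padding."""
    return len(size_profile(lengths)), len(size_profile(lengths, block))


# Constructed sample traffic (hypothetical names and response sizes)
SAMPLE_QNAMES = [
    "example.com",
    "dnsop.ietf.org",
    "mail.example.net",
    "cdn-assets.static.example.org",
    "a.rather.long.chain.of.labels.under.example.com",
]
SAMPLE_RESPONSE_LENGTHS = [85, 130, 240, 460, 470]


if __name__ == "__main__":
    queries = [query_wire_length(n) for n in SAMPLE_QNAMES]
    print("unpadded query sizes:", sorted(queries))
    print("padded query sizes:  ", sorted(size_profile(queries, QUERY_BLOCK)))
    print("distinct query sizes before/after padding:", compare(queries, QUERY_BLOCK))
    print("distinct response sizes before/after padding:",
          compare(SAMPLE_RESPONSE_LENGTHS, RESPONSE_BLOCK))
```

With padding, the five distinct query sizes collapse to one (128) and the five response sizes to two (468 and 936), so length alone no longer separates one short query from another; the extra octets are the inefficiency the message refers to, and an observer is left with timing and volume rather than per-message size.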
