On Sat, Mar 9, 2019 at 11:03 PM Paul Vixie <p...@redbarn.org> wrote:
>
>
> Warren Kumari wrote on 2019-03-09 22:48:
> > [ + DNSOP]
> >
> > ...
> >
> > I think it would be very valuable to not conflate DNS-over-HTTPS (the
> > protocol) with the "applications might choose to use their own
> > resolvers" concerns.
>
> i disagree. as an example:
>
> > Two primary use cases were considered during this protocol's
> > development. These use cases are preventing on-path devices from
> > interfering with DNS operations, ...
>
> (from the Introduction of RFC 8484.)
>
> no other off-network RDNS is reachable by malware which somehow gets
> into my network,
I interpret this to mean that you have blocked DNS over TLS's well-known port (853), so that Quad 9 and other services offering it are not accessible. Is that correct, or do you mean something more extensive?

As several other folks have pointed out, roll-your-own resolution is in some pretty widely used applications, but I'm not aware of any comprehensive list or any way to block that short of removing the applications once found. Is there a technique here I'm not aware of?

Ted
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
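The exchange above turns on what a port-based egress block actually catches. The Python below is an added illustration, not code from either message or from any DNSOP draft: it models a site policy that allows Do53 (53) and DoT (853) only to the local resolver, then shows which constructed flow records such a policy stops and which application-embedded DoH flows on 443 pass straight through. The resolver address, the hostnames, the SNI allowlist and every flow record are constructed (RFC 5737 documentation ranges and example.* names), and the `Flow` record type and the two policy functions are this example's own, not any firewall's API.

```python
"""Which resolver traffic a port-based egress policy stops, and which does not.

Added example for the thread above; not code from any list participant.
All addresses, hostnames and flow records are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the site's own recursive resolver. Anything else is
# "off-network RDNS" in the sense used in the quoted message.
LOCAL_RESOLVERS = {ip_network("10.0.0.53/32")}

# Constructed allowlist of TLS server names known to serve DoH. In practice
# such a list is fed from vendor or threat-intel sources and is never complete,
# which is exactly the gap the reply asks about.
KNOWN_DOH_SNI = {"doh.example.net", "dns.example.org"}


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as a firewall or flow collector sees it."""
    src: str
    dst: str
    dport: int
    proto: str       # "udp" or "tcp"
    sni: str = ""    # TLS server_name, when the ClientHello is visible at all


def is_local_resolver(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_RESOLVERS)


def port_policy(flow: Flow) -> tuple[str, str]:
    """Pure port-based egress policy: 53 (udp/tcp) and 853 (tcp) may only go to
    the local resolver. Returns (verdict, reason)."""
    if flow.dport in (53, 853):
        if is_local_resolver(flow.dst):
            return "allow", "dns to local resolver"
        return "block", f"off-network dns on port {flow.dport}"
    return "allow", "not a dns port"


def sni_policy(flow: Flow) -> tuple[str, str]:
    """Port policy plus a second layer: 443/tcp whose SNI is a known DoH
    endpoint is treated as off-network DNS. This cannot help when the
    endpoint is not on the list or the SNI is absent or encrypted."""
    verdict, reason = port_policy(flow)
    if verdict == "block":
        return verdict, reason
    if flow.dport == 443 and flow.proto == "tcp" and flow.sni in KNOWN_DOH_SNI:
        return "block", f"known DoH endpoint {flow.sni}"
    return verdict, reason


# Constructed flow records: one host talking to its local resolver, to an
# external resolver over Do53 and DoT, and to DoH endpoints over 443.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.53", 53, "udp"),                         # local Do53
    Flow("10.0.1.20", "198.51.100.9", 53, "udp"),                      # external Do53
    Flow("10.0.1.20", "198.51.100.9", 853, "tcp"),                     # external DoT
    Flow("10.0.1.20", "203.0.113.7", 443, "tcp", sni="doh.example.net"),  # listed DoH
    Flow("10.0.1.20", "203.0.113.8", 443, "tcp", sni="cdn.example.com"),  # unlisted DoH
    Flow("10.0.1.20", "203.0.113.8", 443, "tcp", sni=""),              # no visible SNI
]


def evaluate(flows, policy):
    """Apply a policy function to each flow; returns (flow, verdict, reason)."""
    return [(f, *policy(f)) for f in flows]


def blocked_by(flows, policy):
    """The subset of flows the given policy would stop."""
    return [f for f in flows if policy(f)[0] == "block"]


if __name__ == "__main__":
    for name, policy in (("port-only", port_policy), ("port+SNI", sni_policy)):
        print(f"--- {name} ---")
        for flow, verdict, reason in evaluate(SAMPLE_FLOWS, policy):
            print(f"{verdict:5} {flow.dst}:{flow.dport}/{flow.proto} sni={flow.sni!r}: {reason}")
```

Run against the constructed flows, the port-only policy blocks exactly the two off-network flows on 53 and 853, and the SNI layer additionally catches the one 443 flow whose server name is on the list; the unlisted DoH host and the flow with no visible SNI are allowed by both, which is the limitation of blocking by port that the reply is asking about.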