Moin!
On 12 Mar 2019, at 17:01, Stephane Bortzmeyer wrote:
> On Tue, Mar 12, 2019 at 04:55:11PM +0100,
> Neil Cook <neil.c...@noware.co.uk> wrote
> a message of 22 lines which said:
>> Actually many enterprises (particularly banks etc.) do not allow DNS
>> resolution directly from employee endpoints.
> They block UDP/53, which is not the same thing.
Well, the DNS protocol has been defined on UDP and TCP port 53, so if you
block this, you block DNS. If you add TCP/853 into the mix you block DNS
over TLS, all of which is relatively easy for an enterprise to do.
> Malware or
> non-cooperating applications can do name resolution by other means. I
> still do not understand why people have a problem with DoH which did
> not already exist before with
> my-own-name-resolution-protocol-over-HTTPS.
Malware doing something specific to it is different from an IETF
standard and application providers taking this standard (DoH) to switch
a basic internet function (name lookups) without the user's consent, which,
due to using HTTPS/443, is harder for enterprises to block. It is a
pretty clear difference.
So long
-Ralf
--
Ralf Weber
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
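The egress policy Ralf describes (allow port 53 only to the corporate resolver, block TCP/853 for DNS over TLS), written out as an nftables ruleset. This is an added example, not from the thread or from any IETF document; the resolver address 192.0.2.53 and the interface names "lan" and "wan" are assumed.

```nftables
#!/usr/sbin/nft -f
# Added example: enterprise egress policy for classic DNS and DoT.
# Assumptions: the corporate resolver is 192.0.2.53 (documentation range),
# clients sit behind interface "lan", the uplink is "wan".

flush ruleset

table inet dns_egress {
    set corp_resolvers {
        type ipv4_addr
        elements = { 192.0.2.53 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "lan" oifname "wan" jump dns_policy
    }

    chain dns_policy {
        # Port 53 (UDP and TCP) is allowed only towards the corporate resolver
        ip daddr @corp_resolvers udp dport 53 accept
        ip daddr @corp_resolvers tcp dport 53 accept

        # Any other port-53 traffic is logged, then dropped
        udp dport 53 log prefix "dns-egress-blocked: " drop
        tcp dport 53 log prefix "dns-egress-blocked: " drop

        # DNS over TLS (RFC 7858) uses TCP/853: block it outright
        tcp dport 853 log prefix "dot-egress-blocked: " drop
    }
}
```

Load with `nft -f <file>` and check hits with `nft list ruleset` and the kernel log prefixes above. As the thread points out, this policy is blind to DoH: it shares TCP/443 with ordinary HTTPS, so nothing here distinguishes it.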