> On 12 Mar 2019, at 17:01, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
> On Tue, Mar 12, 2019 at 04:55:11PM +0100,
> Neil Cook <neil.c...@noware.co.uk> wrote
> a message of 22 lines which said:
>
>> Actually many enterprises (particularly banks etc.) do not allow DNS
>> resolution directly from employee endpoints.
>
> They block UDP/53, which is not the same thing. Malware or
> non-cooperating applications can do name resolution by other means. I
> still do not understand why people have a problem with DoH which did
> not already exist before with
> my-own-name-resolution-protocol-over-HTTPS.
Sure, but the malware has to go to a specific server which can be identified
and blocked. For any companies implementing a “whitelist-only” security-policy,
this is straightforward. Even without, these kinds of requests can be spotted
as anomalies etc.
This is a different scenario than a DoH server co-located with e.g. youtube.com
or whatever, which is a little harder to block (by design
as P. Vixie has pointed out).
Neil
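The two cases Neil contrasts (a dedicated resolver that an allowlist-only egress policy simply never admits, versus DoH served from a host that is already allowed) can be expressed as a small triage over proxy logs. The following is an added example and is not code from the thread or from any of the participants; it assumes a forwarding proxy that logs the client, destination host, method, path and request content type, which for HTTPS presupposes TLS inspection at the proxy. The allowlist and the log lines are constructed for the example; the DoH indicators (the `application/dns-message` media type and the conventional `/dns-query` path with a `dns=` query parameter) are the ones RFC 8484 defines.

```python
"""Triage constructed proxy log lines for DNS-over-HTTPS against an egress allowlist.

Added example, not from the DNSOP thread. Assumes a proxy log with the fields
"src host method path content_type" and TLS inspection so that path and
content type are visible for HTTPS requests.
"""
from typing import Dict, Iterable, List, Tuple

# Hypothetical allowlist for a "whitelist-only" egress policy (constructed).
ALLOWED_HOSTS = {"intranet.example", "vendor-saas.example", "cdn.example"}

# RFC 8484 DoH indicators: the DoH media type and the conventional /dns-query path.
DOH_MEDIA_TYPE = "application/dns-message"
DOH_PATH_HINT = "/dns-query"


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed proxy log line into its five fields."""
    src, host, method, path, ctype = line.split()
    return {"src": src, "host": host, "method": method, "path": path, "ctype": ctype}


def looks_like_doh(rec: Dict[str, str]) -> bool:
    """True when the request carries an RFC 8484 DoH fingerprint."""
    if rec["ctype"] == DOH_MEDIA_TYPE:
        return True
    if rec["path"].startswith(DOH_PATH_HINT):
        return True
    # RFC 8484 GET form: the wire-format query is base64url in a "dns" parameter.
    return rec["method"] == "GET" and "?dns=" in rec["path"]


def classify(rec: Dict[str, str]) -> str:
    """Apply the allowlist first; only allowlisted hosts need DoH inspection."""
    if rec["host"] not in ALLOWED_HOSTS:
        # Case 1 in the thread: a dedicated DoH resolver is simply never admitted.
        return "blocked-not-allowlisted"
    if looks_like_doh(rec):
        # Case 2: DoH co-located on a host the policy already allows; this is
        # only visible because the proxy can see path and content type.
        return "anomaly-doh-on-allowlisted-host"
    return "ok"


def triage(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group every non-"ok" verdict by category as (client, host) pairs."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict != "ok":
            findings.setdefault(verdict, []).append((rec["src"], rec["host"]))
    return findings


# Constructed sample log: ordinary web traffic, a dedicated DoH resolver, and
# a DoH endpoint hosted on an allowlisted CDN host.
SAMPLE_LOG = [
    "10.0.0.5 intranet.example GET /portal text/html",
    "10.0.0.7 resolver.example POST /dns-query application/dns-message",
    "10.0.0.9 cdn.example GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message",
    "10.0.0.5 vendor-saas.example POST /api/upload application/json",
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(category, hits)
```

The ordering in `classify` is the point of the example: an allowlist-only policy disposes of the dedicated resolver without any protocol inspection, while the co-located case is caught only because the proxy can read the path and media type, which is exactly the visibility that TLS without interception removes and why that case is "a little harder to block".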
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop