On Monday, 11 March 2019 18:30:51 UTC Ted Hardie wrote:
> On Mon, Mar 11, 2019 at 11:06 AM Paul Vixie <p...@redbarn.org> wrote:
> > DoH will moot that approach.
>
> Any system that actually checks the credentials presented by the responding
> server will also moot that approach.

yes! but it will fail "closed". thus, no unauthorized exfiltration risk will exist.

> Given how easy it is to pin
> credential characteristics in applications distributed as binaries, this
> seems to mean that your method will either continue to permit applications
> other than browsers to use their own resolution systems or it will hard
> fail all such applications it can identify. No pass through will work, as
> far as I can tell, in that scenario.

that's precisely the goal, because very few network operators can preordain the users and apps that will connect through their networks. to the extent that monitoring ('dnstap') and controlling (DNS RPZ) dns lookups by connected users and apps is considered a vital local security policy, attempts at such "pass through" must be made to fail.

> Perhaps, though, I am missing something about your intent.

i think you've restated some key points of my position with perfect accuracy.

DoH wants to empower users and apps to make decisions about their RDNS which cannot be interfered with by on-path actors such as their own network operators. by doing this, DoH makes a false equivalence between a dissident (who may be considered a criminal in some places), and a criminal (who is always considered a criminal in most places), and private users in a hotel room or coffee shop or on their home broadband connection, and malware which gets inside a network and wants to avoid detection/mitigation while performing lookups or exfiltration. those are four very different things. demanding identical treatment for all of them is, in the best possible interpretation, naive.

vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
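The message above refers to "controlling (DNS RPZ) dns lookups" as a local security policy under which unauthorized pass-through is made to fail. As an added illustration that is not part of the thread and not any participant's own configuration, the following shows what such a policy looks like on a BIND 9 recursive resolver: a response policy zone whose QNAME and IP triggers return NXDOMAIN for names the operator has decided local clients must not resolve, while explicitly passing through a name the operator has approved. All hostnames and addresses (`doh-resolver.example`, `walled.example`, the `192.0.2.0/24` and `2001:db8::/32` prefixes, the `rpz.local` zone name and file paths) are constructed placeholders; the trigger syntax (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.`, and the `rpz-ip` / `rpz-client-ip` owner-name encodings) is the standard RPZ format.

```zone
;; --- named.conf fragment (constructed example, not from the thread) ---
;; Enable response policy on this recursive resolver and log every
;; rewrite, so policy hits are visible to the operator's monitoring.
;;
;; options {
;;     response-policy { zone "rpz.local" log yes; } qname-wait-recurse no;
;; };
;;
;; zone "rpz.local" {
;;     type master;
;;     file "/etc/bind/db.rpz.local";
;;     allow-query { none; };    ; never serve the policy zone to clients
;; };

;; --- /etc/bind/db.rpz.local (constructed example) ---
$TTL 300
$ORIGIN rpz.local.
@       IN  SOA   localhost. hostmaster.rpz.local. (
                  2019031101 ; serial (bump on every policy change)
                  3600       ; refresh
                  900        ; retry
                  2592000    ; expire
                  300 )      ; negative-cache TTL
        IN  NS    localhost.

;; QNAME trigger: a resolver hostname local clients must not reach.
;; "CNAME ." tells the resolver to answer NXDOMAIN, so an application
;; that insists on its own resolution path fails closed instead of
;; silently bypassing local policy.
doh-resolver.example            CNAME .
*.doh-resolver.example          CNAME .

;; QNAME trigger answering NODATA (name exists, no records of the type).
nodata.example                  CNAME *.

;; Explicit pass-through: a name the operator has approved for
;; off-network resolution. It is listed so that a broader wildcard
;; below it cannot catch it by accident; most-specific owner wins.
approved.walled.example         CNAME rpz-passthru.
*.walled.example                CNAME .

;; IP trigger (rpz-ip): rewrite any answer whose A/AAAA record falls in
;; a prefix the operator has blocked. Owner-name encoding is
;; <prefixlen>.<address octets reversed>.rpz-ip, with IPv6 using "zz"
;; for the "::" run and reversed 16-bit groups.
24.0.2.0.192.rpz-ip             CNAME .
32.zz.db8.2001.rpz-ip           CNAME .

;; Client-IP trigger (rpz-client-ip): a segment whose hosts are
;; permitted to bypass this policy entirely, e.g. the operator's own
;; monitoring collectors that speak to the dnstap pipeline.
28.0.100.2.192.rpz-client-ip    CNAME rpz-passthru.
```

Loading this zone turns the resolver into the enforcement point the message describes: lookups that match a trigger are rewritten before the answer leaves the resolver, the rewrite is logged for the operator, and a client that validates the responding server's credentials cannot be transparently redirected elsewhere, so the only outcomes are the policy answer or a hard failure. Serial and `allow-query { none; }` matter in practice: the former so secondaries pick up changes, the latter so the policy list itself is not readable by the clients it governs.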