Matthew

> On 19 Mar 2019, at 01:50, Matthew Pounsett <m...@conundrum.com> wrote:
>
> Somewhere up-thread it was suggested that there are other reasonable steps
> that a network/security operator can take to maintain the controls over
> resolution that we have today, but so far I haven't seen them enumerated
> anywhere.
I had stated that one can use an MDM to manage the endpoint’s use of DoH. This doesn’t eliminate the possibility of malware, but does reduce misconfiguration in the enterprise, and provides for some protection against infection by blocking known bad names.

In addition, there’s at least a heuristic for detection: compare data plane activity against ANSWERs. If you’re seeing activity to addresses that don’t match (modulo some noise), you know an alternate resolver is active on that device. And while it’s possible for malware to mimic queries to Do53 for Good sites versus what it really wants to access, you start tarnishing the rep of the IP address as and when you detect the problem through other means (AV s/w, honey pots, binary inspection, et al). That leaves it with cloud providers to sort their wagons.

It might also be possible to whitelist ANSWERs into iptables. I wrote the code for that for a dnscap plugin some years ago, and you could even play with it if you want (it’s on GitHub), but I’m not suggesting it’s a good general answer (it was intended for a very specific use case involving relatively few domains for (hopefully cooperating) IoT devices). As you point out, it won’t tackle shared IP addresses, and quite frankly, little CPE gear won’t scale with a gazillion iptables entries (I’m not sure big gear would either).

Eliot
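The ANSWER-versus-data-plane heuristic described in the message above, as an added example that is not code from the thread or from the dnscap plugin mentioned: it assumes a constructed resolver answer log and flow log in a simple whitespace format, and flags flows to destinations the local resolver never handed to that client, skipping internal nets as noise and allowing some slack past the record TTL.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver answer log: ts, client, qname, answer IP, TTL.
DNS_ANSWERS = """\
100 10.0.0.5 www.example.com 93.184.216.34 300
100 10.0.0.5 www.example.com 2606:2800:220:1:248:1893:25c8:1946 300
130 10.0.0.7 cdn.example.net 203.0.113.10 60
"""

# Constructed sample flow log: ts, source, destination.
FLOWS = """\
105 10.0.0.5 93.184.216.34
110 10.0.0.5 198.51.100.77
150 10.0.0.7 203.0.113.10
300 10.0.0.7 203.0.113.10
400 10.0.0.5 93.184.216.34
"""

# Destinations that never count as evidence of a bypass (internal nets).
IGNORE_NETS = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_answers(text):
    """Return {client: [(first_seen, expiry, ip)]} parsed from the answer log."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, _qname, ip, ttl = line.split()
        seen[client].append((int(ts), int(ts) + int(ttl), ipaddress.ip_address(ip)))
    return seen


def unexplained_flows(answers_text, flows_text, slack=30):
    """Flows whose destination the local resolver never returned to that client.

    A flow is explained if the client received that IP in an ANSWER at or before
    the flow and the record expired no more than `slack` seconds earlier; the
    slack absorbs clients that cache a little past TTL (the "noise" in the text).
    """
    answers = load_answers(answers_text)
    suspicious = []
    for line in flows_text.splitlines():
        ts, src, dst = line.split()
        ts, dst = int(ts), ipaddress.ip_address(dst)
        if any(dst in net for net in IGNORE_NETS):
            continue
        explained = any(first <= ts <= expiry + slack and ip == dst
                        for first, expiry, ip in answers.get(src, ()))
        if not explained:
            suspicious.append((ts, src, str(dst)))
    return suspicious
```

A hit means either an alternate (e.g. DoH) resolver answered that client, or the client reused an address well past its TTL; raising `slack` trades the second kind of false positive against detection delay.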