On Fri, Apr 5, 2019 at 9:45 AM william manning
<chinese.apri...@gmail.com> wrote:
>
> Every now and then, Paul Vixie and I are in complete harmony.  In my current 
> slot, we are one of thousands of entities that are being held accountable to 
> a series of regulatory requirements that have significant fiscal impacts on 
> the exfiltration of private/patient data.  We are starting to focus on three 
> distinct areas to reduce the impact that DOH presents to our security 
> posture.  1) In contractual/procurement language.  We have some "Must have" 
> items and now we will have "Must not" items.  2) There are at least two 
> technical options for tracking/blocking DOH which are being turned into 
> turnkey options to "swat" this covert C&C channel.  3) Aggressive Browser 
> Hygiene.
>
> This genie has not signed a BAA or supplier agreement with us and we will not 
> allow it to dictate our business processes or affect our liability without 
> the DOH enabler shouldering fiscal and legal exposure when DOH is shown to be 
> the culprit in exposure of private data.  I can't see how DOH is going to 
> pass GDPR muster inside the EU either, but that is for others to debate.  I 
> have told my GDPR affected counterparts about the privacy risks with DOH 
> deployment.

You know you can just turn it off the same way you configure your
devices on your network. I also don't understand the GDPR issue you
raise: surely all DNS services have the same problems.

I'm more than happy to show you how to click the checkbox to turn it
off in Firefox. In fact there is a checkbox you need to click to turn
it on, and you can customize it at will. (I literally just checked)

> as usual, YMMV.
>
> /William Manning
>
> On Sun, Mar 10, 2019 at 8:26 PM nalini elkins <nalini.elk...@e-dco.com> wrote:
>>
>> > Similarly, putting DNS in user space allows for immediate adoption of 
>> DNSSEC and privacy enhancements, even when the operating system or the local 
>> network does not support them
>>
>> At enterprises (banks, insurance, etc) on their internal networks, people 
>> run their own DNS servers which may resolve for both internal and external 
>> sites.
>>
>> We were recently talking to a Fortune 50 company in the United States about 
>> what might happen if you install a version of the browser which uses 
>> DNS-over-HTTPS automatically.  (Clearly, this applies to any variant.)
>>
>> The questions that the Fortune 50 company architect asked were something 
>> like this:
>>
>> 1. You mean that DNS could be resolved outside my enterprise?
>>
>> 2. So whoever that is that resolves my DNS sees the pattern and frequency of 
>> what sites my company goes to?
>>
>> 3. How do I change this?
>>
>> I look forward to a discussion on this issue.  There will be at least one 
>> enterprise present in Prague to speak for themselves.  I will see if I can 
>> get others to participate remotely.
>>
>> It would be good to also discuss how to warn enterprises that this is about 
>> to happen.   I wonder if an announcement via CERT or another group may be 
>> appropriate.
>>
>> Thanks,
>> Nalini
>>
>> On Mon, Mar 11, 2019 at 6:36 AM Christian Huitema <huit...@huitema.net> 
>> wrote:
>>>
>>>
>>> On 3/10/2019 4:07 PM, Vittorio Bertola wrote:
>>> > Honestly, I understood it differently - at this point in time they are
>>> > doing tests on whether their resolver performs better or worse than
>>> > the system's one, but their announced model is that Firefox will adopt
>>> > a DoH resolver (though it's unclear how it will be chosen) and it will
>>> > just use that one. But if people from Mozilla could make a clearer
>>> > announcement on what their plans currently are, that would be good.
>>> > Still, most of the issues arise whenever an application, for whatever
>>> > reason and under any mechanism, starts to use one or more resolvers
>>> > different than the one set up in the operating system: even if it used
>>> > more than one, you would still get many of the issues listed in the
>>> > document (though, if it used more than one at the same time, I think
>>> > you'd actually also get some new specific issues, so we'd need to add
>>> > a discussion of this possibility).
>>>
>>>
>>> Your view of operating systems and applications is firmly rooted in
>>> history, which is another way to say in the past. The evolution in the
>>> past years points to a systematic deconstruction of that relation, with
>>> for example virtual machine, containers, or the trend to move network
>>> stacks out of the operating system and into the application. This is
>>> pretty obvious for security stacks, but it is also becoming very clear
>>> with QUIC and transport stacks. There are two big drivers: portability,
>>> and rapid adoption of innovation. These two drivers apply to DNS just
>>> like they apply to transport.
>>>
>>> Putting QUIC in application space allows for immediate provision of
>>> innovations like 0-RTT, head-of-queue blocking mitigation, or the better
>>> crypto of TLS 1.3. Similarly, putting DNS in user space allows for
>>> immediate adoption of DNSSEC and privacy enhancements, even when the
>>> operating system or the local network does not support them. That genie
>>> is not going back in the bottle any time soon.
>>>
>>> -- Christian Huitema
>>>
>>>
>>> _______________________________________________
>>> dns-privacy mailing list
>>> dns-priv...@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>
>>
>>
>> --
>> Thanks,
>> Nalini Elkins
>> President
>> Enterprise Data Center Operators
>> www.e-dco.com
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
