On Fri, Apr 5, 2019 at 9:45 AM william manning <chinese.apri...@gmail.com> wrote:
>
> Every now and then, Paul Vixie and I are in complete harmony. In my current
> slot, we are one of thousands of entities that are being held accountable to
> a series of regulatory requirements that have significant fiscal impacts on
> the exfiltration of private/patient data. We are starting to focus on three
> distinct areas to reduce the impact that DOH presents to our security
> posture.
>
> 1) In contractual/procurement language. We have some "Must have" items and
> now we will have "Must not" items.
> 2) There are at least two technical options for tracking/blocking DOH which
> are being turned into turnkey options to "swat" this covert C&C channel.
> 3) Aggressive Browser Hygiene.
>
> This genie has not signed a BAA or supplier agreement with us and we will not
> allow it to dictate our business processes or affect our liability without
> the DOH enabler shouldering fiscal and legal exposure when DOH is shown to be
> the culprit in exposure of private data. I can't see how DOH is going to
> pass GDPR muster inside the EU either, but that is for others to debate. I
> have told my GDPR-affected counterparts about the privacy risks with DOH
> deployment.

You know you can just turn it off the same way you configure your devices on
your network. I also don't understand the GDPR issue you raise: surely all DNS
services have the same problems. I'm more than happy to show you how to click
the checkbox to turn it off in Firefox. In fact there is a checkbox you need to
click to turn it on, and you can customize it at will. (I literally just
checked.)

> as usual, YMMV.
>
> /William Manning
>
> On Sun, Mar 10, 2019 at 8:26 PM nalini elkins <nalini.elk...@e-dco.com> wrote:
>>
>> > Similarly, putting DNS in user space allows for immediate adoption of
>> > DNSSEC and privacy enhancements, even when the operating system or the
>> > local network does not support them
>>
>> At enterprises (banks, insurance, etc.) on their internal networks, people
>> run their own DNS servers which may resolve for both internal and external
>> sites.
>>
>> We were recently talking to a Fortune 50 company in the United States about
>> what might happen if you install a version of the browser which uses
>> DNS-over-HTTPS automatically. (Clearly, this applies to any variant.)
>>
>> The questions that the Fortune 50 company architect asked were something
>> like this:
>>
>> 1. You mean that DNS could be resolved outside my enterprise?
>>
>> 2. So whoever that is that resolves my DNS sees the pattern and frequency of
>> what sites my company goes to?
>>
>> 3. How do I change this?
>>
>> I look forward to a discussion on this issue. There will be at least one
>> enterprise present in Prague to speak for themselves. I will see if I can
>> get others to participate remotely.
>>
>> It would be good to also discuss how to warn enterprises that this is about
>> to happen. I wonder if an announcement via CERT or another group may be
>> appropriate.
>>
>> Thanks,
>> Nalini
>>
>> On Mon, Mar 11, 2019 at 6:36 AM Christian Huitema <huit...@huitema.net>
>> wrote:
>>>
>>> On 3/10/2019 4:07 PM, Vittorio Bertola wrote:
>>> > Honestly, I understood it differently - at this point in time they are
>>> > doing tests on whether their resolver performs better or worse than
>>> > the system's one, but their announced model is that Firefox will adopt
>>> > a DoH resolver (though it's unclear how it will be chosen) and it will
>>> > just use that one. But if people from Mozilla could make a clearer
>>> > announcement on what their plans currently are, that would be good.
>>> > Still, most of the issues arise whenever an application, for whatever
>>> > reason and under any mechanism, starts to use one or more resolvers
>>> > different than the one set up in the operating system: even if it used
>>> > more than one, you would still get many of the issues listed in the
>>> > document (though, if it used more than one at the same time, I think
>>> > you'd actually also get some new specific issues, so we'd need to add
>>> > a discussion of this possibility).
>>>
>>> Your view of operating systems and applications is firmly rooted in
>>> history, which is another way to say in the past. The evolution in the
>>> past years points to a systematic deconstruction of that relation, with
>>> for example virtual machines, containers, or the trend to move network
>>> stacks out of the operating system and into the application. This is
>>> pretty obvious for security stacks, but it is also becoming very clear
>>> with QUIC and transport stacks. There are two big drivers: portability,
>>> and rapid adoption of innovation. These two drivers apply to DNS just
>>> like they apply to transport.
>>>
>>> Putting QUIC in application space allows for immediate provision of
>>> innovations like 0-RTT, head-of-queue blocking mitigation, or the better
>>> crypto of TLS 1.3. Similarly, putting DNS in user space allows for
>>> immediate adoption of DNSSEC and privacy enhancements, even when the
>>> operating system or the local network does not support them. That genie
>>> is not going back in the bottle any time soon.
>>>
>>> -- Christian Huitema
>>>
>>> _______________________________________________
>>> dns-privacy mailing list
>>> dns-priv...@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>
>> --
>> Thanks,
>> Nalini Elkins
>> President
>> Enterprise Data Center Operators
>> www.e-dco.com
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>

-- 
"Man is born free, but everywhere he is in chains". --Rousseau.
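The per-user checkbox mentioned in the reply has an enterprise-scale counterpart in Firefox's enterprise policy mechanism. The fragment below is an added illustration, not something posted in this thread; it assumes a file named policies.json placed in the distribution directory of the Firefox installation (Windows deployments can carry the same DNSOverHTTPS policy through Group Policy), and shows DoH disabled and locked so that managed browsers keep using the resolver configured on the device and users cannot re-enable it from about:preferences.

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
```

An enterprise that wants the privacy benefits without resolution leaving its network can instead set Enabled to true and add a ProviderURL pointing at its own DoH endpoint, keeping Locked so the provider choice cannot be changed by the user.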