On Nov 22, 2018, at 2:03 AM, Vittorio Bertola <[email protected]> wrote:

>> On 21 November 2018 at 21:17 Christian Huitema <[email protected]> wrote:
>>
>> You make it sound like some aggressive attack, but it is a trade-off.
>> The IETF is working to enhance the privacy of DNS users,
>
> I'd argue the opposite - what the IETF is doing is, overall, reducing
> the privacy of DNS users, by trading some more privacy in transport with much
> less privacy due to more centralization of DNS resolution operations on a
> global scale, and to an uncontrollable mess of applications each one starting
> to send DNS queries to whatever server they like without the user having any
> practical control mechanism, or even knowing what's happening.

DoH did not suddenly allow browser vendors to do something new: they've been
able to do exactly what DoH is standardizing for more than 20 years. Saying
that the IETF is reducing the privacy is completely incorrect. What the DoH
standard did is make it so that browser vendors (and, to a much smaller extent,
web applications) could reach a larger variety of DNS servers in a standardized
way. If you want to prevent over-centralization of queries going to a small
number of large resolvers, you should be making it easier for resolver operators
of all sizes to become DoH servers. It looks like your company is doing exactly
that: thank you!

>> and the
>> authenticity of DNS responses. Doing so inevitably affects the
>> operations that relied on the lack of privacy or lack of security of DNS
>> operations.
>
> Well, no. Except for a few cases (e.g. transparent DNS proxying), DNS-based
> security techniques do not rely on the "lack of privacy of DNS operations",
> and the proof is that they would continue working perfectly well with DoT or
> DoH, as long as the user continued to use the resolver on the local network.

Saying that transparent DNS proxying (firewall capture and re-writing) is "a
few cases" belies what people in the firewall industry have known for years:
DNS rewriting (also known as "DNS lies") is an extremely popular feature in
firewalls of all sizes.

> Instead, DNS-based security techniques rely on the assumption that there will
> be only one name server for all the applications on the user's device, and
> that that server will be, at least by default, the one advertised by the
> local network.

If we had universal deployment of organizational VPNs, that could be true.
Even after 20 years, we are sadly far from there.

> This is the assumption that the IETF is disrupting, and that breaks a lot of
> stuff that has full rights to exist and has nothing to do with invading the
> user's privacy.

Please stop with the "IETF is disrupting" stuff. No one forces anyone to use
DoT or DoH. Both were features that the user communities asked for, and the
user communities will ask for changes when they get deployed.

>> Also, if you analyze the enterprise scenarios, you observe a need for
>> both management and privacy. Enterprise managers would rather not see
>> employees perusing frivolous web pages during work time, but they also
>> don't want outside parties to analyze their web activities. Leaking DNS
>> usage patterns to third parties can reveal work in progress, internal
>> research, etc.
>
> Which is exactly what happens if the enterprise's users start being
> automatically connected to a DNS resolution service outside the local network
> and managed by a third party, which is what DoH is doing.

If a browser's use of DoH breaks its users' resolution of organizational names,
it will get fixed or turned off. (I'm betting on the latter, but others have
more faith in the browser vendors fixing than I do.)

--Paul Hoffman
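As an added illustration of the "standardized way" discussed in the message above (example code written for this page, not part of the original thread or of any IETF document): the block below builds an RFC 8484 DoH GET request from a DNS question and parses a wire-format answer, using only the Python standard library. The resolver URL is a placeholder, the answer message is constructed inline (192.0.2.1 is an RFC 5737 documentation address), and nothing is sent over the network. The DNS message itself is unchanged from RFC 1035; only the transport differs, which is why a middlebox that captures and rewrites port 53 (the "DNS lies" case mentioned above) never sees a query carried this way unless it also intercepts the TLS session or blocks the resolver.

```python
"""DNS-over-HTTPS (RFC 8484) GET request construction and wire-format
answer parsing. Added example; the resolver URL below is a placeholder."""
import base64
import struct

DOH_URL = "https://doh.example.net/dns-query"  # placeholder (assumption)


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard query, RD set, one question, IN class.
    ID is 0 as RFC 8484 section 4.1 recommends so identical queries yield
    identical URLs and can be cached by HTTP intermediaries."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, qtype: int = 1, base_url: str = DOH_URL) -> str:
    """RFC 8484 section 4.1: the DNS message goes in the 'dns' query
    parameter as base64url with the '=' padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{base_url}?dns={dns.decode('ascii')}"


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after the name
    as it appears at 'off', i.e. 2 bytes past the first pointer if any)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0xF, "questions": questions, "answers": answers}


def sample_response() -> bytes:
    """Constructed answer to build_query("example.com"), not a captured packet:
    QR|RD|RA, NOERROR, one A record with TTL 300 pointing at 192.0.2.1."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_response(sample_response()))
```

A real client would send the URL above with `Accept: application/dns-message` (or POST the raw message with that content type) and feed the response body to `parse_response`; the only thing a port-53 rewriting firewall has to work with is that the client opened a TLS connection to the resolver's hostname.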
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
