On 11/27/19, 9:55 AM, "dns-privacy on behalf of Neil Cook" <[email protected] on behalf of [email protected]> wrote:

>> If you use DoH/DoT, it is because you don't trust the access network.
> It says nothing about whether you trust the access network.

[JL] I agree with Neil. IMO the use of encrypted DNS is orthogonal to whether or not you trust your access network. For example, in the case of a user being concerned over the privacy of their queries to a public DNS that is a few hops off their ISP/enterprise/EDU/GOV network, there are many networks that may or may not be trusted or even known by the end user. So suggesting that encryption of DNS is solely because of access network issues does not make sense; there are many reasons and many potential threats and risks where encryption may help that have nothing to do with that.

>> Relying on it to
>> indicate a DoH/DoT resolver is pointless.
> You’re conflating the lack of trust in the access network with discovery.
> Yes, if you don’t trust the access network then you may not want to use a
> discovery protocol to indicate the best way to contact the resolver over
> DoT/DoH.

[JL] Today we have nothing but manually crafted whitelists, etc. So anything automated will be better IMO. A discovery mechanism just provides info though; it does not mandate trust or a particular OS or app/client decision. So a browser, in one example, can take the info from DHCP or a similar automated discovery mechanism and take it as a useful bit of data or choose to ignore it, based on app or user decision. It would seem our job is to specify potential discovery mechanisms, each of which will come with pros/cons/risks (and none being perfect) for various use cases, and let the client/app or user decide what to do with that.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
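The point made in the reply above, that a discovered resolver hint is data for the client to weigh rather than an instruction it must follow, can be sketched as a small client-side policy. The code below is an added illustration, not code from this thread, from any IETF draft, or from any DNS client: the `Resolver` record is a constructed stand-in for whatever a DHCP, RA or other discovery mechanism might announce, and the precedence rules (pinned configuration first, then allowlist, then the user's own judgement of the access network, never an unencrypted hint) are assumptions about one reasonable policy, not a standard.

```python
"""Treating a discovered encrypted-resolver hint as advisory data.

Added example (assumed design, not the thread's or any project's code):
the client separates three things that the discussion keeps apart:
  * what the network announced (the hint),
  * what the user/app already trusts (pinned resolver, allowlist),
  * whether the user trusts the access network at all.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import urlparse


class Transport(Enum):
    DO53 = "do53"   # classic unencrypted DNS on port 53
    DOT = "dot"     # DNS over TLS
    DOH = "doh"     # DNS over HTTPS


@dataclass(frozen=True)
class Resolver:
    transport: Transport
    host: str                    # authentication domain name or IP literal
    uri: Optional[str] = None    # DoH URI template, if any (constructed field)


@dataclass(frozen=True)
class ClientPolicy:
    configured: Optional[Resolver]    # operator/user-pinned resolver, if any
    allowlist: frozenset              # resolver hostnames the user/app trusts
    network_trusted: bool             # the user's own judgement of the network
    require_encryption: bool = True   # refuse to fall back to Do53 when True


def _well_formed(r: Resolver) -> bool:
    """Reject hints that could not be used safely even if we wanted to."""
    if not r.host or any(c.isspace() for c in r.host):
        return False
    if r.transport is Transport.DOH:
        # A DoH hint must carry an https URI whose host matches the name
        # we would authenticate; anything else is silently dropped.
        u = urlparse(r.uri or "")
        return u.scheme == "https" and u.hostname == r.host.lower()
    return True


def choose_resolver(discovered: Optional[Resolver],
                    policy: ClientPolicy) -> Tuple[Optional[Resolver], str]:
    """Return (resolver_or_None, reason).

    The hint is never authoritative: a pinned configuration always wins,
    and an unpinned client adopts a hint only when the user/app already
    trusts the named resolver or trusts the network that announced it.
    """
    if policy.configured is not None:
        return policy.configured, "configured resolver pinned; hint ignored"

    if discovered is None:
        reason = "no hint received"
    elif discovered.transport is Transport.DO53:
        reason = "hint offers no encryption; ignored"
    elif not _well_formed(discovered):
        reason = "hint malformed; ignored"
    elif discovered.host.lower() in policy.allowlist:
        return discovered, "hint names an allowlisted resolver"
    elif policy.network_trusted:
        return discovered, "hint accepted because the access network is trusted"
    else:
        reason = "hint from untrusted network and not allowlisted; ignored"

    if policy.require_encryption:
        return None, reason + "; no encrypted resolver available"
    # "network-default" is a placeholder for the Do53 server the stub
    # resolver would otherwise use (constructed value).
    return Resolver(Transport.DO53, "network-default"), reason + "; falling back to Do53"


if __name__ == "__main__":
    hint = Resolver(Transport.DOT, "dot.example.net")          # constructed hint
    untrusted = ClientPolicy(None, frozenset(), network_trusted=False)
    print(choose_resolver(hint, untrusted))
    print(choose_resolver(hint, ClientPolicy(None, frozenset({"dot.example.net"}), False)))
```

The decision and its reason are returned together so a browser or OS stub can surface "why this resolver" to the user, which is the part of the design the thread leaves to the client rather than to the discovery protocol.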
