On Dec 16, 2019, at 3:55 AM, Vladimír Čunát <[email protected]> wrote:

> On 12/16/19 12:22 PM, Vittorio Bertola wrote:
>> Incidentally, though it is much easier said than done, I think that being
>> able to apply different trust models to different types of networks, so that
>> the OS/application behaves differently when you connect to a random wi-fi in
>> a cafe than when you connect to the usual network in your home, would really
>> help in finding possible middle grounds in terms of deployment models.
>
> Trust model: I could imagine each client having a pre-configured *list*
> of TLS-certificate names trusted for the purpose of encrypted DNS. You
> might add your ISP's in there or you might not.
>
> Then address+port+protocol from DHCP (or any insecure magic) seems fine
> to me - it only matters whether it "matches" an item on the list...
> otherwise there would be a fallback to a public service. For example, some
> items of the list would also have a configured IP, or perhaps even
> bootstrapping with the untrusted DNS could be done.
Exactly that, yes. Said another way: the network could send you to a malicious DoH/DoT server via the network's DHCP advertisement, or the network could send your queries to a malicious host (by routing the packets towards the malicious host). Both attacks are solved the same way: by validating the certificate presented in the TLS handshake.

Throwing out DHCP and RA advertisements of DNS won't get us to a happy place; it will get us to vendors building TLS ALPN routing and port routing and lots of other stuff, in order to deliver split-horizon DNS and .local resolution and DNS filtering and avoiding round-trips to corporate HQ's DNS server.

> Of course, here I'm not trying to address what exactly is the client (I
> personally prefer OS level) and how exactly the choice is exposed to the
> human users (a hard question).

Yes, there are difficult questions and answers there. But when I visit a branch office of my company, I would like to use the local DNS belonging to my company (split horizon DNS, thanks) rather than suffering the round-trip to corporate HQ.

-d

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
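The selection policy the two messages above converge on (a client-side list of trusted certificate names, an untrusted DHCP hint that is used only when it matches an entry, a public fallback otherwise, and certificate validation against the list's name rather than the network's claim) can be written down concretely. The following is an added example, not code from either poster or from any resolver project; the `TrustedResolver`/`Advertisement`/`Selection` types, the `choose_resolver` and `open_dot_connection` functions, and every hostname and address in it are constructed for illustration.

```python
"""Client-side encrypted-DNS resolver selection (constructed example).

The client keeps a pre-configured list of TLS certificate names it trusts for
encrypted DNS.  The network may advertise an encrypted resolver over DHCP
(address, port, protocol and, maybe, a name); that advertisement is untrusted.
The advertised endpoint is used only when it matches a list entry, and the TLS
handshake then verifies the server certificate against the *list's* name.  A
rogue advertisement, or packets rerouted to a rogue host, therefore fails
certificate validation instead of silently receiving the client's queries.
"""

import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class TrustedResolver:
    name: str                   # certificate name the client trusts for encrypted DNS
    ip: Optional[str] = None    # optional pinned address ("some items would also have a configured IP")
    port: int = 853
    protocol: str = "dot"


@dataclass(frozen=True)
class Advertisement:
    ip: str                     # address learned from DHCP / RA: untrusted
    port: int = 853
    protocol: str = "dot"
    name: Optional[str] = None  # the network may or may not claim a name


@dataclass(frozen=True)
class Selection:
    ip: str
    port: int
    protocol: str
    expected_name: str          # name the TLS layer must verify; always taken from the trust list
    source: str                 # "network" or "fallback"


# Constructed public fallback; a real client would ship one or let the user pick one.
PUBLIC_FALLBACK = TrustedResolver(name="dns.public.example", ip="198.51.100.53")


def choose_resolver(adv: Optional[Advertisement],
                    trust_list: Iterable[TrustedResolver],
                    fallback: TrustedResolver = PUBLIC_FALLBACK) -> Selection:
    """Pick an encrypted resolver: the network hint if it matches the trust list, else the fallback."""
    if adv is not None:
        for entry in trust_list:
            if entry.protocol != adv.protocol:
                continue
            # Case 1: the network names a resolver we already trust.  Use the advertised
            # address (it may be a local split-horizon instance) but verify the trusted name.
            name_match = adv.name is not None and adv.name.lower() == entry.name.lower()
            # Case 2: the network advertises an address we have pinned for a trusted name.
            ip_match = entry.ip is not None and entry.ip == adv.ip
            if name_match or ip_match:
                return Selection(adv.ip, adv.port, adv.protocol, entry.name, "network")
    # No match: the untrusted hint is ignored and queries go to the configured public service.
    return Selection(fallback.ip, fallback.port, fallback.protocol, fallback.name, "fallback")


def tls_context_for_dns() -> ssl.SSLContext:
    """Context that requires a chain to a trusted CA and a hostname match (the two checks
    that defeat both the rogue-advertisement and the rerouted-packets case)."""
    ctx = ssl.create_default_context()       # system CA store, modern protocol defaults
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def open_dot_connection(sel: Selection, timeout: float = 3.0) -> ssl.SSLSocket:
    """Connect to the selected DoT endpoint.  The certificate is verified for
    sel.expected_name, never for whatever name the network claimed; a mismatch
    raises ssl.SSLCertVerificationError and no query is sent."""
    ctx = tls_context_for_dns()
    raw = socket.create_connection((sel.ip, sel.port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=sel.expected_name)


if __name__ == "__main__":
    trust = [TrustedResolver(name="dns.isp.example"),
             TrustedResolver(name="resolver.corp.example", ip="192.0.2.53")]
    for adv in (Advertisement(ip="192.0.2.53"),
                Advertisement(ip="203.0.113.9", name="dns.isp.example"),
                Advertisement(ip="203.0.113.9", name="evil.example"),
                None):
        print(adv, "->", choose_resolver(adv, trust))
```

Note that a trusted name can be matched even when the advertised address is unfamiliar: that is deliberate, because the branch-office case in the reply wants the local split-horizon instance, and the handshake against the trusted name is what decides whether that address is legitimate. The fallback path keeps the client working, but the user-facing question of how to expose that choice, as Vladimír says, is not addressed here.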
