On Thu, Apr 9, 2020 at 6:36 AM Sara Dickinson <[email protected]> wrote:
> On 9 Apr 2020, at 14:24, Eric Rescorla <[email protected]> wrote:
>
> <snip>
>
> > > > How about making the last sentence a little more specific instead:
> > > >
> > > > If not, then (depending on the application and transport used for DNS
> > > > queries) users should take note that they may not be able to inspect the
> > > > DNS queries generated by such applications, or manage them to set
> > > > consistent application-level controls across the device for e.g. domain
> > > > based query re-direction or filtering.”
> > >
> > > If the feeling is that it is really needed then I would suggest text that
> > > is consistent with that used in section 3.5.2.1, for example:
> > >
> > > “In addition, if a client device is compromised by a malicious
> > > application, the attacker can use application-specific DNS resolvers,
> > > transport and settings of its own choosing.”
> >
> > Sort of. This seems like it still buries the lede.
> >
> > "Note that if a client device is compromised by a malicious application,
> > the attacker can use application-specific DNS resolvers, transport and
> > settings of its own choosing and thus will not be affected by these
> > controls.”
>
> By 'these controls' do you mean any controls that the malicious
> application appears to offer to the user? If so, then does this capture
> your point:
>
> "Note that if a client device is compromised by a malicious application,
> the attacker can use application-specific DNS resolvers, transport and
> settings of its own choosing regardless of what DNS configuration the
> malicious application may appear to offer the user (if any).”

No. My point is that the platform level DNS controls that you are trying to
use don't work in this case.

-Ekr

> Sara.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
