> On 19 August 2018 at 19:02 Doug Barton <[email protected]> wrote:
> And Jason, you missed a threat model, which is users who want to bypass their 
> ISP's resolver.

I think that there should be a lot more attention to this "use case" in this 
discussion. It seems to me that the designers of DoH have in their minds a 
romantic picture of the dissident in some authoritarian country trying to 
escape censorship and save her own life, so that being able to bypass the local 
ISP, obviously run by evil government cronies, would be a good thing. 

However, in most of the world, the reality is that the biggest motivation for 
people to try bypassing the ISP's resolver is to access illegal Web content 
that has been filtered out at the DNS level, such as unauthorized gambling 
websites, illegal pornography, "free" football live streams (which are usually 
full of malware), etc. - not to mention bots trying to contact their command 
and control server without incurring RPZ-based filtering.

If I accepted Ted Lemon's point that publishing a proposed standard (like DoH) 
implies active endorsement by the IETF, I would wonder why the IETF is actively 
endorsing a standard that will make this much easier.

> I agree that encrypting from the CMTS to the local resolver isn't that 
> valuable, since (unless I'm missing something) the ISP is the only one 
> that can see that traffic, and they'll be able to log/manipulate the 
> resolver already. So it's unlikely that an ISP would deploy DOH or DOT 
> in the first place, so the idea of a DHCP option to support it isn't 
> necessarily relevant in that environment. That doesn't mean it's not 
> relevant elsewhere.

Well, if I were an ISP, I'd rush to deploy DoH on my consumer resolver so as to 
deprive the browser makers of the excuse "we are redirecting by default your 
DNS traffic to us because we encrypt it and your ISP does not". I agree that 
technically speaking there is not a lot of need for this, but DoH (more 
precisely: the upcoming deployment of DoH in the browsers) is mostly a business 
and marketing issue, not a technical one.

Regards,
-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
[email protected]
Office @ Via Treviso 12, 10144 Torino, Italy

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop