David Conrad wrote on 2019-02-12 10:14:
> Paul,
>
> On Feb 12, 2019, at 8:32 AM, Paul Vixie <p...@redbarn.org> wrote:
>> DoH is _dangerous_ because it's my network and i require all visitors,
>> family members, employees, and apps to use the control plane i have
>> constructed, which includes DNS surveillance and control.
>
> Why don’t you force folks on your network to install a certificate that
> would allow you to inspect TCP/443 outbound traffic? How can you be
> sure folks on your network aren’t already tunneling their evil deeds
> through HTTPS?

netflow. such traffic _looks_ abnormal.
the deliberate design premise of DoH is that it look normal.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop