> > > If there is a malicious user or app on a network that someone is trying to
> > > protect, isn't the very existence of these players the actual issue that
> > > needs to be addressed?
I tend to think this is the real issue. Any app can craft its own non-cleartext-DNS name resolution service; DoH makes it a bit easier perhaps, but not much (viz. JSON DNS, etc.). My suspicion is that controlling a network's DNS is less and less likely to be a decent control point for network security w.r.t. the craftier apps. I'm sure the monitoring and interference with things looking up "really-evil.evil" still has some value. But much more sophistication is probably required nowadays to deal with even moderately competent adversaries... I suspect.
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
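As an added illustration of the point above (example code, not part of the post or of the DNSOP thread), here is what an application-embedded resolver amounts to: a few dozen lines that build an RFC 8484 DoH GET request from a hand-encoded wire-format query, or the equivalent JSON-API request, and pick the answers out of a JSON-style response. The resolver endpoints (`doh.example`), the response body and the addresses are constructed placeholders, not captured data; the JSON field layout follows the style of the public JSON DNS APIs rather than a standard.

```python
import base64
import json
import struct
from urllib.parse import urlencode

# Endpoints are assumed placeholders for this example, not taken from the post.
DOH_WIRE_ENDPOINT = "https://doh.example/dns-query"  # RFC 8484, application/dns-message
DOH_JSON_ENDPOINT = "https://doh.example/resolve"    # JSON-style API as offered by several public resolvers

QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}


def build_dns_query(name, qtype=1, txid=0):
    """Encode a minimal RFC 1035 query: header (RD set, one question), QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(name, qtype=1):
    """RFC 8484 GET form: the wire-format query, base64url-encoded with '=' padding
    removed, carried in the 'dns' parameter. ID 0 keeps identical queries cache-friendly."""
    wire = build_dns_query(name, qtype, txid=0)
    b64 = base64.urlsafe_b64encode(wire).decode("ascii").rstrip("=")
    return f"{DOH_WIRE_ENDPOINT}?dns={b64}"


def doh_json_url(name, qtype="A"):
    """JSON-API form: the name travels as a plain query parameter inside the TLS session."""
    return f"{DOH_JSON_ENDPOINT}?{urlencode({'name': name, 'type': qtype})}"


def parse_json_answer(body, qtype="A"):
    """Return the RDATA strings of the wanted record type from a JSON-style response body."""
    doc = json.loads(body)
    if doc.get("Status") != 0:  # 0 == NOERROR; anything else yields no usable answers
        return []
    wanted = QTYPE[qtype]
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == wanted]


# Constructed sample response (not a capture); 203.0.113.0/24 is a documentation range.
SAMPLE_JSON_RESPONSE = json.dumps({
    "Status": 0,
    "Question": [{"name": "www.example.com.", "type": 1}],
    "Answer": [
        {"name": "www.example.com.", "type": 1, "TTL": 300, "data": "203.0.113.10"},
        {"name": "www.example.com.", "type": 5, "TTL": 300, "data": "edge.example.net."},
    ],
})


if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(doh_json_url("www.example.com"))
    print(parse_json_answer(SAMPLE_JSON_RESPONSE))
```

The encoded query for `www.example.com` comes out as the same `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB` string that RFC 8484 uses in its GET example. Either URL is fetched over ordinary HTTPS, so what the network operator sees is a TLS connection to `doh.example` on 443 (plus the SNI), not the queried name: a blocklist enforced on the network's own resolver never gets a look at "really-evil.evil", which is why the post treats network DNS as a weak control point against apps that bring their own resolver.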
