On Wed, 13 Mar 2019 at 16:10, Paul Vixie <[email protected]> wrote:

> On Wednesday, 13 March 2019 19:23:55 UTC Erik Kline wrote:
> > > If there is a malicious user or app on a network that someone is trying to
> > > protect, isn't the very existence of these players the actual issue that
> > > needs to be addressed?
> >
> > I tend to think this is the real issue. Any app can craft its own
> > non-cleartext-DNS name resolution service; DoH makes it a bit easier
> > perhaps, but not much (vis. JSON DNS, etc...).
>
> if you guys would appreciate a half day seminar on network security economics,
> in which the value of anomalousness will figure prominently, let's meet up.

I'd be a fool to turn down such an offer. Thank you.

> > My suspicion is that controlling a network's DNS is less and less likely to
> > be a decent control point for network security w.r.t. to the craftier
> > apps.
>
> your suspicion directly contradicts both my long-term and recent experience.
>
> > I'm sure the monitoring and interference with things looking up
> > "really-evil.evil" still has some value. But much more sophistication is
> > probably required nowadays to deal with even moderately competent
> > adversaries...I suspect.
>
> alas, meeting only the most competent adversaries is not a choice we can make.
>
> vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
