Re: [DNSOP] NSA says don't use public DNS or DoH servers

2021-02-01 Thread Michael Richardson
On 2021-01-18 4:27 p.m., John Levine wrote:
> They think DoH is swell, but not when it bypasses security controls and leaks info to random outside people

Sage advice. In the OPSAWG where RFC8520 (MUD) currently lives, we are trying to codify advice to IoT manufacturers about these things.

Re: [DNSOP] NSA says don't use public DNS or DoH servers

2021-01-22 Thread Stephane Bortzmeyer
On Mon, Jan 18, 2021 at 04:27:20PM -0500, John Levine wrote a message of 18 lines which said:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people

I will certainly do as the NSA says, since they are experts in privacy-related issues

Re: [DNSOP] NSA says don't use public DNS or DoH servers

2021-01-22 Thread Vladimír Čunát
On 1/22/21 3:10 AM, Tom Pusateri wrote:
> Would it be ok to allow DNSSEC signed responses from any server? If they’re signed and verified, does it matter how you got them?

Another missing part is privacy, i.e. even if you get exactly the same answers, it doesn't imply you get similar (privacy)

Re: [DNSOP] NSA says don't use public DNS or DoH servers

2021-01-21 Thread Paul Vixie
On Thu, Jan 21, 2021 at 09:10:25PM -0500, Tom Pusateri wrote:
>
> > On Jan 21, 2021, at 8:59 PM, Paul Vixie wrote:
> >
> > (new behaviour should require new signalling. let networks who want to
> > permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> > signal this by adding a

Re: [DNSOP] NSA says don't use public DNS or DoH servers

2021-01-21 Thread Tom Pusateri
> On Jan 21, 2021, at 8:59 PM, Paul Vixie wrote:
>
> On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
>> "John Levine" writes:
>>
>>> They think DoH is swell, but not when it bypasses security controls
>>> and leaks info to random outside people
>>
>> At least 15% of network

Re: [DNSOP] NSA says don't use public DNS or DoH servers

2021-01-21 Thread Paul Vixie
On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
> "John Levine" writes:
>
> > They think DoH is swell, but not when it bypasses security controls
> > and leaks info to random outside people
>
> At least 15% of network operators seem to agree.
>
>

Re: [DNSOP] NSA says don't use public DNS or DoH servers

2021-01-21 Thread Wes Hardaker
"John Levine" writes:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people

At least 15% of network operators seem to agree.

https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html

-- 
Wes Hardaker
USC/ISI

[DNSOP] NSA says don't use public DNS or DoH servers

2021-01-18 Thread John Levine
They think DoH is swell, but not when it bypasses security controls and leaks info to random outside people

From the summary:

Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA