On Wednesday, 13 March 2019 19:23:55 UTC Erik Kline wrote:
> > If there is a malicious user or app on a network that someone is trying to
> > protect, isn't the very existence of these players the actual issue that
> > needs to be addressed?
>
> I tend to think this is the real issue. Any app can craft its own
> non-cleartext-DNS name resolution service; DoH makes it a bit easier
> perhaps, but not much (vis. JSON DNS, etc...).
if you guys would appreciate a half-day seminar on network security economics, in which the value of anomalousness will figure prominently, let's meet up.

> My suspicion is that controlling a network's DNS is less and less likely to
> be a decent control point for network security w.r.t. the craftier
> apps.

your suspicion directly contradicts both my long-term and recent experience.

> I'm sure the monitoring and interference with things looking up
> "really-evil.evil" still has some value. But much more sophistication is
> probably required nowadays to deal with even moderately competent
> adversaries...I suspect.

alas, meeting only the most competent adversaries is not a choice we can make.

vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
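The "control point" argument in the exchange above rests on one observable: a host that connects to an outside address its network's resolver never handed it has either hard-coded that address or resolved the name some other way (an app-embedded DoH client, DoT to an outside resolver, plain DNS to a foreign server). The following is an added example, not code from the list, from Vixie or from Kline, of that anomaly check run over a resolver answer log and a flow log. The resolver address, the internal range, the freshness window and both logs are assumptions constructed for the demo.

```python
"""Added example: flag hosts that resolve names somewhere other than the
network's own resolver, by correlating resolver answers with outbound flows.
Everything below (addresses, window, logs) is constructed for the demo."""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

RESOLVER_IP = "10.0.0.53"               # the network's sanctioned resolver (assumed)
INTERNAL = [ip_network("10.0.0.0/8")]   # address space never expected in resolver answers (assumed)
ANSWER_WINDOW = 3600                    # seconds an answer stays "fresh" for a client (assumed)

# Constructed resolver answer log: ts client qname answer_ip
RESOLVER_LOG = """\
1552505000 10.0.0.5 www.example.net 192.0.2.10
1552505010 10.0.0.5 cdn.example.net 192.0.2.20
1552505020 10.0.0.7 mail.example.org 198.51.100.5
"""

# Constructed flow log: ts src dst dport proto
FLOW_LOG = """\
1552505005 10.0.0.5 192.0.2.10 443 tcp
1552505030 10.0.0.5 203.0.113.77 443 tcp
1552505040 10.0.0.7 198.51.100.5 443 tcp
1552505050 10.0.0.7 203.0.113.9 853 tcp
1552505060 10.0.0.5 10.0.0.53 53 udp
1552505070 10.0.0.5 203.0.113.53 53 udp
1552505080 10.0.0.9 192.0.2.10 443 tcp
1552505100 10.0.0.7 192.0.2.20 443 tcp
"""

Flow = namedtuple("Flow", "ts src dst dport proto")
Finding = namedtuple("Finding", "ts src dst dport reason")


def parse_resolver_log(text):
    """Map (client, answer_ip) -> sorted list of timestamps at which the
    network resolver handed that address to that client."""
    answers = defaultdict(list)
    for line in text.splitlines():
        ts, client, _qname, ip = line.split()
        answers[(client, ip)].append(int(ts))
    for stamps in answers.values():
        stamps.sort()
    return answers


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto))
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def recently_resolved(answers, client, ip, now, window=ANSWER_WINDOW):
    """True if the resolver gave `ip` to `client` within `window` seconds before `now`.
    Answers are per client: another host's lookup does not vouch for this one."""
    return any(now - window <= ts <= now for ts in answers.get((client, ip), ()))


def find_anomalies(answers, flows, resolver_ip=RESOLVER_IP, window=ANSWER_WINDOW):
    findings = []
    for f in flows:
        if f.dst == resolver_ip:
            continue                                  # talking to our resolver is the norm
        if f.dport == 53:
            findings.append(Finding(*f[:4], "dns-to-foreign-resolver"))
        elif f.dport == 853:
            findings.append(Finding(*f[:4], "dot-to-foreign-resolver"))
        elif not is_internal(f.dst) and not recently_resolved(answers, f.src, f.dst, f.ts, window):
            # Outside address the resolver never handed this host: a hard-coded IP,
            # or a name resolved out of band (DoH, JSON DNS, an app's own scheme).
            findings.append(Finding(*f[:4], "destination-never-resolved"))
    return findings


def demo():
    return find_anomalies(parse_resolver_log(RESOLVER_LOG), parse_flows(FLOW_LOG))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two things a practitioner hits immediately when deploying this: it needs per-client answer logging on the resolver (dnstap or query/response logging), and a DoH client whose endpoint was itself resolved through the network resolver does not show up as a flow to the DoH server but as a run of later "destination-never-resolved" connections, which is the anomaly Vixie is pointing at. Hosts in the flow log that never appear in the resolver log (10.0.0.9 above) are flagged on their first outside connection, which is intended.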