On Fri, Mar 22, 2019 at 11:15 AM Winfield, Alister <Alister.Winfield= 40sky...@dmarc.ietf.org> wrote:
> > Don't overplay the privacy provided by DoH it has no effect on the DNS
> provider

The major effect of the transport security on the privacy practices of the provider is that it allows the client to authenticate the provider. Trust in their privacy practices needs to be established some other way (and the best way we have right now is 'out of band' - hopefully that gets better) - but with DoH you can be confident that you're having a private conversation with the entity you've decided to trust. That's a pretty big distinction from port 53. Without that assurance it's reasonable to be concerned about what names you look up.

This of course applies to local and enterprise configs as well as the cloud configs contemplated by most of this thread. An enterprise DoH server expresses and enforces a policy - if an application needs to use that policy it should be comforted in transport security providing confirmation that it is doing so rather than reading in whatever might be showing up on port 53.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
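As an added illustration (not code from the thread or from any DoH implementation), the Python below shows what the client-side authentication that the reply relies on actually consists of: the query is RFC 8484 wire format carried over HTTPS, and the TLS context refuses any resolver whose certificate does not chain to a trusted CA and match the hostname the client configured. The resolver name is a placeholder taken from RFC 8484's own examples.

```python
import base64
import ssl
import struct
import urllib.request


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query: ID 0 (as RFC 8484 suggests for
    cache-friendliness), RD set, one question of class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the message goes in ?dns= as unpadded base64url."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"


def authenticated_context() -> ssl.SSLContext:
    """TLS settings under which the connection only succeeds if the server
    proves it holds a certificate for the hostname in the resolver URL that
    chains to a CA the client trusts. Plain UDP/53 has no equivalent hook."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def resolve_over_doh(name: str, resolver_url: str, timeout: float = 5.0) -> bytes:
    """Send one query and return the raw DNS response message. Raises
    ssl.SSLCertVerificationError if the resolver cannot be authenticated."""
    req = urllib.request.Request(doh_get_url(resolver_url, build_dns_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout,
                                context=authenticated_context()) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type from resolver: {ctype!r}")
        return resp.read()


if __name__ == "__main__":
    # Placeholder resolver name from RFC 8484's examples; it does not exist,
    # so this call will fail at DNS or TLS rather than return an answer.
    print(resolve_over_doh("www.example.com", "https://dnsserver.example.net/dns-query"))
```

The GET URL produced for `www.example.com` is byte-for-byte the example given in RFC 8484 section 4.1.1.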