Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On 2020-07-06 06:37:54, Matt Harris via mailop wrote:

> If said fascist regime has decided to muddle their DNS
> infrastructure by serving bogus authoritative responses for some set
> of domains they don't like, why would anyone think they wouldn't
> just set up "use-application-dns.net" to force end-users to
> continue to use their DNS servers which implement that blocking,
> too?

On this episode of What Could Possibly Go Wrong: we use a centralized, government-controlled database of who's good and bad to fight fascism. Guess who's hanging out in your browser's root CA store?

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On 2020-07-06 06:39, Jaroslaw Rafa via mailop wrote:
> On 5.07.2020 at 14:13:03 Chris via mailop writes:
>>>> Not to mention DNS over HTTPS breaks or renders ineffective most types of
>>>> content filtering.
>>>
>>> That's a secondary concern perhaps. I'm betting 99% of users don't have
>>> content filtering and don't want it.
>>
>> Corporates need it. Not all users are retail.
>
> But is content filtering - especially in corporations - really based on DNS?

Yes, really. In a previous life I worked for Nortel in network security. You may have heard of it. We used it internally and were spinning up products (I was involved in functional specification writing) around it over a decade ago.

Proofpoint and Microsoft, for example, have major anti-malware products based around it, and you'd be surprised at "big 5" level entities who are using them internally.

Then of course there's RPZ.
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy, Holidays Everyone!)
On 7/6/20 4:00 AM, Jaroslaw Rafa wrote:
> But is content filtering - especially in corporations - really based on DNS?

Yes. There's a big company, Cisco (you may have heard of them) which bought OpenDNS and which is aggressively pushing their DNS-based filtering service (called Umbrella) as part of a 360-degree security portfolio. People are buying it left and right. And for people who like the idea but who don't like Cisco (or don't want to pay for it), Quad9 is ready to offer the same service.

RFC purists can argue all they want about how DNS filtering is bad, erodes trust, breaks DNSSEC, etc., but no one cares.

So, yeah, content filtering is based on whatever we can get our hands on because we are being overwhelmed by the bad guys. No matter what technical or political or philosophical barriers people are putting in place, IT managers in enterprises are stressed to the max and will accept these types of solutions to help reduce their security risk.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
j...@opus1.com
http://www.opus1.com/jms
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On Mon, Jul 6, 2020 at 3:48 AM Vittorio Bertola via mailop <mailop@mailop.org> wrote:

> The bad idea is taking an extremely marginal use case ("there is a
> dissident in a third world country whose government is blocking access to
> Wikipedia via DNS and we want to circumvent that block") and using it as an
> excuse to break by default almost any DNS-based monitoring, debugging,
> security and access control mechanism for any local network anywhere, also
> making sure that the four browser makers that control >90% of the world's
> browsers get to choose who is allowed to provide DNS resolution to their
> users (including doing it themselves or requiring DNS providers to strike
> business deals with them before allowing them into their list).

If said fascist regime has decided to muddle their DNS infrastructure by serving bogus authoritative responses for some set of domains they don't like, why would anyone think they wouldn't just set up "use-application-dns.net" to force end-users to continue to use their DNS servers which implement that blocking, too?

I don't see how this case makes any sense whatsoever. Dissidents in fascist regions need to be using something like Tor; there's no logical argument here that pushing DoH as a default setting will help them in any meaningful way. Indeed, if they are found to be accessing the IP addresses associated with sites the regime does not like despite the DNS blocks, they may even end up getting into serious trouble, since DoH does nothing whatsoever to obscure or proxy the traffic being sent to those addresses, and there's no reason the regime could not monitor TCP connections at their international edge as well and keep a running list of those addresses.

If that's the argument for DoH being a default setting, then it's not only a bad argument, it's a patently dangerous one. If they are advertising this to people living under oppressive governance as a means by which to circumvent local policies regarding prohibited internet content, then that's downright irresponsible.

Matt Harris | Infrastructure Lead Engineer
816-256-5446 | Direct
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
Hello Jaroslaw,

On 06.07.20 12:39, Jaroslaw Rafa via mailop wrote:
> But is content filtering - especially in corporations - really based on DNS?

Yes. That's why systems like https://pi-hole.net/ exist, even for home users.

In Germany ISPs were even forced by lawmakers to block specific DNS hostnames from resolving some years ago, because they thought it was an option to block access to unlawful websites.

Regards,
Thomas Walter

--
Thomas Walter
Datenverarbeitungszentrale
FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster
Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On 5.07.2020 at 14:13:03 Chris via mailop writes:
>>> Not to mention DNS over HTTPS breaks or renders ineffective most
>>> types of content filtering.
>>
>> That's a secondary concern perhaps. I'm betting 99% of users don't
>> have content filtering and don't want it.
>
> Corporates need it. Not all users are retail.

But is content filtering - especially in corporations - really based on DNS?

In my previous job, I worked a bit with UTMs and other content filtering devices. None of them was based on DNS. They used URIBLs, signatures (similar to antivirus applications), and some Bayesian or other heuristics to block content.

Yes, there was that primitive and old method of content filtering, by putting domain names of unwanted hosts into the /etc/hosts file (or equivalent in Windows) pointing e.g. to 127.0.0.1. It was quite popular some years ago, but I thought nobody was using this anymore now...

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
> On 06/07/2020 09:41 Andrew C Aitchison via mailop wrote:
>
> I have mixed feelings about Mozilla defaulting the world (or the USA) to DoH
> (technically I don't like it, but I sympathize with the philosophical
> idea) but that doesn't explain why DoH itself is a bad idea.

DoH is not a bad idea in itself (though, well, it is not very significant progress for the people that use a resolver from their local network or ISP, which are the broad majority, as attacks on DNS traffic on the local loop are not common at all).

The bad idea is taking an extremely marginal use case ("there is a dissident in a third world country whose government is blocking access to Wikipedia via DNS and we want to circumvent that block") and using it as an excuse to break by default almost any DNS-based monitoring, debugging, security and access control mechanism for any local network anywhere, also making sure that the four browser makers that control >90% of the world's browsers get to choose who is allowed to provide DNS resolution to their users (including doing it themselves or requiring DNS providers to strike business deals with them before allowing them into their list).

--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On Sun, 5 Jul 2020, Chris Lewis via mailop wrote:
> On 2020-07-05 15:19, Jay R. Ashworth via mailop wrote:
>> An argument I could tolerate -- corporate IT types can be expected to
>> diagnose smartly enough to deal with it... though it will still make
>> things more difficult for them.
>
> Impossible for them, short of blocking HTTPS for everything.

I was going to suggest that the canary domain "use-application-dns.net"
https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
means that corporate IT can disable DoH without blocking all HTTPS, but I see that "this only applies to users who have DoH enabled as the default option. It does not apply for users who have made the choice to turn on DoH by themselves."

Jay R. Ashworth also wrote:
> Everything on a machine should use the same OS provided facility for
> looking up DNS.

I see no reason why the OS couldn't use DoH. Ubuntu dynamically rewrites resolv.conf every time I re-plug my ethernet cable, so adding DoH to the mix isn't going to add much complexity. https://github.com/fanf2/doh101 includes a simple script to make requests over DoH, so you aren't limited to browsers.

> Additionally, near as I can tell, the aptly named D'oH is solving a problem
> that *users* don't have. But that's a separate issue.

My impression is that the ordinary user either doesn't have, or doesn't think that they have, problems that DoH addresses, but that there is a small group of users who have reason to distrust the default DNS provider and should be allowed to choose their own. I use DoH with Firefox for Android as it is the easiest way to override my ISP's net nanny DNS (which I want for my small son).

I have mixed feelings about Mozilla defaulting the world (or the USA) to DoH (technically I don't like it, but I sympathize with the philosophical idea) but that doesn't explain why DoH itself is a bad idea.

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
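The canary mechanism Andrew refers to, worked through as an added example (not code from this thread, from Mozilla or from doh101): it builds the wire-format query a client would send for use-application-dns.net, encodes it as an RFC 8484 GET URL, decodes it again on the resolver side, and applies the disable decision to constructed replies. The resolver URL is a placeholder, and the rule "NXDOMAIN, or NOERROR with no answer records, means DoH stays off" is an assumption taken from Mozilla's published description of the canary.

```python
import base64
import struct

CANARY = "use-application-dns.net"  # canary name from the Mozilla KB article
NXDOMAIN = 3


def build_query(name, qtype=1, txid=0):
    """DNS wire-format query (RFC 1035): header, QNAME, QTYPE, QCLASS=IN.
    Transaction id 0 as RFC 8484 suggests, so DoH GET requests stay cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: ?dns=<base64url of the wire query, '=' padding removed>."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + b64


def query_from_doh_url(url):
    """Resolver side: recover the wire query from ?dns= (restore base64 padding first)."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def qname(msg):
    """Read the uncompressed question name that starts right after the 12-byte header."""
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def make_response(query, rcode, a_records=()):
    """Constructed sample reply for offline testing: echoes the question section and
    appends A records whose owner name is a compression pointer (0xC00C) to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)  # QR, RD, RA
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in a_records)
    return header + query[12:] + answers


def canary_disables_doh(response):
    """The decision the canary check makes (assumed from Mozilla's description):
    NXDOMAIN, or NOERROR with no answer records, means the network asked for DoH off."""
    flags, ancount = struct.unpack("!HxxH", response[2:8])
    if not flags & 0x8000:
        raise ValueError("not a DNS response: QR bit is clear")
    rcode = flags & 0xF
    return rcode == NXDOMAIN or (rcode == 0 and ancount == 0)
```

Pointing the same functions at a real resolver (an HTTP GET of the URL with `Accept: application/dns-message`) shows whether a network's canary configuration actually produces a "disable" answer, which is the check an IT team would want before relying on it.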
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
- Original Message -
> From: "Chris via mailop"
> On 2020-07-05 15:19, Jay R. Ashworth via mailop wrote:
>
>> An argument I could tolerate -- corporate IT types can be expected to
>> diagnose smartly enough to deal with it... though it will still make
>> things more difficult for them.
>
> Impossible for them, short of blocking HTTPS for everything.

It's possible you might have misunderstood my concern.

If I'm an IT type, and I'm trying to diagnose why *you* can't get to a website, all my other tools -- which were built atop the system DNS resolver -- are likely going to give me false negatives... as the telco guys used to say, "the trouble's leaving here fine!"

I can't *tell* why your problem is happening, because I don't have diagnostic tools built atop D'oH *and* configured for what invisible server your browser is using to do lookups -- which might be different from browser to browser.

In short, this multiplies the complexity of diagnosing an everyday problem... and the complexity of my monitoring system actually *monitoring* anything... by between .5 and 2 orders of magnitude.

That's an added workload for which my permission was neither sought nor granted, nor has my budget or staffing been increased.

It is merely the latest (the adoption of systemd by substantially *all* the Linux distros being one of the earliest) example of small decisions with Big Impacts being taken in a fashion which seems to me not-at-ALL engineering driven... which is the way both Linux and the Internet *used* to run... which is how they got here.

I really actually don't get it.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On 2020-07-05 15:19, Jay R. Ashworth via mailop wrote:
> An argument I could tolerate -- corporate IT types can be expected to
> diagnose smartly enough to deal with it... though it will still make
> things more difficult for them.

Impossible for them, short of blocking HTTPS for everything.
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
- Original Message -
> From: "Andy Ringsmuth via mailop"
>> On Jul 5, 2020, at 6:00 AM, Adam Moffett via mailop wrote:
>>> Not to mention DNS over HTTPS breaks or renders ineffective most types of
>>> content filtering.
>>
>> That's a secondary concern perhaps. I'm betting 99% of users don't have
>> content filtering and don't want it.
>
> As a parent, I ABSOLUTELY want content filtering. And as a sysadmin for
> $DAYJOB I want it as well.

Sure. And no one wants you not to have it.

But that's a strawman, a couple clicks to the left of the argument "should browsers unilaterally deploy a replacement for DNS", for which the engineering answer remains "hell, no".

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
- Original Message -
> From: "Chris via mailop"
> On 2020-07-05 07:00, Adam Moffett via mailop wrote:
>>> Not to mention DNS over HTTPS breaks or renders ineffective most types
>>> of content filtering.
>
>> That's a secondary concern perhaps. I'm betting 99% of users don't have
>> content filtering and don't want it.
>
> Corporates need it. Not all users are retail.

An argument I could tolerate -- corporate IT types can be expected to diagnose smartly enough to deal with it... though it will still make things more difficult for them.

But this argument does *not* justify Mozilla offering it to me -- as a default choice no less -- on new fresh installs. As they are.

Cheers,
- jra

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
> On Jul 5, 2020, at 6:00 AM, Adam Moffett via mailop wrote:
>
>> Not to mention DNS over HTTPS breaks or renders ineffective most types of
>> content filtering.
>>
>> -Andy
>
> That's a secondary concern perhaps. I'm betting 99% of users don't have
> content filtering and don't want it.

As a parent, I ABSOLUTELY want content filtering. And as a sysadmin for $DAYJOB I want it as well.

-Andy
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On 2020-07-05 07:00, Adam Moffett via mailop wrote:
>> Not to mention DNS over HTTPS breaks or renders ineffective most types of
>> content filtering.
>
> That's a secondary concern perhaps. I'm betting 99% of users don't have
> content filtering and don't want it.

Corporates need it. Not all users are retail.
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
In article you write:
>> Not to mention DNS over HTTPS breaks or renders ineffective most types of
>> content filtering.
>
> That's a secondary concern perhaps. I'm betting 99% of users don't have
> content filtering and don't want it.

When the content being filtered is phish and malware, you bet they do.

On my network, I filter a lot of ad providers. My users don't seem to miss them. Doing it at the DNS level seems to avoid a lot of those "turn off your ad blocker" popups.

R's,
John
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
> Not to mention DNS over HTTPS breaks or renders ineffective most types of
> content filtering.
>
> -Andy

That's a secondary concern perhaps. I'm betting 99% of users don't have content filtering and don't want it.
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
> On Jul 4, 2020, at 2:52 PM, Jay R. Ashworth via mailop wrote:
>
> - Original Message -
>> From: "Andrew C Aitchison via mailop"
>> On Tue, 30 Jun 2020, Michael Peddemors via mailop wrote:
>>
>>> * Stop promoting DNS over HTTPS as a good thing.. ;)
>>
>> Care to elaborate ?
>
> Sure. At its most fundamental level, giving web browsers a different way to
> do DNS lookups overcomplicates debugging of problems by at least a couple
> orders of magnitude, even before you multiply it by "trying to get a straight
> answer out of the end user".
>
> Everything on a machine should use the same OS provided facility for looking
> up DNS.
>
> Additionally, near as I can tell, the aptly named D'oH is solving a problem
> that *users* don't have. But that's a separate issue.

Not to mention DNS over HTTPS breaks or renders ineffective most types of content filtering.

-Andy
[mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
- Original Message -
> From: "Andrew C Aitchison via mailop"
> On Tue, 30 Jun 2020, Michael Peddemors via mailop wrote:
>
>> * Stop promoting DNS over HTTPS as a good thing.. ;)
>
> Care to elaborate ?

Sure. At its most fundamental level, giving web browsers a different way to do DNS lookups overcomplicates debugging of problems by at least a couple orders of magnitude, even before you multiply it by "trying to get a straight answer out of the end user".

Everything on a machine should use the same OS provided facility for looking up DNS.

Additionally, near as I can tell, the aptly named D'oH is solving a problem that *users* don't have. But that's a separate issue.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274