DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users
Owen DeLong
owen at delong.com
Thu Mar 12 01:42:43 UTC 2020
> On Mar 11, 2020, at 18:31 , Rubens Kuhl <rubensk at gmail.com> wrote:
>
>
>
> On Tue, Mar 10, 2020 at 5:30 PM Owen DeLong <owen at delong.com <mailto:owen at delong.com>> wrote:
> For anyone considering enabling DOH, I seriously recommend reviewing Paul Vixie’s keynote at SCaLE 18x Saturday morning.
>
> https://www.youtube.com/watch?v=artLJOwToVY <https://www.youtube.com/watch?v=artLJOwToVY>
>
> It contains a great deal of food for thought on a variety of forms of giving control over to corporations over things you probably don’t really want corporations controlling in your life.
>
>
> Depends on your threat model: ISPs, Big Tech companies, State-level actors, random hacker at the same Wi-Fi network. The problem with DoH is that software developer picks the threat model he or she thinks is most relevant, and applies to all use cases.
>
> Solution is to ask user what is the user threat model and apply it. DoH/DoT are not harmful per se, their indiscriminate usage is.
>
>
> Rubens
>
Yes and no…
DOH isn’t inherently bad, but every implementation of DOH that I am aware of involves depriving the user of choice and/or control and also depriving network operators of the ability to enforce the “my network, my rules” concept.
While I realize some may argue that this is desirable in some instances, understand that I’m not talking about the ISP level, but even within the home. Parents should be able to enforce DNS policy on their children, for example. DOH allows the average child to generally bypass any such limitations. Worse, most parents are unlikely to even realize that this is the case.
Owen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200311/314d28e0/attachment.html>
More information about the NANOG
mailing list