From a presentation he's done on DoH (he's done a few):

> 2. DoH creates a new class of exfiltration risks […]
>
> When DNS traffic goes through the HTTPS port, it becomes completely indistinguishable from web traffic, or as Paul said, “paints us all with the same brush.” It is this lack of visibility where the trouble happens. Consider a CISO who wants to use DNS as a strategy to protect their network. Or consider a network team who need to block or sinkhole traffic. With DoH, that’s not possible.
>
> Since DoH changes the security perimeter and controls that were once possible with conventional DNS, this is a potential vulnerability that bad actors can exploit. Paul’s biggest concern is “every botnet from now on is going to be coded to use DoH.” That will cause headaches for everyone in a company’s IT organization.
>
> Most quotable moment: “What we’ve done here is to create a new class of exfiltration risk that we can expect every intruder whether hardware, software or [meetware 00:56:41] is going to be using” – Paul Vixie

* https://bluecatnetworks.com/blog/3-takeaways-from-the-dns-ov...

Vixie has been doing DNS since ~1998, wrote/maintained BIND 8, co-founded ISC (which maintains BIND 9 and DHCPd), and a bunch of other Internet-y stuff such that he's in the Internet Hall of Fame:

* https://www.internethalloffame.org/inductees/paul-vixie

See also "DoH Policy Conference - The Consequences of Encrypting DNS":

* https://www.youtube.com/watch?v=9CKxIHSlfgg

From some BSD conferences:

* https://www.youtube.com/watch?v=ZxTdEEuyxHU
* https://www.youtube.com/watch?v=8SJorQ9Ufm8
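The visibility gap the quoted talk describes can be surfaced, if not closed, from logs a network team already has. The following is an added example (not from the comment, the talk, or BlueCat) that flags two symptoms of DNS bypassing the network's own resolver: a client resolving a well-known public DoH endpoint, and a TLS connection to an IP the resolver never handed that client. The log lines and the `DOH_ENDPOINTS` list are constructed for illustration.

```python
# Added example: a heuristic "resolver visibility gap" check.
# Assumes two simple whitespace-separated logs (constructed here):
#   resolver log: <client> <rtype> <qname> <answer>
#   connection log: <client> <dst_ip> <dst_port>
from collections import defaultdict

RESOLVER_LOG = """\
10.0.0.5 A example.com 93.184.216.34
10.0.0.5 A dns.google 8.8.8.8
10.0.0.7 A example.org 93.184.216.34
"""

CONN_LOG = """\
10.0.0.5 93.184.216.34 443
10.0.0.5 8.8.8.8 443
10.0.0.7 198.51.100.20 443
10.0.0.7 93.184.216.34 443
"""

# Illustrative, not exhaustive: hostnames of public DoH services.
DOH_ENDPOINTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def parse_resolver_log(text):
    """Return (client -> answered IPs, client -> queried names)."""
    ips, names = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        client, rtype, qname, answer = line.split()
        if rtype == "A":
            ips[client].add(answer)
            names[client].add(qname)
    return ips, names


def find_visibility_gaps(resolver_log, conn_log):
    """List (client, indicator, reason) tuples worth a second look."""
    ips, names = parse_resolver_log(resolver_log)
    findings = []
    for client in sorted(names):
        for qname in sorted(names[client] & DOH_ENDPOINTS):
            findings.append((client, qname, "resolved a well-known DoH endpoint"))
    for line in conn_log.splitlines():
        client, dst, port = line.split()
        # Only TLS connections matter here; DoH hides on 443.
        if port == "443" and dst not in ips.get(client, set()):
            findings.append((client, dst, "no resolver answer for this IP"))
    return findings


if __name__ == "__main__":
    for finding in find_visibility_gaps(RESOLVER_LOG, CONN_LOG):
        print(*finding)
```

A connection to a cached answer from before the log window, or a hard-coded IP, trips the second check too, so treat the output as triage input rather than proof of DoH.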