Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

[JASON BOTHE via NANOG <nanog () nanog org>]

The enterprise as well. I’m certain many are blindly unaware as this could have negative impacts beyond traditional 
control. 

J~

> On Mar 11, 2020, at 20:43, Owen DeLong <owen () delong com> wrote:
>
> 
>
> > On Mar 11, 2020, at 18:31 , Rubens Kuhl <rubensk () gmail com> wrote:
> >
> >
> >
> > > On Tue, Mar 10, 2020 at 5:30 PM Owen DeLong <owen () delong com> wrote:
> > > For anyone considering enabling DOH, I seriously recommend reviewing Paul Vixie’s keynote at SCaLE 18x Saturday 
> > > morning.
> > >
> > > https://www.youtube.com/watch?v=artLJOwToVY
> > >
> > > It contains a great deal of food for thought on a variety of forms of giving control over to corporations over 
> > > things you probably don’t really want corporations controlling in your life.
> >
> > Depends on your threat model: ISPs, Big Tech companies, State-level actors, random hacker at the same Wi-Fi network. 
> > The problem with DoH is that software developer picks the threat model he or she thinks is most relevant, and 
> > applies to all use cases. 
> >
> > Solution is to ask user what is the user threat model and apply it. DoH/DoT are not harmful per se, their 
> > indiscriminate usage is. 
> >
> >
> > Rubens
>
> Yes and no…
>
> DOH isn’t inherently bad, but every implementation of DOH that I am aware of involves depriving the user of choice 
> and/or control and also depriving network operators of the ability to enforce the “my network, my rules” concept.
>
> While I realize some may argue that this is desirable in some instances, understand that I’m not talking about the 
> ISP level, but even within the home. Parents should be able to enforce DNS policy on their children, for example. DOH 
> allows the average child to generally bypass any such limitations. Worse, most parents are unlikely to even realize 
> that this is the case.
>
> Owen