Paul Vixie and Peter Lowe on Why DoH is Politically Motivated

DNSFilter and Farsight Security (now acquired by DomainTools) teamed up on November 9th to discuss DNS encryption, with a special emphasis on DNS-over-HTTPS, or DoH. Below is a full transcript of the webinar. In this webinar, Paul Vixie and Peter Lowe tackle the political motivations behind DoH and why it's the most popular encryption method at the moment—and why other methods may be more favorable.

If you prefer to watch the full webinar, you can fill out the form to watch it here.

‍

Mike Sutton: We are about to get started in just a minute or so here. Give people a chance to come into the room, get set up. We do have the chat and the Q&A open, so feel free to start making your comments right away, and just say hi that you're checking in. We're expecting pretty good turnout for the webinar today. We've got an exciting topic with some big names in the industry. Looking forward to delivering some good content here today. Like I said, we'll get started in just a minute. And so you all have an opportunity to get into the room and get settled a little bit, arrange all your windows, make sure you can hear us. (silence) All right, ready to get started guys?

Paul Vixie: Bring it on.

Mike Sutton: Got a couple introductions here. So our first panelist is a privacy advocate and curator of Peter Lowe's Ad and Tracking Server List. Our very own head of domain intelligence here at DNSFilter, Peter Lowe. Peter, what is domain intelligence?

Peter Lowe: It's a shortened term for threat intelligence and content classification. So it basically refers to what we know about domains at DNSFilter. And I came up with it because I was tired of saying that long phrase all the time.

Mike Sutton: So you were the first head of domain intelligence in the world?

Peter Lowe: I'm not going to make that claim. But maybe.

Mike Sutton: All right. Sounds good. Also, joining the panel today is internet pioneer and DNS thought leader, co-founder of Farsight Security and internet Hall of Fame inductee for work related to DDS and DNSSEC, Dr. Paul Vixie. Welcome, Paul.

Paul Vixie: Thank you. I'm very happy to be here.

Mike Sutton: So having been involved DNS for a very long time, pretty much since the beginning, when did you know that the internet was really going to be something that people are into? A success, if we can call it that.

Paul Vixie: So it was successful from its earliest days, because its mission was very small in the early days. But I think I realized it would win the war against OSI X.25, and all that stuff. And that it was going to become the backbone of human commerce and interaction in about 1994, '95. When NSF decided to commercialize and privatize it, and get the government out of the networking business. That is when I could see, "Okay, we're on greased rails. This thing's going everywhere. It's going to take over everything."

Mike Sutton: And how surprised are you even now looking back? Do you think you nailed it or was it under estimating even then?

Paul Vixie: I didn't foresee social networking. At the time that this was 1994, '95 Usenet still existed. The web was just coming into sort of the point where you could get phpBB forums and so forth. And so I really thought it was going to remain distributed. The idea that we would have just a handful of big tech companies with this thing called social networking that was going to take over everything, I didn't foresee that. And I was not on the AltaVista team, but it came from the same team that I had worked at Digital Equipment.

Paul Vixie: And AltaVista badly lost the war, even though they were first. And I think the big reason for that is that they thought you should sell banner ads. They didn't realize that the queries themselves could be used to build profiles and optimize advertising. That's something Google came along with and kicked ass. So I got to say, a lot of us who were around in the early times, completely missed what was going to be important and how it was going to get paid for.

Mike Sutton: It's been an exciting ride, I imagine.

Peter Lowe: I can say, I haven't been around as long as Paul. But around '95 is when I started getting involved in the internet. And I remember thinking to myself, "Oh, my God, this is amazing." And I actually quit my school to go work for an internet company. I think it was a terrible idea at the time, because there were a really good school for traditional subjects, but I just fell in love with it. And I think I was sort of born at just the right time, because I kind of hopped on board when everything started blowing up. 

Mike Sutton: I've been a little more on the programming side. I think I got my first AOL disc in The mail in '94.

Peter Lowe: Who didn't get one of them? Who didn't get one?

Mike Sutton: So we're here to talk about DNS Security. These kinds of topics, our audience is generally very interested in, the more technical are. So Peter, you want to kick this off with just a high level overview of the options and where DOH fits in the conversation?

Peter Lowe: Sure. I can try. So one of the problems with the internet at the moment is that DNS is one of the fundamental protocols, which runs the internet, which is largely unencrypted. And to try and solve this, there have been a bunch of different solutions put forward. And the current two most popular are DNS over TLS, and DNS over HTTPS. They both use TLS under the hood, I think as well, kind of. And DOH is perhaps a bit more... DOH is implemented at the application lay out. Which means that you can configure it in a browser or in an application, but also at the operating system level as well. It sends a DNS query over a standard HTTPS connection. DNS over TLS connects to its own port. And it's separated out that way. It's very high level and probably an accurate summary.

Mike Sutton: We'll get into a few more details anything you want to add Paul?

Paul Vixie: I think you could tell a lot about DOH by looking at the name of the IETF working group, where it is discussed. And that is ADD, used to stand for Applications Doing DNS. So I think the original threat model is that if you're a browser, you can't trust anybody. Because either your host based firewall, your web ad filter, could be all kinds of things that happen to your DNS queries inside the operating system that the browser is running on. If you allow that operating system to see your queries. And you clearly can't trust the IT administrator, the corporate firewall, again, it might have an ad blocker and web browser makers don't really love ad blockers.

Paul Vixie: You can't trust anything about the upstream ISP. They might be data mining the queries so they can build advertising profiles. And generally the other end of that connection feels like they're in competition for that metadata. And so sort of the big websites, the big tech I mentioned earlier, really want to be the only ones who see what their customers are doing. They don't want to share that with potential competitors. So we've got the threat model that says, any On Path actor is a likely On Path adversary, and they must all be disintermediated. Now, I can understand why this seemed attractive. It's just that it has some downsides that don't get enough air time in my opinion. But basically, yes DOH is an economic and political project masquerading as a technical project.

Mike Sutton: Interesting. So even-

Peter Lowe: I think that [inaudible 00:08:31] it's political. And I think one of the reasons why DOH has become successful has a lot to do with who's behind it and kind of who's pushing it as well. So there's been a couple of big companies who have kind of enabled it. And the downside's not really obvious at first glance. It's one of those things that looks good on the surface, but has some disadvantages. Which you find out later on. Which we're finding out now. They're open.

Paul Vixie: I didn't mean to interrupt, I just wanted to add, what you said think about who's backing it in order to understand why it's being backed? What are the benefits to ad, excuse me, browser makers and the big tech websites. Because that's where all the funding is coming from, that's where all the development input is coming from. And we also just... Nobody likes my ad blocker. The idea that I'm going to run a web browser, and it's going to maybe use DNSFilter as its next top DNS, and that you guys have maybe the ability to cause lookups for doubleclick.net, for example, to fail if I subscribe to the right things.

Paul Vixie: Or if you don't do that, other cloud based DNS self filtering people can do that. And you can do that a lot of different ways. But you could imagine the doubleclick.net doesn't love that. And that their interests are not aligned with the idea of ad blockers. So building an unbreakable pipeline directly from this, the ad impression Mark One eyeball, directly to the surveillance capitalist empire is important. And it got this way for a reason. And the reason is not what Edward Snowden proved.

Mike Sutton: So how does encryption fit into the game here then?

Paul Vixie: Well, the reason we're encrypting is partly to build that unbreakable pipeline I just told you about, where you really don't want an On Path Adversary, which is everyone has a probable adversary, according to this threat model. You don't want them to be able to data mine, you don't want them to be able to modify responses. But this is all coming about because of cloud based DNS. And this is no slam on you guys, you run a very clean system, and I'm happy to be a partner of you. But when OpenDNS built the first cloud based DNS system back in the mid-2000s, they were seeking relevance. And they said, "Hey, your ISP is probably running a terrible DNS service, you should use us instead."

Paul Vixie: And then, of course, they decided that www.google.com was not a specific request about Google, but that that was actually a generic request for give me a search engine, please. So they redirected that response, OpenDNS would give you there on the search page. If you tried to go to www.google.com. Google, you might expect, took a dim view of this and said, "Please stop." OpenDNS said, "Well, it's not against the law. And all we're doing is collecting the keywords, associating them with the person asking for this question, and then redirecting them to you."

Paul Vixie: So Google is getting all the traffic, all the ad revenue, everything is still coming to you, you cannot prove losses. Therefore, we're going to keep doing the thing that you are telling us not to do, which is to redirect www.Googlecom to our own web service, if any of our DNS customers happen to ask that question. Of course, DNSSEC would make that impossible. But you have to opt into DNSSEC. So that was not going to be Google's solution. Google's solution was to create 8.8. And if you want to know why Google decided to create 8.8, you should look at what OpenDNS was doing about two months before Google created 8.8.

Paul Vixie: And so now we've got this idea that nobody's going to run their own DNS server, then nobody's going to trust their ISP to do it for them. And everybody is going to pick a cloud provider. Well, of course, if you're going to pick a cloud provider, you're going to cross a lot of networks from where your laptop is to where the closest cloud server outpost is. And that's why you need encryption. It's because of cloud DNS that encryption has become necessary. Back in the 90s, even after commercialization and privatization, people ran their own name servers, or they trusted their ISP to do so. And there wasn't really this idea of cloud, and so you weren't sending your data across untrusted networks. And so you didn't need to encrypt it. Now, because of the cloud, we have to encrypt it. So this is a problem we made. This was not something that was naturally going to occur anyway.

Mike Sutton: And when you say adversaries, do I understand correctly that you mean essentially anyone who's not the site you're trying to contact, that's surveilling, intercepting, or doing anything with that data in between your request and the source?

Paul Vixie: Well, so I don't intend to be a spokesperson for DOH, but I will say that on the first page of the RFC, which is the internet standards Document that defines DOH, it says that DOH is designed to prevent interference in DNS operations by On Path actors. And again, an On Path actor includes whoever made your browser, whoever made the operating system, whoever got your whatever Host Based firewall or Ad Filter, includes your system administrator, includes everybody On Path is everybody from your eyeball all the way to the other end. So according to that threat model, yes, everything that is On Path is an adversary.

Mike Sutton: So I imagine Peter can get on board with. Peter, what are some of the potential solutions that we've tried? DOH seems to be kind of the popular leader right now. What are you seeing?

Peter Lowe: So DOH I guess it is... I was actually looking at Google Trends earlier to see whether there was any kind of indication as to whether DOH had the lead it has over DoT. I think people talk more about DOH, and it's not marketing done for it. And there's no kind of people adopting it in different places. But actually, the difference isn't that much, as far as I can tell. So the interest in DoT is still steady, and it's easier to deploy, I think. And it has a lot of advantages over DOH. One of the problems I think with DOH is because it's application based, that means that technically you can configure it in any application.

Peter Lowe: And it's going to become a nightmare when you have to configure it for Zoom and for Chrome and for Firefox and for everything. I think Apple did a release of iOS recently, where they have the option to do per app configuration and on the system level. And what's going to happen is people are going to forget one of them, and that will break and then they are all going to be calling their ISP or Apple or whoever to say, "Hey, what's going on? This thing isn't working." Or the other way around, they will assume that everything is encrypted, and there'll be one application which is silently not being encrypted.

Peter Lowe: And these On Path factors are just going to sit around and wait for those situations which will happen. So it's the kind of thing which it's been pushed, because it's convenient for some people for what they want to do. But these kinds of issues haven't been addressed and DoT doesn't really suffer from those issues as much, I think. To answer your question about what options, I think right now there are basically two. There's DNS over TLS and DNS over HTTPS. Though DNSCrypt was a candidate at some point, which never made it to the standard track, it never kind of became an official thing for people to adopt. I think before that way back in 2010, or 2011, there was something called DNSCurve. But that never really took off. I think there may be a couple of other ones, maybe Paul has a better memory for other options.

Paul Vixie: No. Certainly right now, the blockchain industry is looking for relevance. They have a solution, and they are looking for a problem that that solution could be a solution to. And a number of them think that it's DNS. And for them, the problem is not just transport encryption like DOH, but it is the ability of people to take down names, they really want it to be that DNS is as distributed as Bitcoin and that there's no way to stop it. And that if a name is doing somebody harm, then well that harm will just continue. So they deserve an honorable mention.

Paul Vixie: But there was DNSCurve, there was DNS Crypt. But I think what still has the lion's share of the market is VPN. Because inevitably, when you're using a VPN, you are also using that VPN for your DNS. Because if you were to use your local network to make DNS requests, which you would then use the addresses, let's say, you look up an address using the local DNS and then that address you reach only over your VPN, well, that's crazy talk. Because you've already exposed to your local name server where you intend to go, you're just not letting them see you get there.

Paul Vixie: In almost every VPN product I've seen, if you turn it on, it also takes over your host DNS, and then answers that from some cloud based DNS service. And that's, I think orders of magnitude larger than all other DNS encryptions combined. Because VPN as we've known, if I'm in a hotel room, I can't trust anything. It's probably not going to work. Half of what I want to do won't work. And the other half, I don't want to be seen by whoever runs this WiFi. So we've been doing VPNs more and more for two decades. And DOH has got a long way to go before it starts to actually make inroads into that market share.

Mike Sutton: You mentioned the blockchain DNS. My understanding is that's almost kind of a parallel system, right? You need special browsers to use it. It's not just something that kind of plugs into the internet. So I guess that leads me to the question of the importance of standards. I think part of what makes the internet so robust, is these relatively simple standards that have held up over time does something like that, while it solves one problem, create a lot of others?

Paul Vixie: I think standards have a role. They are important. But they don't have exactly the role that you said. I remember back there in this commercialization privatization era in late 90s, there were a couple of companies who offered a modified TCP/IP stack, right? Back in those days, Windows didn't come with it, you had to download that. So it was possible to get your TCP/IP from somebody other than Microsoft. And there were a couple of them who said, "Our TCP/IP is not fair. We don't do fair share scheduling. We are more aggressive. And so we will get more channel bandwidth, because all of the standard TCP/IP implementations that have the normal congestion control are going to back off, once they start dropping packets. And then you because you run our product are going to get better performance than them."

Paul Vixie: Now, this is crazy talk. Because if that was going to work, and everybody did it, then what you would have is congestion collapse a lot more often. So the fairness is not because you're not trying to be polite, you're trying to build a functional network. However that way of thinking will never die. I live a stone's throw from Sand Hill Road where most of the venture capitalists in the world make their offices. And I got to tell you that a company is started down there every day and probably twice on Sundays, by somebody who comes in and says, "If you write me a check, I will disrupt some existing supply chain or disintermediate. I will disrupt."

Paul Vixie: Once in a while they say we will create new value, but mostly the way you get funded is to say that you will behave disruptively. And so when you have these standards, all that really does in the eyes of those people and the places their money comes from all it really does is create a norm, which can then be violated by somebody who's aggressive enough to do so. And so yes, these standards are very important, but they're used in different ways by different people.

Mike Sutton: And when you talked about DNS encryption earlier, you referred to it I think, as a political problem disguised as a technical problem. We've got a lot of technical people on the webinar here today. What's that bridge for them? How should they think about this?

Paul Vixie: I think you should read the lawsuit that Comcast filed against Google over DOH, which was settled out of court. So we did not get a chance to see this play out. But in the initial flurry of filings, and counter filings, and so forth, Comcast said, "Google and Comcast are competitors in the advertising business. We believe that Google is abusing its monopoly position to cause us to see less metadata from our joint customers. In other words, a Comcast customer who wants to reach a Google property.

Paul Vixie: And so we believe this is unfair and that Comcast, as an advertiser, deserves to have the same level of visibility into customer traffic that Google is going to have. And otherwise, it's not a level playing field, and so forth." So that should fascinate everyone. Everybody who is putting their shoulder to the wheel of DOH because of what Edward Snowden showed in 2013, and what the Internet Activities Board said should be done, you should look at who you're helping, and look at how they make their money, and decide if their interests are aligned with yours.

Peter Lowe: One of the other interesting side effects of DOH being embraced around the world, or at least available and being used is, and I'll be honest here. So when I first heard some of the fears that people had about DOH causing bigger problems for nation states who are doing DNS Filtering, I was a little skeptical because it seems quite farfetched. But it's happening right now as well. So just to explain what I'm talking about. This is where... Because there are countries and the places in the world where DNS Filtering happens on a national level. And the government itself is intercepting DNS requests and returning modified results for things that it doesn't want you to look at. Because DOH makes it harder for them to do that, and because DOH is kind of disguised as a standard HTTPS request, they have to step up their game and implement even more draconian filtering across the whole country.

Peter Lowe: Beforehand, people could kind of work around a little bit by using a different DNS provider or something. But because now that DOH is everywhere, it's in Chrome and Firefox and iOS and whatever. And it's so easy to switch to, these governments are like, "Well, hang on, we've lost control of what people are looking at. We need to," Like I say, when I first heard this I was sort of like, because it's so far out of my way of thinking it was easy to dismiss. But it's happening right now. China and Russia are looking at blocking 8.8.8.8 entirely, by rerouting packets to... Which is crazy. An entire country doing that is... But it's all I think, a result of DOH being accepted.

Mike Sutton: I want to get to some of the questions from the audience that have been submitted. But a lot of the conversation so far sounds like it's been around privacy, the role of DNS encryption and privacy and protecting people from surveillance. What about the threat prevention and security? Where does DNS encryption come into play there? Peter, you want to answer that?

Peter Lowe: Sure. I will say that I think one of the benefits of cloud DNS provide is, and forgive me if I sound like a sales pitch here. But I work for DNSFilter so. I think the benefit is that it's really easy to deploy a threat protection layer that you can just kind of insert in and you're instantly protected to a certain extent against, you can protect your whole network. Relatively easily and cheaply, you get side benefits, like we have an Anycast network and that side of things. So with regards to encrypted DNS, as long as you're using your protective DNS service resolvers, then you should be okay. Except with encrypted DNS, you know that the results you're getting back are really the ones from the provider that you're using. And like Paul said, DNSSEC is a way around that, but it's not as common as it should be. But it's an important part of really making sure that you're getting what you want, and what you expect.

Paul Vixie: So I've had conversations offline, not as part of this panel, but with you guys, and with [inaudible 00:27:28], just saying that I really looking forward to the day that DNSFilter adopts something like the Pi-hole, little Raspberry Pi device for $10, $20 and puts your solution into that. So that if somebody wants the benefits that you just said, they want protective DNS, they want to get bad answers, if the right answer would take them to a website that was going to I don't know, infect them with a malware. Because I think it'd be wonderful to have an on prem solution that does what you guys have.

Paul Vixie: And I'm sure you're both aware that BlueCat, and Infoblox make appliances like that. Of course, they're larger than a Raspberry Pi, you have to rack mount those. So that's not a solo solution. But all of those solutions also offer protective DNS. You don't have to use the cloud to get protective DNS. And since we have a largely technical audience today, I want to point you at a website, DNS RPZ. That's Domain Name System Response Policy Zone, dnsrpz.info.

Paul Vixie: And that'll get you started on that, because there are some Pi-hole solutions that can be deployed. And you can set the forwarder of that little Pi-hole to point at DNSFilter. So you can kind of get the best of both worlds, or it doesn't have to be DNSFilter pointed at the protective DNS cloud service of your choice. Just have a local intermediary, so that not every device on your network has to know about that. So there are a lot of ways to deliver the goodness that Peter was just describing.

Mike Sutton: So let's look at a couple of questions from the audience Per Thorshan said hi early in the presentation, Paul. So I didn't pass that along [crosstalk 00:29:19] But he does have a follow up question. His follow up question was, let me find it here in my notes. Where do the makers of the man in the middle boxes, Deep Packet Inspection, IDS, IPS makers fit into the debate of DoH versus DoT?

Paul Vixie: Well, this goes back to what Peter was saying about government, right? So if you come along with a business plan that says, "I don't like the Great Firewall of China, or I don't like what the Turkish Government is doing, or the Russian government." Fill in the blank. You've got some boogeyman and you say, "I don't like that. I want that to not be part of humanity's future." And you think you can invent a solution that is going to cause these people to say, "Well, I guess we just don't care if people are allowed to talk about Tiananmen Square, and Taiwan and all the other stuff. This whole one party rule thing is a bad idea. Let's have democracy."

Paul Vixie: You know what? That's not going to happen. That will never happen. Nothing like that will ever be allowed to happen. If you come up with technology that works this way, you're going to get the outcome that Peter predicted, which is that those nations are going to become even more draconian. They're going to have to significantly overblock to make sure that they're not accidentally letting some DoH through, just as they do with VPNs today. They're going to pass laws where you can pay fines or go to jail, if you use that technology.

Paul Vixie: They're not going to give up nothing that the IETF or a whole bunch of plucky volunteers who idolize Edward Snowden does is ever going to cause nations to embrace a post national future. So now that we know that that's an invariant, let's work back toward what we could reasonably do now, that won't provoke them into doing something that will make our operating conditions even worse than they were before we took action, right? In other words, how can we negotiate with these powers. And if you don't do that, then you're going to get just an escalation.

Paul Vixie: And that's where the DPI vendors come in. That is where the companies around the world, largely Western companies in Western nations, are selling cyber ammunitions of this kind to authoritarian governments. That would probably not even be legal if they were used in let's say, the United States. But this data as it passes the perimeter, the cyber border is going to get strip searched. It is going to get decomposed, it's going to get examined. And only that which is known to be safe is going to make it through and anybody who's traveled in China noticed the difference between what they can reach on their roaming smartphone, and what they can reach on their laptop WiFi in a coffee shop, knows what's going to be lost, right?

Paul Vixie: In order to keep Google's sort of unpolitical, unacceptable search results out of China, they also had to block Google Scholar and the golang.org page, right? You can't even get the manual page on Go Lang because of Google's position on search. And so we have to treat this as game theory and stop believing that the game will end after our next move. No, the game goes on after our next move. Sorry, long answer to short question.

Peter Lowe: I see, interestingly, just yesterday, some research which I looked at, which was some people went to some arms fairs, and looked at the companies which were selling surveillance technology. And they came across 80 or something other companies who were selling guns and stuff. There were companies like 3M, Siemens, Microsoft and Orange just selling surveillance tech. It's a little literal arms race, basically.

Mike Sutton: Not I assume, advocating that we shouldn't pursue DNS encryption, because it will cause this reaction, right?

Paul Vixie: I think that there is a form of autonomy, that is not in conflict with sovereignty. And what that is, is that you know it's happening, and you have the ability to refuse to participate, right? So DoT, DNS over TLS, is a wonderful technology for that political reason. It's actually not masquerading as a technical solution. It really is a technical solution, but it took account of some political realities. It is completely blockable. You can detect it, it's got a well-known port number to it. And so if some firewall operator whether that's in your laptop, or maybe your IT department, or your nation, maybe you're in an authoritarian nation, wants to block DoT, they can't.

Paul Vixie: They can't tamper with it. They can't modify the results so that you've tried to go to www.facebook.com, and you get an address, which is not Facebook's address, and you can't tell that it's been tampered with. No, you can absolutely detect tampering. And you can absolutely block this all together if you don't want this to work. And so what that means is you're never at an information deficit, you have transparency, you know the operating conditions into which you would be sending potentially sensitive data.

Paul Vixie: And you could just say, I can't do what I want to do from this coffee shop because of what they're doing to my traffic. And so that becomes an equilibrium, where you have rights but the government is perfectly willing to let you have the right to not use the network, because you don't like how it behaves. Even an authoritarian government is not going to insist that you behave as though you didn't know what they were doing. That's what we needed. That's why DoT is a better solution. Because it allows you to know if tampering has occurred.

Paul Vixie: Or if blocking is occurring. DoH, by trying to make that blocking, or eavesdropping or whatever impossible, is saying, "No, we the individual have more rights than the nation that we are in." The nation is within their purview to declare that that's a criminal attitude. We don't have to build technology that allows people to do that. We should build technology that allows some kind of negotiation and an equilibrium to exist so that nobody has to escalate.

Peter Lowe: Sorry, I think it's a brilliant point. I've been banging on a lot lately about user agency and giving people the choice to decide whether they want to continue in an insecure environment or decide where they're being tracked or monitored or something, just letting people know what's going on, I think is almost or even more important than trying to give them the ability to stop that bad thing, transparently and continue as if... And I think that Paul is much more eloquent than I am on the subject, I have to say.

Peter Lowe: But I likened it to sort of going to a local coffee shop, where the staff are really gossipy. And if you go in, then they'll comment on your clothes and your hair and whatever, as soon as you walk out the door. But if they have really good coffee, then you can still choose to go in and buy a cup, you just know what's going to happen. So you have the choice to go there, even though they're going to talk about you on your back. But it's up to you then. So giving that back to the end user, I think is something that's missing at the moment.

Mike Sutton: So maybe in keeping with the idea that DoH is not necessarily-

Peter Lowe: Sorry. [crosstalk 00:37:48] In the case of DoT, it is allowing us to do that. Although, from the point of view of a company, I'm not sure that's acceptable.

Mike Sutton: So possibly related, Nick from [inaudible 00:38:02] asks, what could be done, or implemented to dissuade the abuse of DOH by large tech companies, and restrict the abuse by malware using its own DoH, DNS infrastructure out of sight of perimeter defenses?

Paul Vixie: Well, that question is an open wound, that we apply the following band aid to that sucking chest wound. Because DoH is designed to be undetectable, it simply lives inside of a HTTPS. So it lives where the ecommerce and all the other stuff lives. And the entropy of that system with TLS 1.3 and Encrypted Client Hello, the entropy is being raised to the point where everything looks like line noise. And there's no longer any ability for a next gen firewall to say, "I permit this transaction, but I reject that one."

Paul Vixie: And what that means is that draconian thing that Peter said earlier, it means that a lot of corporate firewalls are going to have to say, "Look, if you want to get out of here, if you want to go beyond the perimeter, you're going to use this proxy. Here's the key, you must trust." That proxy is going to fully decrypt everything you send, decide whether it's okay. And if it is, it'll send it out and then when the answer comes in, it will decide whether the answer is okay. And if it is, you'll be allowed to hear it. In other words, even your local seesaw is going to become more draconian because of DoH, because of TLS 1.3, because of QUIC, Q-U-I-C, which is moving the web onto UDP.

Paul Vixie: These things are the next move in what will be a long game and we're going to a dark place where everything we do must now be surveilled more closely, in order that you comply with whatever regulatory pressure you're under as a network operator. So it's bogus, the whole thing is bogus. But that's what you're got to do. You're going to install NGINX as a reverse proxy, and you're going to use it in SOCKS mode, and everybody inside your network is going to go through that. And you're going to find a plethora of plugins that will say, we can detect and put a stop to DoH. That's the future.

Peter Lowe: Your mic muted mate.

Mike Sutton: Sorry about that. We've only been on video conferencing for a year and a half now, we'll get that figured out eventually. Kind of a follow up, Jeremy from Price Cold Storage asked how do I defend my endpoints if DNS is encrypted here?

Peter Lowe: They use a protective DNS service, that's selected. Or they use something like a [inaudible 00:41:04] with the RPZ which they do it themselves. I think, the idea of deploying our service to run locally... We do have a relay client which can kind of achieve something like that. It's not a device, but it's this sort of local caching server that forwards requests on. But I think you need to... Or run it yourself, which is an option for anybody. But I can say that it's a pain, if you want to try and manage the threat intelligence feeds and taking care of false positives and all that kind of stuff. That's what I do as a job. And it's a pain. I love my job, but don't fire me please you guys.

Mike Sutton: Leave it to [crosstalk 00:41:53].

Peter Lowe: I suppose that is what I'm trying to say, in a nutshell. But at a certain point, you pay other people to do things that are difficult to do yourself, right? But then you have to trust them to do a good job. So in the end, it's a toss up. Find someone reputable, good protection, evaluate it for yourself, and then either trust them or don't.

Mike Sutton: We'll try and wind down here in just the next few minutes. A couple of questions still coming in. Peter, just another quick technical one. If DoH will use TCP, what will be the impact on Anycast DNS? That's correct. Karanvir from Capgemini, asked that question.

Peter Lowe: So I think that in specifically for DNSFilter, there wouldn't be any effect. Anycast is a thing that allows you to contact the closest physical server to you. So when you go to an IP address, for instance, Mike, if you were going to an IP to doh.dnsfilter.com that would go to a server in the US. And if I did, it will go somewhere in Europe, because I'm in Malta. So that's the big difference. As far as DoH versus something else is concerned, it shouldn't make a difference. If you're talking about using DoH in your client, as in configuring it in Chrome or something like that, then you're just going to be contacting a different service. So I think it depends on how they have any kind of setup. I think that answers the question.

Mike Sutton: Jim Bigils asked, what about malware that uses its own CNC transport and DoH was what happens there?

Peter Lowe: Well, I look into this kind of stuff. And there is malware that basically has its own DNS resolution library, and it uses public DoH servers, which are conveniently available to circumvent any kind of DNS filtering that you have in place. And it's a pain because it's difficult at the moment to block DoH. And so if not using the standard protective DNS services that you might have configured either locally or by using a Cloud service. So it's just another sneaky tactic or sneaky technique used by malware authors. And there is a solution. But again, I'm sounding like a real sales guy here, one solution is to block all is a DNS-

Mike Sutton: [crosstalk 00:44:40] DNSFilter webinar.

Peter Lowe: Well, that's true. Alternatively, DNS traffic block anything that looks like a DoH packet, except to places they can trust.

Mike Sutton: DNSFilter and Farsight joint venture here. We're going to try and wrap up. I'll give Paul the last word here in a moment. If you're interested in either product, DNSFilter, you can get either a demo or a 14 day free trial, just visit our homepage dnsfilter.com. Similarly, for Farsight, hit up their website, and you can get information on how to get started, a demo there. But thanks for joining, there's been a great conversation. I think we could probably go for another several hours. Interesting topic. Not just technical, obviously, the political aspects of it as well. And the balance between security and the political realities that have to be negotiated, I think great points that probably need more exposure. And I appreciate both of you being here to discuss that with us today. Any final words?

Peter Lowe: Just to say thanks to... Sorry, go.

Paul Vixie: No, you go ahead. I'll go last.

Peter Lowe: I just wanted to say thanks to Paul for joining us. It's been an absolute pleasure.

Paul Vixie: Well, I would say the same. I probably love the sound of my own voice a little too much. But thank you for inviting me, this has been great. And I do want to say that during the time of this broadcast, it was announced finally that my company Farsight Security was acquired by Domain Tools. And so I suspect that I've now got the wrong logo under my name somewhere. But that's how these things go. And we are looking forward to continuing to be relevant in the field that we covered today. I will also say I'm passionate about individual liberty, and autonomy, lived autonomy, which requires a certain amount of privacy. So I care very deeply about this. And I'm not opposed to the idea that people should have rights.

Paul Vixie: I just think you have to be intelligent about what rights you demand given that your government is armed. So to that end, let me say if you Google for my name, Patent DNS, you're going to find that there are some methods coming out to disambiguate the DoH traffic out of the high entropy stream, so that given that you don't trust your IoT devices, and you shouldn't you will be able to find out when they're doing this without necessarily having to stop everything with a proxy at the Gateway. But this is the tip of the iceberg. We're at the beginning of a long period of one upmanship. Because of the DoH, TLS 1.3, encrypted Client Hello and QUIC. And I'll be there the whole time. And let's talk again.

Mike Sutton: Absolutely. Thank you guys, Dr. Paul Vixie, from Farsight. Peter Lowe from DNSFilter. Farsightsecurity.com is Paul's website, dnsfilter.com is our website here with Peter. Thank you, gentlemen for joining today. We went just a few minutes long. So sorry to the audience. But thank you so much for joining us. We love bringing these more technical topics. So let us know, what you want to hear about next and we will see you next time. Thanks everyone.