Executive Order 14144 - encrypted DNS
Michael De Roover
isc at nixmagic.com
Wed Jan 29 02:58:26 UTC 2025
On Monday, 27 January 2025 14:05:42 CET Stephane Bortzmeyer via bind-users
wrote:
> On Mon, Jan 27, 2025 at 12:55:08PM +0000,
> Marc <Marc at f1-outsourcing.eu> wrote
>
> a message of 36 lines which said:
> > What is this referring to DNSSEC?
>
> The way I understand it, it is referring to DoH and DoT.
>
> > What is the point of encrypting data with the current implementation
> > of certificates.
>
> I fail to see the relationship with certificates. But if you want a
> complete analysis of privacy issues in DNS, read RFC 7626
> <https://www.rfc-editor.org/info/rfc7626>.
I appreciate the confirmation of this being about DoT/DoH, thank you! So I
suppose this would mostly affect ISPs then? From what I can tell, most ISPs (at
least here in Belgium) do advertise their own DNS servers. That's then picked
up by consumer / business routers, and either relayed as-is or with the router
doing simple recursion.
Either way, it would be the ISP answering the queries. It seems that here in
Belgium, this is also taken advantage of to serve legal requirements such as
banning torrent sites. These would then be redirected to a stop page, stating
that downloading torrents is illegal. It's easy to circumvent by just using a
public DNS server like Google / Cloudflare / Quad9 etc, and all parties
involved are seemingly aware of that. This low-impact choice was made because
it was sufficient that most people just don't bother changing their DNS
provider.
But that also means that ISPs can still tamper with the responses based on
government requirements, whether or not they encrypt their responses to the
customer with DoT/DoH. If there's no authenticity, then they can literally
respond with anything they want. Could be used lawfully or even
organizationally (e.g. blocking Facebook at the workplace, because there's
work to do), but it seems like a slippery slope.
RPZ is something I use internally too, but I've always had mixed feelings
about its use. Is the ability to rewrite responses really our call to make? If
so, to what extent? And if authenticity is to be enforced from those with
authoritative servers, to circumvent that problem if identified as such,
wouldn't that just move the ball for ISPs to employ more intrusive methods to
comply with the law?
--
Kind regards,
Michael De Roover
Mail: isc at nixmagic.com
Web: michael.de.roover.eu.org
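The point made above, that DoT/DoH protects the path to the resolver while the resolver itself can still rewrite answers, is easy to see in configuration. The following BIND 9.18-style named.conf is an added illustration and is not from the post, from ISC or from any ISP; the TLS key/cert paths, the 192.0.2.0/24 client range and the zone name rpz.example are constructed for the example. It serves DNS over TLS and over HTTPS on the same server that applies an RPZ, so a client that only encrypts its transport still receives the rewritten answer:

```conf
// Added example (not from the original post): a recursive resolver that
// offers encrypted transport and still rewrites answers through RPZ.
// All file paths, addresses and zone names are constructed placeholders.

tls resolver-tls {
    key-file "/etc/bind/tls/resolver.key";   // placeholder path
    cert-file "/etc/bind/tls/resolver.crt";  // placeholder path
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };       // constructed customer range

    listen-on port 53 { any; };                                 // Do53
    listen-on port 853 tls resolver-tls { any; };               // DoT
    listen-on port 443 tls resolver-tls http default { any; };  // DoH

    // The resolver validates upstream, but what it sends to the client is
    // still decided here: RPZ rewrites are applied after validation.
    dnssec-validation auto;

    // Every answer passes through this policy zone before leaving,
    // regardless of which transport the client used to ask.
    response-policy { zone "rpz.example"; };
};

zone "rpz.example" {
    type primary;
    file "/etc/bind/db.rpz.example";  // placeholder; ordinary RPZ zone file
    allow-query { none; };            // policy data is not served directly
};
```

The zone file behind "rpz.example" holds ordinary RPZ trigger records beneath the usual SOA and NS, for example `torrentsite.example IN A 192.0.2.80` together with `*.torrentsite.example IN A 192.0.2.80` (constructed names) to send every name under that domain to a stop page. Check the file with `named-checkconf` before loading, and compare `dig @<resolver> www.torrentsite.example +tls` with the same query sent to a resolver that has no policy zone: the DoT session is encrypted, yet the answer is the rewritten one. Only a client that validates DNSSEC itself would notice, and for signed domains BIND does not by default apply RPZ to responses it would otherwise return DNSSEC-validated to clients that set the DO bit; that behaviour is governed by the `break-dnssec` option, whose exact semantics should be checked in the BIND ARM for the version in use.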