[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH
Ángel
operations at dns.16bits.net
Fri May 17 22:50:58 UTC 2019
On 2019-05-16 at 20:55 -0600, Grant Taylor wrote:
> > It's set to TTL of the record +epsilon (or at least it should be).
>
> Hum. I don't think I like the idea of the TTL of the temporary white
> list being set to the TTL of the DNS RR. This could be hours / days /
> weeks / months. I'd think that such a DNS firewall would only want to
> allow something for seconds / minutes at most. Especially when
> IPTables SPI can allow ongoing / established traffic. (Remember that
> you just need to allow things long enough for a connection to become
> ESTABLISHED or whatever your SPI is filtering on.)
No. The client could make more than one connection and, since it
has a non-expired DNS answer for that host, connect directly instead
of making a superfluous DNS query, long after your firewall
considered that it had already given it plenty of time for the *first*
connection.
If you want to restrict the time the hole is open, you should change the
returned TTL to an appropriate value. But having the firewall rule set
to TTL+ε is the right call.
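A constructed model of the argument above (added here as an example; it is not code from the list or from either poster): a DNS-aware firewall opens a hole when an answer passes, the client caches that answer for its TTL, and connections served from the cache send no new query. The policy names, the 60-second fixed window and the attempt times are assumptions chosen to show the two proposals side by side.

```python
# Constructed model (added example, not from the list post): a DNS-aware
# firewall opens a hole for a resolved address when it sees the answer pass,
# and a client that still holds that answer in its cache reconnects without
# sending a new query, so the firewall never sees a reason to reopen the hole.

def firewall_window(policy, returned_ttl, epsilon=5, fixed=60):
    """Seconds the hole stays open after an answer passes the firewall.
    Both policy names are hypothetical labels for the two proposals."""
    if policy == "fixed":             # a short fixed period (seconds/minutes)
        return fixed
    if policy == "ttl_plus_epsilon":  # the answer's TTL plus a small margin
        return returned_ttl + epsilon
    raise ValueError(policy)

def simulate(policy, returned_ttl, connect_times, fixed=60):
    """Return ([(t, allowed)], [(open_at, close_at)]) for the attempts.
    The client queries only when its cache is empty or expired; that query
    crosses the firewall, which (re)opens the hole. A connection served
    from cache sends no query, so it succeeds only if the hole is still open."""
    results, windows, cache_until, hole_until = [], [], -1, -1
    for t in sorted(connect_times):
        if t >= cache_until:  # cache miss: query out, answer back, hole opens
            cache_until = t + returned_ttl
            hole_until = t + firewall_window(policy, returned_ttl, fixed=fixed)
            windows.append((t, hole_until))
        results.append((t, t <= hole_until))
    return results, windows

def blocked_times(policy, returned_ttl, connect_times, fixed=60):
    """Attempt times the firewall rejects."""
    results, _ = simulate(policy, returned_ttl, connect_times, fixed)
    return [t for t, allowed in results if not allowed]

def hole_open_seconds(policy, returned_ttl, connect_times, fixed=60):
    """Total time the hole is open (union of all windows)."""
    total, covered = 0, -1
    for start, end in sorted(simulate(policy, returned_ttl, connect_times, fixed)[1]):
        start = max(start, covered)  # do not double count overlapping windows
        if end > start:
            total, covered = total + end - start, end
    return total

if __name__ == "__main__":
    attempts = [0, 600, 3000]  # constructed: three connections inside one 3600s TTL
    for label, policy, ttl in [("fixed 60s, TTL 3600", "fixed", 3600),
                               ("TTL+eps, TTL 3600", "ttl_plus_epsilon", 3600),
                               ("TTL+eps, TTL clamped to 60", "ttl_plus_epsilon", 60)]:
        print(f"{label}: blocked={blocked_times(policy, ttl, attempts)}",
              f"open={hole_open_seconds(policy, ttl, attempts)}s")
```

The third case is the poster's suggestion: clamping the TTL the client sees keeps every hole short while still letting every cache-served connection through, because the client re-queries (and the firewall reopens) as soon as its shorter cache entry expires.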