I have been pondering DNS Privacy issues for some time, and I read with interest a recent blog by Geoff Huston and Joao Luis Silva Damas (http://www.circleid.com/posts/20160526_the_path_to_dns_privacy/). Basically, we have two trends, somewhat conflicting. On one side, DPRIVE is standardizing an encrypted connection to a trusted recursive resolver; on the other side, efforts like GetDNS would generalize the use of recursive resolvers on the client itself. There are pros and cons on both sides.

The privacy benefits of DPRIVE depend on the trusted resolver handling lots of traffic. If the trusted resolver handled only one customer at a time, it would be easy to correlate the encrypted messages coming to the server and the clear text queries sent to the authoritative resolvers, and there would be little privacy gain. If the resolver handles millions of queries, correlation becomes much harder, but something else happens. The big resolver becomes a very tempting target for attacks, from data mining to criminal hacks, legal warrants, censorship mandates, or secret national security letters.

The distributed approach is somewhat more robust against attacks, especially if the distributed resolver implements QName Minimization. But there is little privacy if the queries are sent in clear text. In fact, clear text queries can also be attacked with a combination of deep packet inspection and automated spoofing - some big national firewalls are already doing just that, and the infamous "Quantum Insert" service was doing something similar. DNSSEC will allow resolvers to detect the attack, downgrading them from MITM to denial of service, but that's not exactly perfect robustness.

So, what shall we do? I suppose recursive resolvers could use DNS over TLS to get data from authoritative resolvers. Or DNS over DTLS. Or a variation of DNS over HTTPS. But are we standardizing that? Is this part of DPRIVE's charter?

-- Christian Huitema

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
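An added illustration of the QName Minimization point raised in the message above (example code written for this page, not the poster's and not any resolver's implementation): it compares what each zone on the delegation path learns from a classic resolver, which sends the full query name to every server it consults, with an RFC 7816 style minimizing resolver that reveals only one label beyond the zone it is asking. The delegation tree (`ZONE_CUTS`) is a constructed stand-in for real DNS responses.

```python
# Added example (not from the post): what each zone on the delegation path
# learns about a query from a classic resolver versus one doing QName
# Minimization (RFC 7816 style: reveal one label beyond the zone asked).
# The delegation tree below is constructed for the example, not real data.

ZONE_CUTS = {".", "com.", "example.com."}  # constructed zone cuts


def ancestors(qname: str) -> list[str]:
    """'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']"""
    parts = [p for p in qname.rstrip(".").split(".") if p]
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def classic_queries(qname: str) -> list[tuple[str, str]]:
    """(zone asked, name sent): the full name goes to every zone on the path."""
    return [(zone, qname) for zone in ancestors(qname) if zone in ZONE_CUTS]


def minimised_queries(qname: str) -> list[tuple[str, str]]:
    """(zone asked, name sent): add one label per step; move down only at a zone cut."""
    queries, zone = [], "."
    for name in ancestors(qname)[1:]:
        queries.append((zone, name))
        if name in ZONE_CUTS:  # the answer was a delegation: follow it
            zone = name
    return queries


def names_seen_by(zone: str, queries: list[tuple[str, str]]) -> set[str]:
    """Names a zone operator (or anyone sniffing its clear-text link) gets to see."""
    return {name for z, name in queries if z == zone}


def full_name_leaked_above_owner(qname: str, queries: list[tuple[str, str]]) -> bool:
    """True if a zone other than the one actually serving qname saw the full name."""
    owner = next(z for z in reversed(ancestors(qname)) if z in ZONE_CUTS)
    return any(z != owner and name == qname for z, name in queries)


if __name__ == "__main__":
    q = "a.b.example.com."
    for label, fn in (("classic", classic_queries), ("minimised", minimised_queries)):
        print(label)
        for zone, name in fn(q):
            print(f"  ask {zone:14} for {name}")
```

With minimization the root and `.com` servers only ever see `com.` and `example.com.`; the leaf labels reach nothing above the zone that owns them, which is the "somewhat more robust" property the message relies on.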
