Hi, Christian makes a very good point about distributing the DNS query cache out of the recursive resolver into the clients, which is a privacy boon. However, that comes at the cost of increased load on the authoritative servers as that collective recursive resolver cache is not standing between the clients and the auth servers.
I think that this is a trade-off that individuals and organisations could decide. I imagine that organisations (work places etc.) would likely choose to use a recursive resolver, but private individuals may choose the recursive client option. Whatever the case, I think it is valuable to facilitate that option being easily available.

Regards,
Hugo Connery

________________________________________
From: dns-privacy [[email protected]] on behalf of Christian Huitema [[email protected]]
Sent: Saturday, 8 September 2018 06:50
To: Brian Haberman; [email protected]
Subject: Re: [dns-privacy] Resolver to authoritative discussion guidance

[snip intro].

I am interested in the "no resolver" aspect. The privacy argument for using encrypted to a recursive resolver is that the stub's queries get mixed into an "anonymity set" of all the stubs using the same recursive resolver. That's a fine argument, but it requires users to put a lot of trust in the recursive resolvers. Clients would not be forced to trust the recursive resolvers if they could do the entire recursion themselves.

Of course, running a recursive resolver from the client itself is not currently a good privacy option. The client would end up sending lots of clear text traffic to authoritative sites, traffic that could easily be monitored. But if that traffic was encrypted, the "recursive client" option would become significantly more attractive. Yes, the IP addresses of the authoritative servers will be visible. But these servers have an "anonymity set" of their own, as they often serve a large number of domains. The adversaries will know that the user contacted a server, but they will not know which domain on that server. The recursive client option has the advantage of diluting the client's requests over a multiplicity of servers. This makes the privacy of the system significantly more robust.

Recursive servers are interesting targets, and adversaries can compel their cooperation through subpoena or scarlet letters, or they can target them for hacking. With a recursive client approach, the adversaries will have to gain cooperation of a large number of servers, which may well be located in a variety of jurisdictions. This could be much harder. And because of that, I am quite interested in practical ways to encrypt the traffic from clients to authoritative servers.

-- 
Christian Huitema

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
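The two architectures compared in the thread, modelled in Python as an added illustration that is not part of the mailing-list discussion: a constructed delegation tree (all server and domain names are made up) shows what a shared recursive resolver, each server in the resolution chain, and an on-path observer learn in "shared resolver" mode versus "recursive client" mode, where every hop is assumed to be encrypted so the observer sees only which server was contacted. It also shows the caveat that the root and TLD servers in the chain still receive the query name in plain iterative resolution, which narrows the anonymity-set argument to the hosting server.

```python
from collections import defaultdict

# Constructed delegation tree (not real servers). Three domains share one
# authoritative server, which is the "anonymity set of their own" argument.
ROOT = "root-server"
TLD = {"example": "tld-example-server", "test": "tld-test-server"}
AUTH = {
    "alpha.example": "auth-hosting-A",
    "beta.example": "auth-hosting-A",
    "gamma.example": "auth-hosting-A",
    "delta.test": "auth-hosting-B",
}

def iterative_chain(qname):
    """Servers contacted, in order, to resolve a name like 'www.alpha.example'.
    Every server in the chain, root and TLD included, receives the full
    qname in this model (a real resolver may minimise it)."""
    labels = qname.split(".")
    return [ROOT, TLD[labels[-1]], AUTH[".".join(labels[-2:])]]

def observe(queries, mode):
    """Return {vantage_point: set of observations} for queries given as
    {client: [qname, ...]}.  mode 'resolver': stubs use one shared recursive
    resolver over an encrypted channel.  mode 'recursive_client': each client
    recurses itself with encrypted transport to every server, so an on-path
    observer learns only (client, server) pairs, never the qname."""
    seen = defaultdict(set)
    for client, qnames in queries.items():
        for q in qnames:
            if mode == "resolver":
                seen["shared-resolver"].add((client, q))  # sees everything
                for srv in iterative_chain(q):
                    seen[srv].add(("shared-resolver", q))  # client hidden
            elif mode == "recursive_client":
                for srv in iterative_chain(q):
                    seen[srv].add((client, q))  # server learns client + name
                    seen["on-path-observer"].add((client, srv))
            else:
                raise ValueError(mode)
    return dict(seen)

def anonymity_set(server):
    """Domains an on-path observer cannot distinguish between once it has
    seen a client contact this authoritative server."""
    return {dom for dom, srv in AUTH.items() if srv == server}
```

Comparing `observe(q, "resolver")` with `observe(q, "recursive_client")` for the same query set shows the trust moving from one resolver that sees every (client, name) pair to a set of servers that each see only the names they serve, at the cost of the client address appearing at every hop.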
