[dns-privacy] Private DNS

Phillip Hallam-Baker <hallam@gmail.com> Fri, 21 March 2014 14:43 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 5EAAD1A0973 for <dns-privacy@ietfa.amsl.com>; Fri, 21 Mar 2014 07:43:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id hMYBeydzr44h for <dns-privacy@ietfa.amsl.com>; Fri, 21 Mar 2014 07:43:14 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id A47A91A09B4 for <dns-privacy@ietf.org>; Fri, 21 Mar 2014 07:43:13 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id gl10so1780476lab.28 for <dns-privacy@ietf.org>; Fri, 21 Mar 2014 07:43:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=n7b83uB69JbFcRuQkla0eZPi1zN4JVcYhM/Zo6POO5A=; b=FmsNjsCgbJVKqCQuX38an5ZaavOc6jUOEh62B71HMSPDpo88DKO7qWQbHlCSmOXtgC fwqkR/o9UVWtQ7UebyNkAgfwXLH551zPVP/XMPRNmf9aSCOTHTExb3JySnSfMYQC4NOB ABiAwtC2V3vbc+2FgLuUmoIiUVSjsxhdFgYtKhz/QUZ77yzU68lsc9k8UKnn3PPtg0M1 goGLIshbaeeFPPZc/K8hr5PKYn4m5peRnwwsFAHaK04fPS/BI309Fahn+PeEtyRwaQXJ PL8MSAe3qULHnH4PJqmDVfHXHkcq6KjqTwSNQHfAwCIBErKCTPWmhjUMUq9IceYE3e0y NxvQ==
MIME-Version: 1.0
X-Received: by with SMTP id gq7mr34178507lac.28.1395412983492; Fri, 21 Mar 2014 07:43:03 -0700 (PDT)
Received: by with HTTP; Fri, 21 Mar 2014 07:43:03 -0700 (PDT)
Date: Fri, 21 Mar 2014 10:43:03 -0400
Message-ID: <CAMm+LwjBL5C_FCBpkyLjxS7ayF2Eo=yLnLiWRNB2hgFiY1KN0w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: dns-privacy@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/euL7loWFw9YnHVgsdAyfzd6a8aI
Subject: [dns-privacy] Private DNS
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 14:43:16 -0000

So far we have been talking about DNS Privacy. But what is more
important to many Internet users is control over their choice of DNS

Consider the following:

Right now we have several million Internet users who want control over
their DNS service. I am pretty sure that they don't want their
government to know what sites they are visiting. But they also want to
make sure that government censors can't block criticism of the ruling

So the challenge as I see it is not just DNS-Privacy, it is providing
users with a private DNS. As in a DNS service that is their private
choice and under their private control.

This was the use case that I started with that resulted in OmniBroker.
Encrypting DNS traffic is a different set of requirements but the hard
part of the problem is essentially the same: We have to do a key

As an attempt to close the earlier discussion on 'backwards
compatibility', could I suggest the following as a criteria:

* Any DNS Encryption scheme has to be compatible with the getdnsapi
except for extensions to the setup/configuration part of the API.

I know getdnsapi is not a standard, there are other implementations,
yadda yadda. But it is a really useful sanity check. Any proposal that
is compatible with getdnsapi is likely to work as a drop in
replacement for existing DNS.

As an anti-censorship tool, OmniBroker is a lot more powerful because
it is designed to allow the service to give more comprehensive
tactical advice. So for example, the OmniBroker could say 'connect to
this site using TOR'.

Website: http://hallambaker.com/