[dns-privacy] Private DNS
Phillip Hallam-Baker <hallam@gmail.com> Fri, 21 March 2014 14:43 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/euL7loWFw9YnHVgsdAyfzd6a8aI
So far we have been talking about DNS Privacy. But what is more important to many Internet users is control over their choice of DNS providers. Consider the following:

https://twitter.com/enginonder/status/446819815106576384/photo/1

Right now we have several million Internet users who want control over their DNS service. I am pretty sure that they don't want their government to know what sites they are visiting. But they also want to make sure that government censors can't block criticism of the ruling party.

So the challenge as I see it is not just DNS-Privacy, it is providing users with a private DNS. As in a DNS service that is their private choice and under their private control.

This was the use case that I started with that resulted in OmniBroker. Encrypting DNS traffic is a different set of requirements but the hard part of the problem is essentially the same: We have to do a key exchange.

As an attempt to close the earlier discussion on 'backwards compatibility', could I suggest the following as a criterion:

* Any DNS Encryption scheme has to be compatible with the getdnsapi except for extensions to the setup/configuration part of the API.

I know getdnsapi is not a standard, there are other implementations, yadda yadda. But it is a really useful sanity check. Any proposal that is compatible with getdnsapi is likely to work as a drop-in replacement for existing DNS.

As an anti-censorship tool, OmniBroker is a lot more powerful because it is designed to allow the service to give more comprehensive tactical advice. So for example, the OmniBroker could say 'connect to this site using TOR'.

--
Website: http://hallambaker.com/
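The compatibility criterion proposed in the message above (encryption confined to the setup/configuration part of the API, resolution calls unchanged) is illustrated here with an added, stand-alone Python sketch. It is not code from the original post, from getdns, or from OmniBroker; the `ResolverContext` class, the `UDP`/`TCP`/`TLS` transport names and the sample response bytes are constructed for this example. The point it makes concrete is that the DNS wire message (RFC 1035) is identical under every transport; only the framing differs, with stream transports (TCP per RFC 1035, and DNS over TLS, later standardised as RFC 7858, which reuses the same framing) prefixing a 2-octet length. Transport selection therefore belongs in the context object, and `prepare()` keeps the same shape regardless of whether the bytes will travel in the clear or inside TLS.

```python
import random
import struct
from typing import Optional

# Hypothetical transport identifiers for the resolver context (not getdns constants).
UDP, TCP, TLS = "udp", "tcp", "tls"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a standard RFC 1035 query for `name` (default QTYPE 1 = A, class IN).

    The encoded message does not depend on the transport that will carry it.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_transport(msg: bytes, transport: str) -> bytes:
    """UDP carries the bare message; TCP and TLS prefix a 2-octet big-endian length."""
    if transport == UDP:
        if len(msg) > 512:
            raise ValueError("message exceeds the classic 512-octet UDP payload")
        return msg
    if transport in (TCP, TLS):
        return struct.pack("!H", len(msg)) + msg
    raise ValueError(f"unknown transport {transport!r}")


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_records(msg: bytes, expected_txid: int):
    """Return IPv4 addresses from the answer section, checking txid and RCODE first."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: response is not for our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


class ResolverContext:
    """Setup/configuration (including the transport) lives here; the resolution
    call keeps one shape whatever transport was configured."""

    def __init__(self, transport: str = UDP):
        self.transport = transport

    def prepare(self, name: str):
        """Return (txid, framed bytes) ready to hand to the configured transport."""
        txid = random.randrange(0, 0x10000)
        return txid, frame_for_transport(build_query(name, txid=txid), self.transport)


# Constructed sample response (not captured traffic): example.com A -> 192.0.2.1,
# TTL 300, with the answer name given as a compression pointer to offset 12.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + build_query("example.com", txid=SAMPLE_TXID)[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    ctx = ResolverContext(transport=TLS)
    txid, framed = ctx.prepare("example.com")
    print(f"txid={txid:#06x} framed={framed.hex()}")
    print("answers:", parse_a_records(SAMPLE_RESPONSE, SAMPLE_TXID))
```

Running it shows the same 29-octet query under each transport, differing only by the 2-octet length prefix on TCP and TLS; a caller that holds a `ResolverContext` never sees the difference, which is the property the compatibility criterion asks for.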