Re: [dns-privacy] Use of separate caches for plain and secure transports
Wes Hardaker <wes@hardakers.net> Mon, 17 December 2018 18:18 UTC
From: Wes Hardaker <wes@hardakers.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Christopher Wood <christopherwood07@gmail.com>, dns-privacy@ietf.org, Mukund Sivaraman <muks@mukund.org>
References: <20181211054339.GC11647@jurassic.lan.banu.com> <871s6l43za.fsf@fifthhorseman.net> <20181213205828.GB24089@jurassic.lan.banu.com> <87sgz12jw6.fsf@fifthhorseman.net> <yblwoocosh7.fsf@w7.hardakers.net> <e7026ae4-afa2-4ebf-b885-ea085df62ff3@Spark> <87a7l73l9m.fsf@fifthhorseman.net>
Date: Mon, 17 Dec 2018 10:18:35 -0800
In-Reply-To: <87a7l73l9m.fsf@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Fri, 14 Dec 2018 15:29:09 -0500")
Message-ID: <yblr2egvwxw.fsf@w7.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/oCLDxWth9nvqEBWlEeLZemyvD9g>
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> I hope Wes will answer this question on his own

Basically, one of the reasons the DNS protocol has been so robust is
because of the caching behavior. It greatly reduces traffic, greatly
speeds up lookups. Turning off caching would disable much of this
critical infrastructure that the DNS was designed with. Recent work has
proven that longer TTLs enable zones to survive DDoS attacks because of
caching (https://www.isi.edu/~johnh/PAPERS/Moura18a.pdf).

Instead, we could maybe cache the delay instead and do something like
"if privacy mode is enabled for first query missing the cache for name
X, then store [X, delay] for the resolution time. For all future
requests up until the first non-privacy protected query for X, force a
delay response but respond from the cache". That's kinda messy, but at
least may balance the need to keep the cache with privacy.

> , but i wanted to note that privacy is not only harmed by caches. it
> can also be helped by caches.

Yep. I did some experiments around this at the beginning of 2018 for
the NDSS DNS privacy workshop.

Paper: http://www.isi.edu/~hardaker/papers/2018-02-ndss-analyzing-root-privacy.pdf
Youtube 1: https://youtu.be/bSKBRMNQ7s0
Youtube 2: https://youtu.be/9YYH8JFH_bY?t=21m0s

-- 
Wes Hardaker
My Pictures: http://capturedonearth.com/
My Thoughts: http://blog.capturedonearth.com/