Re: [DNSOP] private-use in-meeting chat comments

Tony Finch <dot@dotat.at> Tue, 17 November 2020 22:51 UTC

Date: Tue, 17 Nov 2020 22:51:45 +0000
From: Tony Finch <dot@dotat.at>
To: Brian Dickson <brian.peter.dickson@gmail.com>
cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <CAH1iCirZWAzUpfhzdoJ8y7RfMFy7JEDhY1jBHbb7Y2CzD8iv3A@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.2011172229380.9850@grey.csi.cam.ac.uk>
References: <CAH1iCirk5X9xOFmABQU9X9G92eQrePPuOwgXVHd4zza4kK9SwA@mail.gmail.com> <alpine.DEB.2.20.2011172127200.9850@grey.csi.cam.ac.uk> <CAH1iCirZWAzUpfhzdoJ8y7RfMFy7JEDhY1jBHbb7Y2CzD8iv3A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-N7Y1BtWQ9NMzR4SPOqeuQdchwI>
Subject: Re: [DNSOP] private-use in-meeting chat comments

Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>
> However, there's also another clever trick (for some value of $clever),
> which isn't iron-clad but could help:
>
> guidspace.arpa DNAME empty.as112.arpa

That's worse than leaving it unregistered :-) AS112 is OK for RFC 1918
reverse DNS because in that case the QNAMEs don't contain much
information, but that isn't true for the forward DNS.

Most of the privacy leak is to the hotspot network's resolvers (and their
passive DNS partners); if the domain is registered then the resolver will
send QNAMEs to its nameservers; if the domain points at AS112 then almost
anyone might receive the QNAME leakage; if the domain is unregistered and
the resolver does qmin then there's less leakage.

This is really a general issue with split horizon DNS: whoever is
assigning or giving advice about local/internal DNS needs to make
it clear that the names aren't private and will leak.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Viking: Variable 3 or 4, becoming cyclonic 5 to 7, occasionally gale 8 later.
Rough, becoming very rough later. Rain at times. Moderate or good,
occasionally poor.
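The three cases Tony lays out (the name registered with its own nameservers, the name pointed at AS112 via DNAME, and the name left unregistered with a resolver that does QNAME minimisation) can be made concrete with a toy iterative resolver that records which authoritative server receives which name. This is an added example, not code from the thread or from any DNS implementation. The zone tree, the server labels (root-servers, arpa-servers, as112.arpa-servers, as112-anycast, guidspace-ns), the host label a1b2c3 and the assumption that a registered guidspace.arpa would be delegated to its own servers are all constructed for the illustration; caching is modelled only as "a referral already seen is not fetched again". The hotspot's own recursive resolver of course sees the full QNAME in every case; the model only covers what leaves it.

```python
"""Toy model: which authoritative servers see a QNAME during iterative
resolution, with and without QNAME minimisation (RFC 7816).
Constructed example; zone layout and server names are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Zone:
    server: str                                  # constructed label for "who sees this query"
    names: set = field(default_factory=set)      # owner names that exist besides the apex
    dnames: dict = field(default_factory=dict)   # DNAME owner -> target


def labels(name):
    return name.split(".") if name else []


def encloses(apex, name):
    """True if `name` is at or below `apex` ('' is the root)."""
    return apex == "" or name == apex or name.endswith("." + apex)


def build_zones(scenario):
    """Zone tree for the three layouts: 'unregistered', 'registered', 'dname'."""
    zones = {
        "": Zone("root-servers"),
        "arpa": Zone("arpa-servers"),
        "as112.arpa": Zone("as112.arpa-servers"),
        "empty.as112.arpa": Zone("as112-anycast"),   # RFC 7535 empty zone, anycast
    }
    if scenario == "registered":                     # assumed delegation to own servers
        zones["guidspace.arpa"] = Zone("guidspace-ns", names={"a1b2c3.guidspace.arpa"})
    elif scenario == "dname":                        # the trick from the quoted mail
        zones["arpa"].dnames["guidspace.arpa"] = "empty.as112.arpa"
        zones["arpa"].names.add("guidspace.arpa")
    return zones


def resolve(qname, zones, qmin):
    """Return (trace, rcode); trace lists (server, name sent) in query order."""
    trace, current, apex, depth, visited = [], qname, "", 1, {""}
    for _ in range(64):                              # guard against loops in bad zone data
        zone = zones[apex]
        sent = ".".join(labels(current)[-depth:]) if qmin else current
        trace.append((zone.server, sent))

        # DNAME: a name strictly below the owner is rewritten and resolution restarts
        # from the deepest zone the resolver has already been referred to
        owner = next((o for o in zone.dnames if sent != o and encloses(o, sent)), None)
        if owner is not None:
            current = current[: -len(owner)] + zone.dnames[owner]
            apex = max((a for a in visited if encloses(a, current)), key=len)
            depth = len(labels(apex)) + 1
            continue

        # Referral: the direct child zone that encloses the sent name
        child = min((a for a in zones if a != apex and encloses(apex, a) and encloses(a, sent)),
                    key=len, default=None)
        if child is not None:
            apex, visited = child, visited | {child}
            depth = len(labels(apex)) + 1
            continue

        # This server is authoritative for `sent`
        exists = sent == apex or sent in zone.names or sent in zone.dnames
        if sent == current:
            return trace, "NOERROR" if exists else "NXDOMAIN"
        if not exists:
            return trace, "NXDOMAIN"                 # RFC 8020: nothing exists below a missing name
        depth += 1                                   # qmin: add one label, ask the same server
    raise RuntimeError("resolution did not converge")


def leaf_label_seen_by(qname, scenario, qmin):
    """Servers that received the leftmost (most identifying) label of `qname`."""
    leaf = labels(qname)[0]
    trace, _ = resolve(qname, build_zones(scenario), qmin)
    seen = []
    for server, name in trace:
        if labels(name)[0] == leaf and server not in seen:
            seen.append(server)
    return seen


if __name__ == "__main__":
    q = "a1b2c3.guidspace.arpa"                      # constructed host under the private name
    for scenario in ("unregistered", "registered", "dname"):
        for qmin in (False, True):
            trace, rcode = resolve(q, build_zones(scenario), qmin)
            print(f"{scenario:12} qmin={qmin!s:5} {rcode:8} "
                  f"leaf label seen by: {leaf_label_seen_by(q, scenario, qmin)}")
```

Running it reproduces the ordering in the mail: unregistered plus qmin leaks the leaf label to nobody outside the hotspot resolver (the arpa servers only see `guidspace.arpa` and answer NXDOMAIN); registered sends it to the name's own servers; the DNAME variant sends it both to the arpa servers, because the DNAME lives in the arpa zone, and to whichever AS112 anycast instance the resolver happens to reach.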