Re: [perpass] DNS confidentiality

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Stephane,

On 09/29/2013 07:28 PM, Stephane Bortzmeyer wrote:
> On Fri, Sep 27, 2013 at 11:41:25AM -0700,
>  Karl Malbrain <malbrain@yahoo.com> wrote 
>  a message of 138 lines which said:
> 
>> I'm concerned about three DNS security problems:
> 
> You're not concerned about the fact that DNS servers (your resolver,
> and the authoritative name servers) get a lot of data and can misuse
> it? It seems to be that it is one of the main weaknesses of DNS, when
> it comes to confidentiality. A big public resolver, like OpenDNS or
> Google Public DNS (both located in PRISMland) can learn a lot of
> things about its users (this has been used often to detect malware,
> only from its DNS requests, but it could be used for more sinister
> purposes). A big TLD (say, for example, .com, also located in
> PRISMland) can also learn a lot.
> 
> And no amount of cryptographe between the client and this server will
> help.

Does that mean that there's scope for a BCP on ways of deploying
DNS that are more (or less) privacy friendly? While I guess a bunch
of n/w operators might not care, I'm pretty sure some would. (And
could perhaps get some competetive benefit from demonstrably caring
via following such a BCP.)

Additionally, if you're arguing that there's no useful role at all
for confidentiality in DNS then I think I'd argue that confidentiality
could well be useful, but that it won't by itself be sufficiently
useful to be worth deploying and so is only worthwhile in conjunction
with some already privacy-friendly deployment of DNS servers. Sound
wrong? Or right? If right, then maybe there's scope for some
experimental RFC(s) to go with that BCP.

Volunteers very welcome as usual:-) If you're one, just go write the
internet-draft and we'll catch up with you after you've posted a
link here.

Cheers,
S.


>