Re: [perpass] DNS confidentiality

Karl Malbrain <malbrain@yahoo.com> Wed, 25 September 2013 19:47 UTC

Message-ID: <1380138426.6956.YahooMailNeo@web125503.mail.ne1.yahoo.com>
Date: Wed, 25 Sep 2013 12:47:06 -0700
From: Karl Malbrain <malbrain@yahoo.com>
To: Paul Wouters <paul@cypherpunks.ca>
In-Reply-To: <alpine.LFD.2.10.1309251523400.2349@bofh.nohats.ca>
Cc: perpass <perpass@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [perpass] DNS confidentiality

I see.....
 
Then the difference in security is that once you are targeted individually, your connection meta-data are available for harvesting and something like tor is required.  But, if the monitoring is at the DNS server then encryption makes it impossible to determine who should be targeted next.
  

________________________________
 From: Paul Wouters <paul@cypherpunks.ca>
To: Karl Malbrain <malbrain@yahoo.com> 
Cc: perpass <perpass@ietf.org>; Stephen Farrell <stephen.farrell@cs.tcd.ie> 
Sent: Wednesday, September 25, 2013 12:34 PM
Subject: Re: [perpass] DNS confidentiality
  

On Wed, 25 Sep 2013, Karl Malbrain wrote:

> On Tue, 24 Sep 2013, Karl Malbrain wrote:
> 
> >> To obviate the harvesting of meta-data, we do need a secure interface to DNS.
> 
> >It might help but giving people urls that will trigger dns requests for
> >tracking is pretty easy. Only something like tor might safeguard against
> >that.
>  
> I'm not following you here.  Can you elaborate on the threat?  I was referring to passive monitoring of DNS traffic by third parties who
> want to know what domains you are visiting.

A passive monitor can just wait and ignore your DNS and then see you
connect to IP a.b.c.d. They can easily find what's hosted there. I
mean netcraft even runs a public website where you can ask for all the
vhosts running on a certain IP.

And if you're going to use tor to hide that, then your DNS should also
have gone via TCP on the tor network.

An active attacker trying to de-anonymise you could use specifically
crafted DNS queries to lure you into resolving something that only
exists to catch you.

I think of the DNS as one of the only required non-encrypted services to
kickstart encryption, but I agree that we could hide DNS better using
Opportunistic Encryption (IPsec based). You would still need some
unencrypted DNS to set up the IPsec to the DNS servers though.

What we don't need though is another dns-like protocol to do so. (and
definitely not dnscurve, as it does not support dns data authenticity,
only transport security)

Paul