Re: [perpass] DNS confidentiality
"Christian Huitema" <huitema@huitema.net> Wed, 13 November 2013 07:32 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3124B11E8117 for <perpass@ietfa.amsl.com>; Tue, 12 Nov 2013 23:32:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.844
X-Spam-Level:
X-Spam-Status: No, score=-2.844 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZFTbuDEie-n for <perpass@ietfa.amsl.com>; Tue, 12 Nov 2013 23:32:10 -0800 (PST)
Received: from xsmtp03.mail2web.com (xsmtp23.mail2web.com [168.144.250.186]) by ietfa.amsl.com (Postfix) with ESMTP id C0C4A11E8118 for <perpass@ietf.org>; Tue, 12 Nov 2013 23:32:01 -0800 (PST)
Received: from [10.5.2.13] (helo=xmail03.myhosting.com) by xsmtp03.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1VgUt1-00057M-Tn for perpass@ietf.org; Wed, 13 Nov 2013 02:31:58 -0500
Received: (qmail 2911 invoked from network); 13 Nov 2013 07:29:14 -0000
Received: from unknown (HELO HUITEMA5) (Authenticated-user:_huitema@huitema.net@[24.16.156.113]) (envelope-sender <huitema@huitema.net>) by xmail03.myhosting.com (qmail-ldap-1.03) with ESMTPA for <mellon@fugue.com>; 13 Nov 2013 07:29:14 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Yoav Nir' <ynir@checkpoint.com>, 'Ted Lemon' <mellon@fugue.com>
References: <20131111121027.GA31723@sources.org> <CEA6999F.25B2C%gwiley@verisign.com> <CA+9kkMDTYZ8tKnGigojWQDuDM3K0uPyoW2fesH1ueAFbTZMBrQ@mail.gmail.com> <CABkgnnVuX3bV1XMKsY1g6GOkZmhfxo=Zt9iUryt0wt+9K8tFkA@mail.gmail.com> <5282D6A3.5060205@cs.tcd.ie> <4AE06389-A46C-4F14-849E-62DC9FA7F128@fugue.com> <335D1A6F-A44C-444A-9379-7D03D873F543@checkpoint.com>
In-Reply-To: <335D1A6F-A44C-444A-9379-7D03D873F543@checkpoint.com>
Date: Tue, 12 Nov 2013 23:29:12 -0800
Message-ID: <01b501cee042$0dd836a0$2988a3e0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHMMPQ/jT06VJ5UBicR1g/ghkW8WAJTDAK3Ah78sc0CYGISVALD7f2NAXR3BWsCDCTjUpm/ZUhQ
Content-Language: en-us
Cc: 'perpass' <perpass@ietf.org>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2013 07:32:40 -0000
> I'm one of those that made that argument. I do think we should fix this in TLS, but realistically, browsers are going to continue sending SNI in the > clear for at least another 10 years. Yes, we should fix this now, because whenever we start, that's when the 10-year countdown begins. The same is > true for any modification to DNS, except the timeframe is likely to be even longer. Even if TLS is not fixed, there is still value in improving DNS privacy. Stephane makes the point in his draft: What also makes the DNS traffic different is that it may take a different path than the communication between the initiator and the recipient. For instance, an eavesdropper may be unable to tap the wire between the initiator and the recipient but may have access to the wire going to the resolver, or to the authoritative name servers. Suppose that a host sends a query for "_bittorrent-tracker._tcp.domain.example.com." If it does not have a cached copy of the NS record for "example.com," the query will go the ".com" server. Because the query carries the entire QNAME, anyone who eavesdrop on the TLD server would learn that the host is attempting to contact a bit torrent server at "domain.example.com." They would learn that even if they are not able to eavesdrop on the direct path between the host and "domain.example.com." Now suppose that instead of sending a query with the full QNAME, the host just sends to the ".com" server a query for the NS record of "example.com." Once it receives the response, the host can send the full query directly to "ns.example.com." Clearly, that too can be eavesdropped, but only if the eavesdropper has a tap on the direct path between the client and the bit torrent server. And if it has such a tap, it will find anyhow that there is TCP-IP traffic between the host and the bittorrent server at "domain.example.com," which means that parsing the DNS query would not provide extra information. So we have here a simple way to prevent leakage of information. It can actually be implemented unilaterally by resolvers, and does not require a change in the DNS protocol. It does require that the resolver somehow learn the "zone cuts," but that is not impossible to learn. -- Christian Huitema
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Andy Wilson
- [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ben Laurie
- Re: [perpass] DNS confidentiality Mark Handley
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Joseph Lorenzo Hall
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality manning bill
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Martin Thomson
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Yoav Nir
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ondřej Surý
- Re: [perpass] DNS confidentiality Michael Richardson
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Dan York
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell