Re: [perpass] DNS confidentiality
Paul Wouters <paul@cypherpunks.ca> Wed, 25 September 2013 19:34 UTC
Return-Path: <paul@cypherpunks.ca>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DF6411E80EC for <perpass@ietfa.amsl.com>; Wed, 25 Sep 2013 12:34:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.498
X-Spam-Level:
X-Spam-Status: No, score=-2.498 tagged_above=-999 required=5 tests=[AWL=0.101, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 38TEt0rOG2qt for <perpass@ietfa.amsl.com>; Wed, 25 Sep 2013 12:34:44 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7DB21F9B10 for <perpass@ietf.org>; Wed, 25 Sep 2013 12:34:41 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3clTx94V3SzC3Q; Wed, 25 Sep 2013 15:34:37 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id NTxvUGo2l6dg; Wed, 25 Sep 2013 15:34:36 -0400 (EDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by mx.nohats.ca (Postfix) with ESMTP; Wed, 25 Sep 2013 15:34:36 -0400 (EDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id 5E6E68009E; Wed, 25 Sep 2013 15:34:32 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 4096E8002E; Wed, 25 Sep 2013 15:34:32 -0400 (EDT)
Date: Wed, 25 Sep 2013 15:34:32 -0400
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Karl Malbrain <malbrain@yahoo.com>
In-Reply-To: <1380136736.93860.YahooMailNeo@web125503.mail.ne1.yahoo.com>
Message-ID: <alpine.LFD.2.10.1309251523400.2349@bofh.nohats.ca>
References: <524150C7.2020602@cs.tcd.ie> <1380054665.62304.YahooMailNeo@web125505.mail.ne1.yahoo.com> <alpine.LFD.2.10.1309241708090.11401@bofh.nohats.ca> <1380136736.93860.YahooMailNeo@web125503.mail.ne1.yahoo.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: perpass <perpass@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 19:34:50 -0000
On Wed, 25 Sep 2013, Karl Malbrain wrote: > On Tue, 24 Sep 2013, Karl Malbrain wrote: > > >> To obviate the harvesting of meta-data, we do need a secure interface to DNS. > > >It might help but giving people urls that will trigger dns requests for > >tracking is pretty easy. Only something like tor might safeguard against > >that. > > I'm not following you here. Can you elaborate on the threat? I was referring to passive monitoring of DNS traffic by third parties who > want to know what domains you are visiting. A passive monitor can just wait and ignore your DNS and then see you connect to IP a.b.c.d. They can easilly find what's hosted there. I mean netcraft even runs a public website where you can ask for all the vhosts running on a certain IP. And if you're going to use tor to hide that, than your DNS should also have gone via TCP on the tor network. An active attacker trying to de-anonymise you could use specifically crafted DNS queries to lure you into resolving something that only exists to catch you. I think of the DNS as one of the only required non-encrypted services to kickstart encryption, but I agree that we could hide DNS better using Opportunistic Encryption (IPsec based). You would still need some unencrypted DNS to setup the IPsec to the DNS servers though. What we don't need though is another dns-like protocol to do so. (and definitely not dnscurve, as it does not support dns data authenticity, only transport security) Paul
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Andy Wilson
- [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ben Laurie
- Re: [perpass] DNS confidentiality Mark Handley
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Joseph Lorenzo Hall
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality manning bill
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Martin Thomson
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Yoav Nir
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ondřej Surý
- Re: [perpass] DNS confidentiality Michael Richardson
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Dan York
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell