Unlike most DNS services, ENUM requests contain the sort of information that the NSA and telcos were caught up in the previous couple of years. Of late we have implemented our own name server software, so we felt compelled to extend this to encrypt DNS requests and replies. We can only assume the only reason that the NSA is the only government spy agency that has made the news is because they were the only ones to get caught, not because they are the only ones doing it, or if others aren't doing it now they most likely will be within the next decade or so.

Besides the obvious government spy efforts, even if you have nothing to hide from any government, at least at this point in time, that doesn't mean you don't want to hide or conceal your personal information from your neighbours, employers, employees, your business competitors or whoever; the list can really go on and is unique to our own situations and what it is we're doing that we don't want others to know we're doing. No matter what you are doing there is bound to be someone you don't want sticking their nose into your business. After all, if we weren't worried about everyone knowing everything occurring in our lives we wouldn't put curtains up in our houses.

Currently there is no internet draft nor RFC covering this subject as far as I/we are aware, but that will be the next step for us from here. We'll probably get yelled at by the DNS purists because we hacked it together and cheated a little in the process, but again our intent wasn't to do anything more than a proof of concept to prove that it could be done. We haven't designed the system to be ENUM specific and it should be usable for any DNS, although it is possibly not the best way to do things and we want further discussions on this topic.

So far there is a dig replacement that does DNS types that e164.org supports, an AGI ENUM lookup script, and a FreePBX patch:

http://www.e164.org/wiki/DNS_Encryption

Although, after contemplating the AGI script, a FastAGI daemon seemed like a better solution for a number of reasons, since you could track and use whichever name server gave faster responses, disabling IPv6 after the first attempt failed, although the IPv6 code isn't 100% correct in any case and needs a little TLC.

While this goes one step further in protecting your privacy, or your company's privacy, anyone using any VoIP solution for that matter that doesn't have opportunistic encryption will always be vulnerable to virtually any script kiddie able to get themselves in the flow of your packets, although rumour has it the next version of Asterisk is supposed to support SIPS/SRTP apparently. There is a bug/patch #5413 for Asterisk, for SRTP, but it's pretty hit and miss at times if it will even compile. Although, SIPS isn't the same thing as MIKEY, which is what the Linksys/Sipura etc. phones/devices support, so round and round it goes.

--
Best regards,
Duane

http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
