Hi Mark,

I'm thinking of bouncing queries between N resolvers, regardless of
what transport protocol they choose to use.
Because the path "client -> resolver -> auth" is easier to trace back
than "client -> resolver -> (random bounces) -> auth".
The only benefit of doing this is anonymity nearing that of an
open resolver, without being... open for everyone,
as the resolvers may be open only to each other / secured.
Or do you mean the TCP connection that the client possibly opens after
name resolution? Then yes, this does not
prevent eavesdropping between the client and the resolver.


On 28 August 2014 08:06, Mark Andrews <[email protected]> wrote:
>
> In message
> <CACgotOQXxgzz3XvA7=g5xn-cvmumvsx31vqhywgvajpux7b...@mail.gmail.com>,
> Marek Vavruša writes:
>> Hi, I just wanted to chime in that I've read the
>> draft-bortzmeyer-dnsop-dns-privacy, good stuff.
>> One of my concerns regarding the privacy is - even with the encryption
>> and minimization, there's still a lot of information available about
>> the query resolution, like for example who's asking who, sizes of the
>> query/response and such. I mean, for example if I'm asking a TLD and
>> then a hosting company, it's a pretty good chance I'm looking for a
>> name under that TLD and registered with that company.
>>
>> I wonder what are your thoughts about something like the onion routing
>> in the DNS query resolution? Instead of asking the authoritative
>> servers directly, you could give a small N of random bounces within a
>> group of name servers, making the exit point (to some extent) random.
>> This could work even for a partial solution of a query - for example
>> when resolving multiple NS addresses at once. This presumes a
>> relatively confident "last mile" between the query originator and the
>> first bouncing resolver, and unfortunately brings additional costs (in
>> terms of CPU and bandwidth) for processing bounced queries.
>>
>> Best,
>> Marek Vavrusa (CZ.NIC)
>
> And the point of doing this when the next thing you do is open a
> TCP connection to a server is...? Or are you thinking that we should
> be using Tor for all connections all the time?
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: [email protected]
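The bouncing scheme Marek sketches (a query enters a closed group of resolvers, is forwarded to a few random peers, and leaves from whichever resolver it ends at) and his reply about what that does and does not hide, modelled as an added Python example. This is not code from the thread, from CZ.NIC or from draft-bortzmeyer-dnsop-dns-privacy; the resolver names, the single-resolver passive adversary, the "exit is the last resolver in the walk" rule and the assumption that the full qname rides on every hop are choices of this example.

```python
"""Toy model of 'client -> resolver -> (random bounces) -> auth'.

Assumptions of this example (not from the thread): resolvers form a closed
group that only accept queries from each other and from their own clients,
every bounce carries the full qname, and the adversary is a passive
observer sitting at exactly one node."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    sender: str
    receiver: str
    qname: str  # assumed: the full qname is visible on every hop


def bounce_query(client, resolvers, auth, qname, n_bounces, rng=None):
    """client -> entry resolver -> n_bounces random forwards -> exit -> auth.

    Each bounce goes to a peer other than the current resolver, so with
    n_bounces=0 the entry resolver is also the exit (the ordinary path)."""
    rng = rng or random.Random(0)
    entry = rng.choice(resolvers)
    hops = [Hop(client, entry, qname)]
    current = entry
    for _ in range(n_bounces):
        peer = rng.choice([r for r in resolvers if r != current])
        hops.append(Hop(current, peer, qname))
        current = peer
    hops.append(Hop(current, auth, qname))
    return hops


def observer_view(hops, vantage):
    """Messages a passive observer at one node gets to see."""
    return [h for h in hops if vantage in (h.sender, h.receiver)]


def can_link(hops, vantage, client, auth):
    """True if the observer at `vantage` sees both the client-facing hop and
    the auth-facing hop of this query, i.e. can say 'this client asked this
    auth server'. A resolver that is neither entry nor exit sees only
    peer-to-peer traffic: it learns the qname, but not who asked."""
    seen = observer_view(hops, vantage)
    return any(h.sender == client for h in seen) and any(h.receiver == auth for h in seen)


def linkable_vantages(hops, resolvers, client, auth):
    """Resolvers from which this particular query is linkable end to end."""
    return {r for r in resolvers if can_link(hops, r, client, auth)}


def link_rate(resolvers, n_bounces, trials, rng=None, client="client", auth="auth"):
    """Fraction of queries that a single compromised resolver (resolvers[0])
    could link end to end, estimated by simulation."""
    rng = rng or random.Random(0)
    linked = 0
    for i in range(trials):
        hops = bounce_query(client, resolvers, auth, f"host{i}.example.", n_bounces, rng)
        if can_link(hops, resolvers[0], client, auth):
            linked += 1
    return linked / trials


def message_count(hops):
    """Cost side of the proposal: every bounce is one more message on the wire."""
    return len(hops)


if __name__ == "__main__":
    rng = random.Random(1)
    group = ["r1", "r2", "r3", "r4", "r5"]  # constructed resolver group
    q = bounce_query("client", group, "auth", "www.example.", 3, rng)
    for h in q:
        print(f"{h.sender:>6} -> {h.receiver:<6} {h.qname}")
    print("linkable from:", linkable_vantages(q, group, "client", "auth") or "no single resolver")
    # The 'last mile' is outside the scheme: an eavesdropper on the
    # client's own link still sees the query name on the first hop.
    print("last-mile eavesdropper still sees:", observer_view(q, "client")[0].qname)
    for k in (0, 1, 2, 3):
        print(f"{k} bounces: link rate {link_rate(group, k, 5000, rng):.3f}, "
              f"{k + 2} messages per query")
```

With no bounces exactly one resolver (the entry) can link the query, so a single compromised resolver links about 1/N of all queries; with one bounce the exit is never the entry and the rate is 0; with two or more bounces the walk can wander back to its starting point, so a small residual rate returns. The message count is the bandwidth cost Marek mentions, and the first-hop view is the part that bouncing cannot protect, which is the "last mile" assumption in his proposal and the eavesdropping caveat in his reply.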

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy