Summary:
* I attempt to explain passive DNS (I am not an expert)
* passive DNS is very useful in combating abuse of the DNS
* the passive DNS architecture would likely require adjustment to conform to confidentiality goals
I believe that many members of this discussion do not understand passive DNS. I am NOT an expert on this topic, and call upon people from Farsight and ISC (or elsewhere) to correct what I say and/or provide better details.

Passive DNS (pDNS) is a voluntary mechanism in which organisations can choose to send their DNS query data to a trusted repository. The data collected there is then made available in bulk (or with some filtering) to subscribing organisations. The data submitted removes information about the system making the query (the client) and passes that information in aggregate to preserve the privacy of the clients. Nonetheless, if that information is sent in the clear (I believe that it is -- experts please correct) it exposes information about the domains being queried by the community of clients that use the resolver.

pDNS provides a historically searchable picture of DNS-land. It is an excellent source for following fast-flux botnets and other adversaries which utilise the DNS system for criminal or other illegitimate purposes.

Providing confidential query transactions to any part of the DNS system would NOT prevent resolvers from recording the transactions or aggregating / anonymising them to deliver passive DNS information (i.e. the resolver must have the client and query details in the clear or it can't do its work). However, to meet the targets of confidentiality it may require a re-architecture of the mechanism by which those transaction details are delivered to the trusted repository, and possibly other mechanisms within the pDNS ecosystem.

Here is an 'old' link which provides more information:
https://www.isc.org/blogs/join-the-global-passive-dns-pdns-network-today-gain-effective-tools-to-fight-against-cyber-crime/

I apologise ahead of time for inaccuracies.
Regards,
Hugo Connery

> On Wed, Oct 22, 2014 at 01:08:46PM -0700,
> Paul Ferguson <[email protected]> wrote
> a message of 200 lines which said:
>
> > the scheme breaks things like passive DNS collection.
>
> It is already known (draft-bortzmeyer-dnsop-dns-privacy-02.txt,
> sections 2.5 and 3) and, as Phillip Hallam-Baker noticed, it may be
> seen as a feature, not a bug.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
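The aggregation step the post describes (the resolver sees client and query in the clear, then strips the client before anything is exported) as an added Python sketch; it is not code from the original post or from any real pDNS sensor. The log format, field names and sample records are constructed assumptions, and the (rrname, rrtype, rdata, count, first_seen, last_seen) record shape is the common passive DNS data model.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed resolver log (not real traffic): epoch_time client_ip qname qtype rdata.
# The sensor at the resolver must see the client and query in the clear to do this.
SAMPLE_LOG = """\
1413990000 192.0.2.10 fluxy.example. A 198.51.100.7
1413990060 192.0.2.11 fluxy.example. A 198.51.100.7
1413990120 192.0.2.10 fluxy.example. A 203.0.113.9
1413990180 192.0.2.12 www.example. A 192.0.2.80
1413990240 192.0.2.11 fluxy.example. A 198.51.100.7
"""

@dataclass
class PdnsRecord:
    """What leaves the resolver: no client address, only aggregate observations."""
    rrname: str
    rrtype: str
    rdata: str
    count: int
    first_seen: int
    last_seen: int

def aggregate(log_text):
    """Drop client identity and fold repeated observations into one record
    per (rrname, rrtype, rdata) with a count and first/last seen timestamps."""
    recs = {}
    for line in log_text.splitlines():
        ts, _client_ip, qname, qtype, rdata = line.split()  # client never copied
        ts = int(ts)
        key = (qname.lower(), qtype, rdata)
        r = recs.get(key)
        if r is None:
            recs[key] = PdnsRecord(*key, 1, ts, ts)
        else:
            r.count += 1
            r.first_seen = min(r.first_seen, ts)
            r.last_seen = max(r.last_seen, ts)
    return list(recs.values())

def flux_candidates(records, min_addrs=2):
    """Names seen with several distinct A records in the window: the kind of
    churn (e.g. fast-flux) the post describes pDNS being used to follow."""
    addrs = defaultdict(set)
    for r in records:
        if r.rrtype == "A":
            addrs[r.rrname].add(r.rdata)
    return sorted(n for n, a in addrs.items() if len(a) >= min_addrs)
```

Running `aggregate(SAMPLE_LOG)` yields three records and no client field anywhere, while `flux_candidates` flags only the name whose address changed within the window.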
