Stephane,

On Tue, 30 Jun 2015 20:40:36 +0200
Stephane Bortzmeyer <[email protected]> wrote:

> I did not know this clever technique to evade censorship (may also be
> used to evade detection if you want to access a site which is not
> censored but may be objectionable, that's why I forward it here).
>
> Solves the old problem "but DNS and SNI will reveal the name of the
> HTTPS site I visit" :-)
>
> https://petsymposium.org/2015/papers/03_Fifield.pdf

Thanks! Very interesting indeed.

This induced some wild thinking in me! Apologies for the somewhat rambling mail that follows.

I do find it a bit scary that to circumvent censorship at the transport level a solution is to collect a lot of sites in shared IP addresses... improving ease of pervasive monitoring at the hosting level. :P

Anyway...

If I understand it, these techniques might be improved if there is a way to get DNS information via covert channels, and if there is a way to get information about "related" web services (services hosted on the same IP addresses).

This dovetails nicely into the dns-privacy work I think. Certainly any encrypted DNS lookup channel could provide part of a solution.

Another possibility is to somehow include "extra" information in replies. So, if NONBLOCKED.EXAMPLE is served by the same CDN as BLOCKED.EXAMPLE, a query for NONBLOCKED.EXAMPLE could return information in the additional section.

    ;; ANSWER SECTION:
    nonblocked.example.   600 IN A     192.0.2.13
    nonblocked.example.   600 IN RRSIG ...

    ;; ADDITIONAL SECTION:
    blocked.example.      600 IN A     192.0.2.13
    blocked.example.      600 IN RRSIG ...
    some-other.example.   600 IN A     192.0.2.13
    some-other.example.   600 IN RRSIG ...
    ...

I suppose it wouldn't scale so well with number of blocked sites, doesn't help if you are using someone else's resolver (which will strip the "unnecessary" information). We could perhaps work around this via an EDNS option - perhaps another motivation for the ability to perform multiple queries in a single message (one of my dreams).

Of course, this might induce DPI operators to try to strip off additional section data in a clever way, or forbid any DNS other than sanctioned ones.

Cheers,

--
Shane
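
The additional-section idea in the mail above, as an added Python example that is not part of the original message: it parses a dig-style reply, lists the additional-section names that share an address with the answer, and shows that nothing survives once an intermediate resolver strips unreferenced records. The sample reply is constructed from the mail's example names (plus a constructed `elsewhere.example`), and `strip_unreferenced` is a simplified, assumed model of resolver behaviour.

```python
from collections import defaultdict

# Constructed dig-style sample using the mail's example names and address.
# RRSIG lines are omitted; elsewhere.example is an extra constructed record.
SAMPLE = """\
;; ANSWER SECTION:
nonblocked.example.  600 IN A 192.0.2.13

;; ADDITIONAL SECTION:
blocked.example.     600 IN A 192.0.2.13
some-other.example.  600 IN A 192.0.2.13
elsewhere.example.   600 IN A 198.51.100.7
"""

ADDRESS_TYPES = ("A", "AAAA")

def parse_sections(text):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} from dig-style text."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip().lower()
        elif line and not line.startswith(";") and current:
            fields = line.split(None, 4)
            if len(fields) == 5:
                owner, ttl, _cls, rtype, rdata = fields
                sections[current].append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return sections

def co_hosted(sections):
    """Additional-section names whose address also appears in the answer."""
    addrs = {r[3] for r in sections.get("answer", []) if r[2] in ADDRESS_TYPES}
    return sorted({r[0] for r in sections.get("additional", [])
                   if r[2] in ADDRESS_TYPES and r[3] in addrs})

def strip_unreferenced(sections):
    """Simplified model (assumption) of an intermediate resolver: keep an
    additional record only if its owner name is a target in answer RDATA."""
    targets = {r[3].split()[-1].lower() for r in sections.get("answer", [])
               if r[2] not in ADDRESS_TYPES}
    kept = [r for r in sections.get("additional", []) if r[0] in targets]
    return {**sections, "additional": kept}

if __name__ == "__main__":
    parsed = parse_sections(SAMPLE)
    print("direct from authoritative:", co_hosted(parsed))
    print("via stripping resolver:   ", co_hosted(strip_unreferenced(parsed)))
```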
