On Mon, Apr 9, 2018 at 1:53 PM, Christian Huitema <[email protected]> wrote:
> At first sight, it seems that this moves the logging hole from the DNS
> recursive to the ODNS recursive, and that's a meh.
>
> Also, instead of using a complicated tunneling through the recursive
> resolver via name obfuscation, why not establish a secure connection to the
> ODNS server in the first place?

Because then the DNS client has exposed its network-layer identity to the
ODNS server. By sending an encrypted query to the ODNS server, via the
recursive server, the client has allowed the ODNS server to resolve the name
on its behalf without the ODNS server knowing which end system this name
resolution is being performed for.

The ODNS server can still easily collude with recursive server operators to
unmask the clients though, so I'm not sure how much privacy we've really
gained. At some point, it may be reasonable to ask why clients aren't
funneling their queries through a real anonymity network instead, like Tor,
or better.

-- 
Shumon Huque
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
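The exchange discussed above (encrypted query carried as labels of a name under the ODNS server's zone, so an ordinary recursive forwards it without learning the real name), together with the log join that lets a colluding recursive operator and ODNS operator unmask the client, as an added simulation. This is example code, not from the thread, the ODNS paper, or any ODNS implementation. Everything about the wire format is an assumption of the example: the zone name `odns.example`, base32 label encoding, a toy HMAC-SHA256 stream cipher standing in for the real encryption, a pre-shared key standing in for public-key transport of a per-query session key, and a constructed answer table standing in for the ODNS server resolving the plaintext name itself.

```python
"""Simulation of an oblivious-DNS query through an ordinary recursive resolver.

Added example only; the wire format, zone name, cipher and key handling are
assumptions of this example and are not taken from the thread or from ODNS.
"""
import base64
import hashlib
import hmac
import os

ODNS_ZONE = "odns.example"   # assumed: the ODNS server is authoritative for this zone
# Constructed key shared by client and ODNS server; stands in for a session key
# the client would wrap to the ODNS server's public key in a real design.
PSK = hashlib.sha256(b"constructed demo key, not a real secret").digest()
NONCE_LEN, TAG_LEN = 12, 16
# Constructed answer table; stands in for the ODNS server resolving the name.
ANSWERS = {"www.example.com": "192.0.2.10", "mail.example.net": "198.51.100.25"}

recursive_log = []   # what the recursive resolver operator can see
odns_log = []        # what the ODNS server operator can see


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a toy stream cipher for the example only."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key, plaintext, nonce=None):
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte HMAC tag."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encode_qname(blob):
    """Pack ciphertext into a DNS name: base32 (DNS names are case-insensitive,
    so base64 would not survive), split into labels of at most 63 octets."""
    s = base64.b32encode(blob).decode().rstrip("=").lower()
    labels = [s[i:i + 63] for i in range(0, len(s), 63)]
    return ".".join(labels + [ODNS_ZONE])


def decode_qname(qname):
    s = qname[:-len(ODNS_ZONE) - 1].replace(".", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def client_query(client_ip, name):
    """The stub encrypts the real name and asks its recursive for an opaque name."""
    return client_ip, encode_qname(seal(PSK, name.encode()))


def recursive_resolver(client_ip, qname, recursive_ip="203.0.113.53"):
    """Sees the client's address and an opaque name; forwards by zone as usual."""
    recursive_log.append({"src": client_ip, "qname": qname})
    if not qname.endswith("." + ODNS_ZONE):
        raise ValueError("not an ODNS name; ordinary resolution elsewhere")
    return odns_server(recursive_ip, qname)


def odns_server(src_ip, qname):
    """Sees the recursive's address and the real name, but not the client."""
    name = unseal(PSK, decode_qname(qname)).decode()
    odns_log.append({"src": src_ip, "qname": qname, "plain": name})
    return seal(PSK, ANSWERS.get(name, "NXDOMAIN").encode())


def run_query(client_ip, name):
    src, qname = client_query(client_ip, name)
    return unseal(PSK, recursive_resolver(src, qname)).decode()


def collude():
    """The unmasking the thread warns about: join both logs on the opaque name,
    which is identical in each, to pair client addresses with real names."""
    plain_by_qname = {e["qname"]: e["plain"] for e in odns_log}
    return {(e["src"], plain_by_qname[e["qname"]])
            for e in recursive_log if e["qname"] in plain_by_qname}
```

Running `run_query("198.51.100.7", "www.example.com")` leaves the recursive log with the client address and only the opaque name, and the ODNS log with the real name and only the recursive's address; `collude()` then recovers the (client, name) pair from the two logs with nothing more than the shared opaque name as the join key, which is why a recursive that forwards for the client gives no protection against the two operators cooperating.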
