On 09-04-18 at 20:16, Bill Woodcock wrote:
>> On Apr 9, 2018, at 10:59 AM, Shumon Huque <[email protected]> wrote:
>> The ODNS server can still easily collude with recursive server operators to 
>> unmask the clients though, so I'm not sure how much privacy we've really 
>> gained. At some point, it may be reasonable to ask why aren't clients 
>> funneling their queries through a real anonymity network instead, like Tor, 
>> or better.
> 
> Because Tor has exactly the same problem, but the intelligence agencies 
> already have a ten-year head-start in setting up entry/exit nodes?
> 
> Still, I’m with Shumon on this…  It seems like a reasonable thing to do, but 
> it only works as long as the entry and exit nodes are not affiliated…  If it 
> provided any major privacy benefit, folks who wanted to deanonymize the 
> traffic would just pay what it cost to set up both entry and exit nodes, and 
> you’ll be right back in the jam that Tor is in.  So, I’m happy to support it, 
> but it’s a layer of defense-in-depth, not a stand-alone solution.

ODNS queries could be nested.  I.e.

{{{www.foo.bar}k.odns.google.com}k.odns.quad9.net}k.odns.cloudflare.com

You need only one honest, trustworthy ODNS server to get the privacy
guarantee.

Also, if all the ODNS servers in the nested list were anycasted, the
performance penalty might be quite reasonable.  Something for the
current serious anycasted Private DNS providers to consider perhaps.
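The nesting described in the post, as an added toy simulation (not code from the post or from any ODNS implementation): each server peels one encryption layer, learns only the next hop, and the query name itself is visible only at the innermost server.  It assumes a symmetric key pre-shared between the client and each ODNS server (real ODNS derives a session key via the server's public key) and uses a SHA-256 keystream XOR as a stand-in cipher so it runs offline; the server names and keys are constructed sample values.

```python
"""Toy simulation of nested (onion-style) ODNS queries.

Assumptions (not from the mailing-list post): each ODNS server holds a
symmetric key pre-shared with the client, and "{x}k" in the post's
notation means "x encrypted under that server's key".  The cipher below
is a toy SHA-256 keystream XOR with a random nonce, used only to keep the
example self-contained; it provides no integrity protection.
"""
import hashlib
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from SHA-256(key || nonce || counter).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def build_nested_query(qname: str, path: list[tuple[str, bytes]]) -> str:
    """Client side.  `path` lists (server, key) from the innermost server
    (the one that finally resolves qname) to the outermost one.  Each
    layer becomes "<hex ciphertext>.odns.<server>", mirroring the post's
    {...}k.odns.<server> notation (label-length limits are ignored here)."""
    query = qname
    for server, key in path:
        query = encrypt(key, query.encode()).hex() + ".odns." + server
    return query


def peel(key: bytes, query: str) -> str:
    """One hop's work: strip its own suffix and decrypt the leftmost label."""
    label = query.split(".odns.", 1)[0]
    return decrypt(key, bytes.fromhex(label)).decode()


def run_chain(query: str, keys: dict[str, bytes]) -> tuple[str, list[tuple[str, str]]]:
    """Forward the query hop by hop and record what each server saw after
    peeling.  Returns (final query name, [(server, what it forwarded)])."""
    observations = []
    while ".odns." in query:
        server = query.split(".odns.", 1)[1]
        inner = peel(keys[server], query)
        observations.append((server, inner))
        query = inner
    return query, observations


def deepest_view(query: str, colluding_keys: dict[str, bytes]) -> str:
    """What a coalition holding only `colluding_keys` can recover by peeling
    from the outside in.  It stops at the first layer addressed to a server
    whose key it lacks: that one honest server breaks the link between the
    client's ciphertext and the plaintext name."""
    while ".odns." in query:
        server = query.split(".odns.", 1)[1]
        if server not in colluding_keys:
            return query
        query = peel(colluding_keys[server], query)
    return query


# Constructed sample keys; the server names follow the post's example.
SAMPLE_KEYS = {
    "google.com": b"g" * 32,
    "quad9.net": b"q" * 32,
    "cloudflare.com": b"c" * 32,
}
SAMPLE_PATH = [(s, SAMPLE_KEYS[s]) for s in ("google.com", "quad9.net", "cloudflare.com")]

if __name__ == "__main__":
    q = build_nested_query("www.foo.bar", SAMPLE_PATH)
    name, seen = run_chain(q, SAMPLE_KEYS)
    for server, forwarded in seen:
        print(f"{server} forwards: {forwarded[:24]}...")
    print("resolved:", name)
    honest_missing = {k: v for k, v in SAMPLE_KEYS.items() if k != "quad9.net"}
    print("coalition without quad9 sees:", deepest_view(q, honest_missing)[:24], "...")
```

Running it shows cloudflare.com forwarding an opaque label ending in `.odns.quad9.net`, quad9.net forwarding one ending in `.odns.google.com`, and only google.com seeing `www.foo.bar`.  The simulation covers key confidentiality only: a coalition that controls the outermost and innermost hops can still attempt to correlate timing and traffic volume across the honest hop, which is the entry/exit collusion concern raised earlier in the thread and a reason to treat nesting as one defence-in-depth layer.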

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy