On Tue, Apr 10, 2018 at 6:05 AM, Tony Finch <d...@dotat.at> wrote:

> Willem Toorop <wil...@nlnetlabs.nl> wrote:
> >
> > ODNS queries could be nested.  I.e.
> >
> > {{{www.foo.bar}k.odns.google.com}k.odns.quad9.net}k.odns.cloudflare.com
> OnionDNS :-)

Yeah, that would make it look increasingly more like Tor, so why don't we
just use that instead! :-)

In a sense, I would be pleased to see a new I-D in this general area.
Privacy protection against recursive DNS operators is an area that has been
largely ignored in IETF work. But assuming clients also want privacy from
authoritative servers, I don't see a good solution other than real
anonymity networks.

To continue on that trajectory though, perhaps a logical next step might be
to propose that authoritative DNS operators run one or more nodes as Tor
hidden services (and advertise one or more corresponding onion addresses in
their NS sets). That would take care of the additional leak of DNS queries
via exit nodes. A very powerful adversary could still try to compromise the
network by operating enough guard and middle nodes and hoping their targets
end up using them to build Tor circuits -- but they could still only
identify the endpoints and not the queries. Some mainstream services
(Facebook, New York Times, DuckDuckGo, etc.) have already deployed onion
services. Maybe DNS operators are next...

Shumon Huque
dns-privacy mailing list
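The nested-query notation quoted at the top of the thread, `{{{www.foo.bar}k.odns.google.com}k.odns.quad9.net}k.odns.cloudflare.com`, reads like onion routing: each pair of braces is a layer encrypted to the key `k` of the operator named after it, and each operator strips its own suffix, decrypts one layer and forwards whatever name it finds inside. The model below is an added example written for this page, not code from the thread or from any ODNS draft: the cipher is a constructed SHA-256 stream cipher with an HMAC tag standing in for whatever real ODNS would use, the keys are made-up demo values, the ciphertext is carried as base32 labels, and the operator names are taken from the quoted line. It shows what each hop in the chain actually gets to see.

```python
"""Toy model of nested ("onion-like") ODNS queries.

Constructed example: a SHA-256 counter-mode stream cipher with an HMAC tag
stands in for the real ODNS cryptography; keys below are demo values.
"""
import base64
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip one layer."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("layer too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _to_labels(blob: bytes) -> str:
    """Base32 the ciphertext and cut it into DNS labels of at most 63 chars."""
    text = base64.b32encode(blob).decode().rstrip("=").lower()
    return ".".join(text[i:i + 63] for i in range(0, len(text), 63))


def _from_labels(labels: str) -> bytes:
    text = labels.replace(".", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def wrap_layer(qname: str, suffix: str, key: bytes) -> str:
    """{qname}k.suffix  ->  <encrypted labels>.suffix"""
    return _to_labels(seal(key, qname.encode())) + "." + suffix


def build_nested_query(qname: str, hops: list) -> str:
    """hops are (suffix, key) pairs listed innermost first, as in the braces."""
    for suffix, key in hops:
        qname = wrap_layer(qname, suffix, key)
    return qname


def peel_layer(qname: str, suffix: str, key: bytes) -> str:
    """What the operator of `suffix` learns after decrypting its own layer."""
    marker = "." + suffix
    if not qname.endswith(marker):
        raise ValueError("query is not addressed to " + suffix)
    return unseal(key, _from_labels(qname[: -len(marker)])).decode()


def trace_resolution(nested: str, hops: list) -> list:
    """Name seen at each hop, outermost operator first; last entry is the cleartext."""
    seen = []
    for suffix, key in reversed(hops):
        nested = peel_layer(nested, suffix, key)
        seen.append(nested)
    return seen


# Constructed demo keys; suffixes follow the quoted nested name (innermost first).
DEMO_HOPS = [
    ("odns.google.com", hashlib.sha256(b"demo key: google").digest()),
    ("odns.quad9.net", hashlib.sha256(b"demo key: quad9").digest()),
    ("odns.cloudflare.com", hashlib.sha256(b"demo key: cloudflare").digest()),
]

if __name__ == "__main__":
    nested = build_nested_query("www.foo.bar", DEMO_HOPS)
    print("client sends:", nested)
    for step in trace_resolution(nested, DEMO_HOPS):
        print("next hop sees:", step)
```

Running it shows the property the thread is after: the outermost operator sees only an opaque label ending in `.odns.quad9.net`, the middle one sees only an opaque label ending in `.odns.google.com`, and only the innermost key recovers `www.foo.bar`. Each operator therefore learns the previous and next hop but not the query, which is exactly the point where the comparison with Tor starts to bite.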