On Tue, Apr 10, 2018 at 6:05 AM, Tony Finch <[email protected]> wrote:

> Willem Toorop <[email protected]> wrote:
> >
> > ODNS queries could be nested. I.e.
> >
> > {{{www.foo.bar}k.odns.google.com}k.odns.quad9.net}k.odns.cloudflare.com
>
> OnionDNS :-)
>

Yeah, that would make it look increasingly more like Tor, so why don't we just use that instead! :-)

In a sense, I would be pleased to see a new I-D in this general area. Privacy protection against recursive DNS operators is an area that has been largely ignored in IETF work. But assuming clients also want privacy from authoritative servers, I don't see a good solution other than real anonymity networks.

To continue on that trajectory though, perhaps a logical next step might be to propose that authoritative DNS operators run one or more nodes as Tor hidden services (and advertise one or more corresponding onion addresses in their NS sets). That would take care of the additional leak of DNS queries via exit nodes. A very powerful adversary could still try to compromise the network by operating enough guard and middle nodes and hoping their targets end up using them to build Tor circuits -- but they could still only identify the endpoints and not the queries.

Some mainstream services (Facebook, New York Times, Duckduckgo, etc.) have already deployed onion services. Maybe DNS operators are next...

-- 
Shumon Huque

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
