I'm glad this is coming to DPRIVE. My main question for the authors is: how does this compare to routing a DNS-over-TLS socket through a TCP forwarder? It seems to me that a TCP forwarder (operated by a separate party from the DNS-over-TLS recursive) would offer a similar level of privacy protection as ODNS, but with off-the-shelf software and at lower CPU cost (better amortization of public-key operations).
On Tue, Jul 3, 2018 at 5:39 PM Allison Mankin <[email protected]> wrote:
> DPRIVE-ites,
>
> Please take a look at a new individual internet-draft we will introduce at
> the Montreal DPRIVE meeting, targeted eventually for Experimental.
>
> Its novelty is that it meets a strong privacy goal: that no single party
> should be able to associate DNS queries with a client IP address that
> issues those queries. We are looking forward to all comments and reviews
> both in email and in person.
>
> Thanks!
>
> Nick and Allison for the authors
>
>> A new version of I-D, draft-annee-dprive-oblivious-dns-00.txt
>> has been successfully submitted by Allison Mankin and posted to the
>> IETF repository.
>>
>> Name:          draft-annee-dprive-oblivious-dns
>> Revision:      00
>> Title:         Oblivious DNS - Strong Privacy for DNS Queries
>> Document date: 2018-07-02
>> Group:         Individual Submission
>> Pages:         11
>> URL:      https://www.ietf.org/internet-drafts/draft-annee-dprive-oblivious-dns-00.txt
>> Status:   https://datatracker.ietf.org/doc/draft-annee-dprive-oblivious-dns/
>> Htmlized: https://tools.ietf.org/html/draft-annee-dprive-oblivious-dns-00
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-annee-dprive-oblivious-dns
>>
>> Abstract:
>> Recognizing the privacy vulnerabilities associated with DNS queries,
>> a number of standards have been developed and services deployed that
>> encrypt a user's DNS queries to the recursive resolver and thus
>> obscure them from some network observers and from the user's Internet
>> service provider. However, these systems merely transfer trust to a
>> third party. We argue that no single party should be able to
>> associate DNS queries with a client IP address that issues those
>> queries. To this end, this document specifies Oblivious DNS (ODNS),
>> which introduces an additional layer of obfuscation between clients
>> and their queries. To accomplish this, ODNS uses its own
>> authoritative namespace; the authoritative servers for the ODNS
>> namespace act as recursive resolvers for the DNS queries that they
>> receive, but they never see the IP addresses for the clients that
>> initiated these queries. The ODNS experimental protocol is
>> compatible with existing DNS infrastructure.
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
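The abstract quoted above states the property ODNS is built for: the ordinary recursive resolver learns the client's IP address but not the name being queried, while the authoritative server for the ODNS namespace learns the name but only ever sees the recursive's address. The following Python is an added illustration of that two-party split and is not code from the draft or from its authors. The draft's actual wire format and key-wrapping scheme are not on this page, so the model assumes a hybrid scheme (a fresh per-query symmetric key, wrapped under the ODNS authoritative's public key and carried inside the query name) and stands in a toy textbook-RSA wrap over fixed primes for whatever the draft specifies. The zone name odns.example, the IP addresses and the static zone data are all constructed; the TCP-forwarder alternative raised in the reply is not modelled.

```python
"""Model of the party-by-party information split described in the ODNS
abstract.  Added example, NOT code from draft-annee-dprive-oblivious-dns.
Assumed (not taken from the page): hybrid per-query key wrapped under the
ODNS authoritative's public key, toy RSA over fixed primes, zone name,
addresses and zone data."""
import base64
import hashlib
import hmac
import secrets

ODNS_ZONE = "odns.example"          # assumed zone name for the ODNS namespace

# --- toy public-key key wrap: textbook RSA over fixed Mersenne primes. ---
# Insecure by construction (no padding, tiny modulus); a deployment would use
# a real KEM/HPKE library.  It only has to make the point that the ordinary
# recursive cannot recover the per-query key from the label it forwards.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
_N = _P * _Q                        # ~150-bit modulus, holds a 16-byte key
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
_WRAP_LEN = 19                      # bytes needed to carry an integer < _N


def rsa_wrap(key: bytes) -> bytes:
    """Encrypt a 16-byte session key to the ODNS authoritative (toy RSA)."""
    assert len(key) == 16
    return pow(int.from_bytes(key, "big"), _E, _N).to_bytes(_WRAP_LEN, "big")


def rsa_unwrap(wrapped: bytes) -> bytes:
    return pow(int.from_bytes(wrapped, "big"), _D, _N).to_bytes(16, "big")


# --- symmetric layer: SHA-256 keystream XOR plus HMAC tag, bound to direction. ---
def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, label, len(plaintext))))
    return ct + hmac.new(key, label + ct, hashlib.sha256).digest()[:16]


def open_sealed(key: bytes, label: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-16], blob[-16:]
    expect = hmac.new(key, label + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, label, len(ct))))


# --- carry opaque bytes inside DNS labels (base32, at most 63 chars per label). ---
def to_labels(data: bytes) -> str:
    txt = base64.b32encode(data).decode().rstrip("=").lower()
    return ".".join(txt[i:i + 63] for i in range(0, len(txt), 63))


def from_labels(labels: str) -> bytes:
    txt = labels.replace(".", "").upper()
    return base64.b32decode(txt + "=" * (-len(txt) % 8))


class OdnsAuthoritative:
    """Authoritative for ODNS_ZONE: resolves the decrypted name, but the only
    source address it ever sees is the recursive's."""
    ZONE_DATA = {"www.example.com": "192.0.2.10"}   # constructed stand-in for recursion

    def __init__(self, ip: str):
        self.ip, self.log = ip, []

    def handle(self, qname: str, src_ip: str) -> bytes:
        inner = qname[: -len("." + ODNS_ZONE)]
        key_label, _, ct_labels = inner.partition(".")
        key = rsa_unwrap(from_labels(key_label))
        name = open_sealed(key, b"query", from_labels(ct_labels)).decode()
        self.log.append((src_ip, name))            # what this party learns
        return seal(key, b"answer", self.ZONE_DATA.get(name, "NXDOMAIN").encode())


class Recursive:
    """Ordinary recursive resolver: sees the client IP and an opaque qname."""

    def __init__(self, ip: str, authoritative: OdnsAuthoritative):
        self.ip, self.auth, self.log = ip, authoritative, []

    def resolve(self, qname: str, client_ip: str) -> bytes:
        self.log.append((client_ip, qname))        # what this party learns
        if not qname.endswith("." + ODNS_ZONE):
            raise NotImplementedError("only the ODNS zone is modelled")
        return self.auth.handle(qname, self.ip)    # referral chain elided


class Stub:
    def __init__(self, ip: str, recursive: Recursive):
        self.ip, self.recursive = ip, recursive

    def lookup(self, name: str) -> str:
        key = secrets.token_bytes(16)              # fresh key per query
        qname = ".".join([to_labels(rsa_wrap(key)),
                          to_labels(seal(key, b"query", name.encode())),
                          ODNS_ZONE])
        return open_sealed(key, b"answer", self.recursive.resolve(qname, self.ip)).decode()


def run_exchange(name: str = "www.example.com") -> dict:
    auth = OdnsAuthoritative(ip="203.0.113.53")
    rec = Recursive(ip="198.51.100.1", authoritative=auth)
    stub = Stub(ip="192.0.2.77", recursive=rec)
    return {"answer": stub.lookup(name), "recursive_saw": rec.log, "odns_saw": auth.log}


if __name__ == "__main__":
    for party, seen in run_exchange().items():
        print(party, seen)
```

Running `run_exchange()` shows the split the abstract claims: the recursive's log holds the client address next to an opaque name under odns.example, and the authoritative's log holds the plaintext name next to the recursive's address; neither record alone links 192.0.2.77 to www.example.com. The cost side of the reply's question is also visible here: every query pays one public-key wrap at the stub and one unwrap at the authoritative, which is what a long-lived TLS session through a forwarder would amortize.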
