On Sat, Jul 14, 2018 at 8:30 PM Stephane Bortzmeyer <[email protected]> wrote:
> On Tue, Jul 03, 2018 at 06:18:51PM -0400,
> Ben Schwartz <[email protected]> wrote
> a message of 293 lines which said:
>
> > My main question for the authors is: how does this compare to
> > routing a DNS-over-TLS socket through a TCP forwarder?
>
> Isn't it what Tor is doing?

For the record, I'm proposing something much _weaker_ than Tor: a TCP packet forwarder relaying a DNS-over-TLS stream. It seems to me that this matches Oblivious DNS's security components: a non-transforming element (TCP forwarder, recursive resolver) to obscure the client IP, and then a cryptographic element (DPRIVE resolver, Oblivious DNS resolver) to decrypt the query without knowledge of the true source. I would be interested in understanding why the authors don't find this sufficient, especially since (unlike Tor) it's compatible with deployed DNS-over-TLS clients like Stubby. (I suspect they might object to the multi-query session semantics, or the wide variety of TLS ClientHellos, but I don't actually know.)

> Reasons to use Tor:
>
> * well known and studied, privacy-wise
> * there is even a public DoH resolver in .onion
>   <https://blog.cloudflare.com/welcome-hidden-resolver/>
>
> My first feeling about Oblivious DNS is that it looks like a
> reinvention of Tor, specific to the DNS.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
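The "non-transforming" TCP forwarder discussed in the message, as an added example (not code from the thread, Stubby, or any project): a minimal asyncio relay that copies bytes in both directions without inspecting them, so it could sit in front of a DoT resolver on port 853 and the resolver would see only the forwarder's address while the forwarder sees only TLS ciphertext. The echo upstream and the `relay_roundtrip` helper are constructed here purely for an offline demonstration.

```python
import asyncio


async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then propagate the half-close to the peer."""
    try:
        while data := await reader.read(4096):
            writer.write(data)          # bytes pass through untouched (TLS ciphertext)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except ConnectionError:
        pass


async def handle_client(client_reader, client_writer, upstream_host, upstream_port):
    """One relayed session: client <-> forwarder <-> upstream (e.g. a DoT resolver on 853)."""
    up_reader, up_writer = await asyncio.open_connection(upstream_host, upstream_port)
    try:
        await asyncio.gather(_pipe(client_reader, up_writer), _pipe(up_reader, client_writer))
    finally:
        up_writer.close()
        client_writer.close()


async def start_forwarder(upstream_host, upstream_port, listen_host="127.0.0.1", listen_port=0):
    """Listen locally and relay every accepted TCP connection to the upstream address."""
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, upstream_host, upstream_port), listen_host, listen_port)


# Constructed stand-in for the upstream: it echoes what it receives, which is
# enough to show that the forwarder neither alters nor needs to read the stream.
async def _echo(reader, writer):
    writer.write(await reader.read())
    await writer.drain()
    writer.close()


async def _roundtrip(payload):
    upstream = await asyncio.start_server(_echo, "127.0.0.1", 0)
    fwd = await start_forwarder("127.0.0.1", upstream.sockets[0].getsockname()[1])
    reader, writer = await asyncio.open_connection("127.0.0.1", fwd.sockets[0].getsockname()[1])
    writer.write(payload)
    await writer.drain()
    writer.write_eof()              # client is done sending; forwarder relays the half-close
    echoed = await reader.read()    # read until the upstream's close propagates back
    writer.close()
    fwd.close()
    upstream.close()
    return echoed


def relay_roundtrip(payload):
    """Send payload through forwarder -> echo upstream and return what came back."""
    return asyncio.run(_roundtrip(payload))
```

A real deployment would point `start_forwarder` at a DoT resolver and keep no logs, since the forwarder is the one party that sees the client's IP.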
