> On Jul 14, 2018, at 9:43 PM, Ben Schwartz <[email protected]> wrote:
>
> For the record, I'm proposing something much _weaker_ than Tor: a TCP packet
> forwarder relaying a DNS-over-TLS stream. It seems to me that this matches
> Oblivious DNS's security components: a non-transforming element (TCP
> forwarder, recursive resolver) to obscure the client IP, and then a
> cryptographic element (DPRIVE resolver, Oblivious DNS resolver) to decrypt
> the query without knowledge of the true source.
>
Yes, absolutely, this is a lot closer to the guarantees we’re going for. You’ve captured the spirit and the design goals. :-)

> I would be interested in understanding why the authors don't find this
> sufficient, especially since (unlike Tor) it's compatible with deployed
> DNS-over-TLS clients like Stubby.
>
> (I suspect they might object to the multi-query session semantics, or the
> wide variety of TLS ClientHellos, but I don't actually know.)

A reasonable idea, definitely. It strikes me that there will definitely be more overhead unless you’re pipelining queries on the connection, of course. We haven’t tried this, but I also wonder what happens to the TLS handshake if the IP address is rewritten through the forwarder. It does seem like a reasonable design alternative to consider and evaluate against.

Are you here at the Hackathon today? We can/should chat a little bit. I’m sitting near the front.

-Nick
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
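As an added illustration of the "non-transforming" TCP forwarder discussed in this thread (example code written for this page, not from either author or from any Oblivious DNS or DPRIVE implementation): a minimal relay that copies bytes in both directions without parsing them, next to a stand-in resolver that records the address it sees. All hosts, ports and the sample ClientHello bytes are constructed for the demo; it runs entirely on localhost. It shows the two properties Ben's design relies on: the stream reaches the resolver byte-for-byte (so a TLS handshake is not affected by the relay rewriting the source address), and the resolver's peer is the forwarder's socket rather than the client's.

```python
import socket
import threading

# Constructed stand-in for the first bytes of a DoT ClientHello (TLS record
# header 0x16 0x03 0x03 plus filler). The forwarder never parses it, so any
# bytes, including a real TLS record, travel unchanged.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160303") + b"\x00\x05HELLO"

def _pipe(src, dst):
    """Copy bytes one way until the source closes; no inspection, no rewriting."""
    try:
        chunk = src.recv(4096)
        while chunk:
            dst.sendall(chunk)
            chunk = src.recv(4096)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_resolver(observed):
    """Stand-in for the DPRIVE resolver: records the peer address and the bytes received."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def serve():
        conn, peer = srv.accept()
        observed["peer"] = peer                 # what the resolver can see as the source
        observed["data"] = conn.recv(4096)      # what the resolver receives, unmodified
        conn.sendall(b"ACK"); conn.close(); srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def start_forwarder(upstream, observed):
    """Non-transforming TCP forwarder: relays the stream and becomes the visible source."""
    fwd = socket.socket(); fwd.bind(("127.0.0.1", 0)); fwd.listen(1)
    def serve():
        client, _ = fwd.accept()                # forwarder does learn the client's address
        up = socket.create_connection(upstream)
        observed["forwarder_source"] = up.getsockname()
        threading.Thread(target=_pipe, args=(client, up), daemon=True).start()
        _pipe(up, client); client.close(); up.close(); fwd.close()
    threading.Thread(target=serve, daemon=True).start()
    return fwd.getsockname()

def run_demo():
    seen = {}
    forwarder_addr = start_forwarder(start_resolver(seen), seen)
    with socket.create_connection(forwarder_addr) as c:
        seen["client_source"] = c.getsockname()
        c.sendall(SAMPLE_CLIENT_HELLO)
        c.shutdown(socket.SHUT_WR)
        seen["reply"] = c.recv(16)
    return seen
```

The forwarder still observes the client's address and the timing and size of each TLS record, which is exactly why the design splits that knowledge from the party holding the decryption key.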
