> On 21 November 2018 at 21:17 Christian Huitema <[email protected]>
> wrote:
>
> You make it sound like some aggressive attack, but it is a trade-off.
> The IETF is working to enhance the privacy of DNS users,
I'd argue the opposite - what the IETF is doing is, overall, reducing the
privacy of DNS users, by trading some more privacy in transport for much less
privacy due to more centralization of DNS resolution operations on a global
scale, and to an uncontrollable mess of applications, each one starting to send
DNS queries to whatever server they like without the user having any practical
control mechanism, or even knowing what's happening.
> and the
> authenticity of DNS responses. Doing so inevitably affects the
> operations that relied on the lack of privacy or lack of security of DNS
> operations.
Well, no. Except for a few cases (e.g. transparent DNS proxying), DNS-based
security techniques do not rely on the "lack of privacy of DNS operations", and
the proof is that they would continue working perfectly well with DoT or DoH,
as long as the user continued to use the resolver on the local network.
Instead, DNS-based security techniques rely on the assumption that there will
be only one name server for all the applications on the user's device, and that
that server will be, at least by default, the one advertised by the local
network. This is the assumption that the IETF is disrupting, and that breaks a
lot of stuff that has full rights to exist and has nothing to do with invading
the user's privacy.
> Also, if you analyze the enterprise scenarios, you observe a need for
> both management and privacy. Enterprise managers would rather not see
> employees perusing frivolous web pages during work time, but they also
> don't want outside parties to analyze their web activities. Leaking DNS
> usage patterns to third parties can reveal work in progress, internal
> research, etc.
Which is exactly what happens if the enterprise's users start being
automatically connected to a DNS resolution service outside the local network
and managed by a third party, which is what DoH is doing.
Regards,
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
[email protected]
Office @ Via Treviso 12, 10144 Torino, Italy
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy