On Jul 7, 2014, at 8:24 AM, John Kristoff <[email protected]> wrote:

>> by implication, then, the remainder of possible problem statement
>> material is "hide question from on-wire surveillance", there being no
>> way to hide the questioner or the time. to further narrow this, the
>> prospective on-wire surveillance has to be from third parties who are
>> not also operators of on-path dns protocol agents, because any second
>> party could be using on-wire surveillance as part of their logging
>> solution, and by (2) above there is no way to hide from them. so we're
>> left with "hide question from on-wire surveillance by third parties."
>
> This sounds like DNSCurve's approach.
One important observation: ONLY the path between the client and the recursive resolver in the classic model substantially benefits from channel security.

Even if you wave a magic wand and all resolver<->authority communication becomes protected with 0-cost, 100% perfect data encryption, basic traffic analysis will largely be able to determine which domains are being looked up. Individual names within the domain are protected, but that is relatively minor.

The other problem is that DNS is used to guide endpoint communication. Between the resolver<->authority information leak and the actual IP selected by the endpoint itself for communication, a nation-state observer adversary can pretty much recover what the hostname in question was in many cases, and at least the domain in almost all cases.

--
Nicholas Weaver                 it is a tale, told by an idiot,
[email protected]                full of sound and fury,
510-666-2903                    .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
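As an added illustration of the traffic-analysis point in Nicholas Weaver's message (example code written for this page, not from the thread): a toy model in which the resolver<->authority payload is assumed perfectly encrypted, so a third party on that path sees only the destination address of the authoritative server and, later, the address the client connects to. All servers, zones and addresses are constructed.

```python
"""Toy model of what a passive third party learns on the resolver<->authority
path when the DNS payload itself is perfectly encrypted. All data constructed."""

# Constructed: authoritative servers and the zones each one serves.
AUTH_SERVERS = {
    "192.0.2.53": {"example.com."},                     # dedicated server
    "198.51.100.53": {"example.net.", "example.org."},  # shared hosting
}

# Constructed: zone contents, owner name -> service address.
ZONES = {
    "example.com.": {"www.example.com.": "203.0.113.10",
                     "mail.example.com.": "203.0.113.25"},
    "example.net.": {"www.example.net.": "203.0.113.40",
                     "cdn.example.net.": "203.0.113.80"},
    "example.org.": {"www.example.org.": "203.0.113.80"},  # shares an address
}

def zone_for(qname):
    """Longest zone suffix enclosing qname (the zone the resolver must ask)."""
    return max((z for z in ZONES if qname == z or qname.endswith("." + z)), key=len)

def observer_view(qname):
    """Metadata visible to an on-wire observer in the classic model: the
    authoritative server the resolver contacts (payload opaque) and the
    address the client then connects to. The qname itself is never seen."""
    zone = zone_for(qname)
    auth_ip = next(ip for ip, zs in AUTH_SERVERS.items() if zone in zs)
    return auth_ip, ZONES[zone][qname]

def infer_zones(auth_ip):
    """Step 1: the destination alone yields the candidate zone(s); a shared
    server leaves the observer with more than one, a dedicated one with exactly one."""
    return set(AUTH_SERVERS.get(auth_ip, ()))

def infer_names(auth_ip, endpoint_ip):
    """Step 2: intersect with the endpoint connection. Names that share an
    address behind the same server stay ambiguous; otherwise the name is recovered."""
    return {name for z in infer_zones(auth_ip)
            for name, ip in ZONES[z].items() if ip == endpoint_ip}
```

Two names in the same zone (www and mail under example.com.) produce the identical step-1 observation, which is the "individual names are protected" part; the step-2 intersection is what narrows it back to a hostname.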
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
