On Wed, 25 Sep 2013, Karl Malbrain wrote:
>> On Tue, 24 Sep 2013, Karl Malbrain wrote:
>>> To obviate the harvesting of meta-data, we do need a secure interface to DNS.
>> It might help but giving people urls that will trigger dns requests for
>> tracking is pretty easy. Only something like tor might safeguard against
>> that.
> I'm not following you here. Can you elaborate on the threat? I was referring
> to passive monitoring of DNS traffic by third parties who
> want to know what domains you are visiting.
A passive monitor can just wait and ignore your DNS and then see you
connect to IP a.b.c.d. They can easily find what's hosted there. I
mean netcraft even runs a public website where you can ask for all the
vhosts running on a certain IP.
And if you're going to use tor to hide that, then your DNS should also
have gone via TCP on the tor network.
An active attacker trying to de-anonymise you could use specifically
crafted DNS queries to lure you into resolving something that only
exists to catch you.
I think of the DNS as one of the only required non-encrypted services to
kickstart encryption, but I agree that we could hide DNS better using
Opportunistic Encryption (IPsec based). You would still need some
unencrypted DNS to setup the IPsec to the DNS servers though.
What we don't need though is another dns-like protocol to do so. (and
definitely not dnscurve, as it does not support dns data authenticity,
only transport security)
Paul
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
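The "something that only exists to catch you" from the reply above, worked through as an added example; this is not code from the thread or from either author. It assumes a tracker-controlled zone (t.example.net), a constructed secret, a constructed authoritative-server query-log format (time, resolver IP, QNAME) and addresses from the documentation ranges; none of these come from the original messages. Each recipient is handed a URL whose hostname carries a label unique to them; the tracker's own authoritative server then logs which label was looked up, when, and from which recursive resolver.

```python
import hmac
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Assumed tracker-controlled zone. The tracker runs the authoritative server
# for it and so sees every query for names beneath it, regardless of how the
# client protected the hop to its recursive resolver.
TRACKING_ZONE = "t.example.net"
LABEL_RE = re.compile(r"^([0-9a-f]{16})\." + re.escape(TRACKING_ZONE) + r"\.?$")

SECRET = b"example-only-secret"            # constructed for this example
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def tracking_token(recipient: str, secret: bytes) -> str:
    """Per-recipient label. HMAC keeps the label unguessable for anyone
    without the secret, while the tracker can recompute it at will."""
    return hmac.new(secret, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def tracking_url(recipient: str, secret: bytes) -> str:
    """A URL whose mere loading forces a lookup of a name unique to this
    recipient. Nothing has to be hosted there: the query is the signal."""
    return f"https://{tracking_token(recipient, secret)}.{TRACKING_ZONE}/p.png"


def parse_log_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Constructed log format: '<ISO-8601 time> <resolver IP> <QNAME>'.
    QNAME is lowercased because DNS names compare case-insensitively."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2].lower()


def deanonymise(log_lines: List[str], recipients: List[str],
                secret: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Map each recipient to the (time, resolver IP) pairs at which their
    unique name was looked up at the tracker's authoritative server."""
    by_token = {tracking_token(r, secret): r for r in recipients}
    hits: Dict[str, List[Tuple[str, str]]] = {r: [] for r in recipients}
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, resolver_ip, qname = parsed
        m = LABEL_RE.match(qname)
        if m is None:
            continue
        recipient = by_token.get(m.group(1))
        if recipient is not None:
            hits[recipient].append((ts, resolver_ip))
    return hits


def sample_log() -> List[str]:
    """Constructed query log as the tracker's authoritative server would see
    it. Alice resolves her name twice via two different resolvers, Bob once
    (mixed-case QNAME), Carol never. A malformed line, an unrelated name and
    a token for someone not on the recipient list are present to show they
    are ignored."""
    a = tracking_token("alice@example.org", SECRET)
    b = tracking_token("bob@example.org", SECRET)
    stranger = tracking_token("nobody@example.org", SECRET)
    return [
        f"2013-09-25T08:01:13Z 192.0.2.53 {a}.{TRACKING_ZONE}.",
        "2013-09-25T08:01:14Z 192.0.2.53 www.example.com.",
        "garbage line",
        f"2013-09-25T09:22:40Z 198.51.100.7 {b.upper()}.{TRACKING_ZONE}.",
        f"2013-09-25T11:05:02Z 203.0.113.9 {stranger}.{TRACKING_ZONE}.",
        f"2013-09-25T17:48:59Z 203.0.113.9 {a}.{TRACKING_ZONE}.",
    ]


if __name__ == "__main__":
    for r in RECIPIENTS:
        print(r, "->", tracking_url(r, SECRET))
    for r, seen in deanonymise(sample_log(), RECIPIENTS, SECRET).items():
        print(r, seen)
```

Two things the example makes concrete. Encrypting the stub-to-resolver hop changes nothing here, because the party doing the catching is the authoritative server, which must receive the query for the name to resolve at all. And what the log records is the recursive resolver's address, not the client's, which is why a client that hides its connections behind tor but still lets its DNS out through the local resolver has given away the very correlation it was trying to prevent.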