I see.....
Then the difference in security is that once you are targeted individually,
your connection meta-data are available for harvesting and something like tor
is required. But, if the monitoring is at the DNS server then encryption makes
it impossible to determine who should be targeted next.
________________________________
From: Paul Wouters <[email protected]>
To: Karl Malbrain <[email protected]>
Cc: perpass <[email protected]>; Stephen Farrell <[email protected]>
Sent: Wednesday, September 25, 2013 12:34 PM
Subject: Re: [perpass] DNS confidentiality
On Wed, 25 Sep 2013, Karl Malbrain wrote:
> On Tue, 24 Sep 2013, Karl Malbrain wrote:
>
> >> To obviate the harvesting of meta-data, we do need a secure interface to
> >> DNS.
>
> >It might help but giving people urls that will trigger dns requests for
> >tracking is pretty easy. Only something like tor might safeguard against
> >that.
>
> I'm not following you here. Can you elaborate on the threat? I was
> referring to passive monitoring of DNS traffic by third parties who
> want to know what domains you are visiting.
A passive monitor can just wait and ignore your DNS and then see you
connect to IP a.b.c.d. They can easily find what's hosted there. I
mean netcraft even runs a public website where you can ask for all the
vhosts running on a certain IP.
And if you're going to use tor to hide that, then your DNS should also
have gone via TCP on the tor network.
An active attacker trying to de-anonymise you could use specifically
crafted DNS queries to lure you into resolving something that only
exists to catch you.
I think of the DNS as one of the only required non-encrypted services to
kickstart encryption, but I agree that we could hide DNS better using
Opportunistic Encryption (IPsec based). You would still need some
unencrypted DNS to setup the IPsec to the DNS servers though.
What we don't need though is another dns-like protocol to do so. (and
definitely not dnscurve, as it does not support dns data authenticity,
only transport security)
Paul
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
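The two leakage paths Paul describes (a passive monitor that ignores DNS and maps the IPs you connect to back to the sites hosted there, and an active attacker who lures you into resolving a name that exists only to catch you) as an added Python example. This is illustration written for this page, not code from the thread or its authors; the vhost table, flow records, resolver log and the attacker-controlled zone canary.example are all constructed assumptions.

```python
"""Added example (not code from the perpass thread or its authors).

It models the two leakage paths discussed in the thread: a passive monitor
that ignores DNS and maps destination IPs to the sites hosted there, and an
active attacker who hands out unique "canary" hostnames and watches which
resolver asks for them. Every IP, hostname and log line below is constructed.
"""
from collections import defaultdict
import secrets
from typing import Dict, List, Tuple

# Constructed stand-in for a public "what is hosted on this IP" service
# (the netcraft-style vhost lookup mentioned in the thread).
VHOSTS_BY_IP: Dict[str, List[str]] = {
    "203.0.113.10": ["example.org", "blog.example.org"],
    "198.51.100.7": ["forum.example.net"],
    "192.0.2.55": ["cdn.example.com", "img.example.com", "static.example.com"],
}

# Constructed flow records as a passive monitor would see them after the
# (possibly encrypted) DNS exchange: (src_ip, dst_ip, dst_port).
FLOWS: List[Tuple[str, str, int]] = [
    ("10.0.0.5", "203.0.113.10", 443),
    ("10.0.0.5", "192.0.2.55", 443),
    ("10.0.0.9", "198.51.100.7", 443),
    ("10.0.0.9", "203.0.113.10", 80),
]


def infer_sites(flows, vhosts_by_ip) -> Dict[str, List[str]]:
    """Passive path: from destination IPs alone, list the sites each source
    may have visited. Shared hosting yields a candidate set, not a certainty,
    so the result is a sorted list of candidates per source."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if port not in (80, 443):  # only web traffic is of interest here
            continue
        seen[src].update(vhosts_by_ip.get(dst, [f"unknown host at {dst}"]))
    return {src: sorted(names) for src, names in seen.items()}


class CanaryIssuer:
    """Active path: each target gets a URL under a zone the attacker serves
    authoritatively (assumed here to be canary.example). Encrypting the
    stub-to-resolver hop does not help: the resolver still has to ask the
    authoritative server for the unique label, and that query is the tell."""

    def __init__(self, zone: str = "canary.example"):
        self.zone = zone.lower()
        self._label_to_target: Dict[str, str] = {}

    def issue(self, target_id: str) -> str:
        """Return a URL whose hostname is unique to this target."""
        label = secrets.token_hex(8)
        self._label_to_target[label] = target_id
        return f"http://{label}.{self.zone}/"

    def identify(self, auth_query_log: List[Tuple[str, str]]) -> Dict[str, str]:
        """Map resolver IP -> target from (resolver_ip, qname) pairs seen at
        the authoritative server. Queries outside the canary zone are ignored."""
        hits: Dict[str, str] = {}
        suffix = "." + self.zone
        for resolver_ip, qname in auth_query_log:
            name = qname.rstrip(".").lower()
            if not name.endswith(suffix):
                continue
            # the canary label is the one immediately left of the zone
            label = name[: -len(suffix)].split(".")[-1]
            target = self._label_to_target.get(label)
            if target is not None:
                hits[resolver_ip] = target
        return hits


if __name__ == "__main__":
    for src, sites in infer_sites(FLOWS, VHOSTS_BY_IP).items():
        print(f"{src} probably visited: {', '.join(sites)}")
    issuer = CanaryIssuer()
    url = issuer.issue("recipient-42")
    label = url.split("//", 1)[1].split(".", 1)[0]
    # Constructed query log from the attacker's authoritative server.
    log = [("198.51.100.200", f"{label}.canary.example."),
           ("198.51.100.200", "www.example.org.")]
    print("resolved the canary:", issuer.identify(log))
```

`infer_sites` shows why encrypting the DNS hop alone does not hide destinations: the flow log plus a public IP-to-vhost map recovers a candidate site list, with shared hosting as the only source of ambiguity. `CanaryIssuer` shows the active variant: the unique label only has to reach the attacker's authoritative server once, from whatever resolver the target uses, which is the reason the thread points at tor (and carrying DNS over it) rather than at transport encryption of the stub-to-resolver leg.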