On Sun, Mar 8, 2015 at 7:48 PM, Christian Huitema <huit...@huitema.net> wrote:
> > What worries me is if we build a circular dependency into the stack. TLS > is layered on top of DNS at several points. The names used in TLS are DNS > names. > > Let's step back a minute. We are worried that TLS carries clear text that > may disclose the nature of the service. In the absence of such disclosure, > adversaries only know that the client is using "one of the many services > collocated at the IP address of this server." With the disclosure, > adversaries discover that the client is "using a private DNS resolver > service located at the IP address of the server." > > But then, look at what happen if we define a special purpose protocol, > different from TLS. Adversaries can presumably identify that this is "the > DPRIVE protocol." Thus, they can identify that the client is "using a > private DNS resolver service located at the IP address of the server." > > What kind of privacy would we gain? > The privacy concern DPRIV is trying to address is to prevent an adversary seeing the contents of DNS traffic or being able to deduce them from packet sizes, timing etc. That is a very different problem from stopping the attacker from being able to distinguish DNS traffic from HTTP. At the extreme, any client connecting to 8.8.8.8 is doing DNS... Now there are techniques that we can use to make the observation somewhat harder. But there we have stepped outside the 'stop pervasive monitoring' brief and we are trying to prevent pervasive censorship. That is an important problem but not one that we are focused on here. DNS client-resolver queries over TCP and TLS is going to be quite easy to identify as DNS traffic. The problem I have been concerned about in this thread is that if we assume DPRIV succeeds, we will still be leaking the DNS names through the SNI feature in HTTPS, i.e. HTTP-over-TLS. HTTPS privacy isn't the problem we are solving right now but DPRIV privacy isn't going to be worth very much if the information we are securing is then disclosed in the HTTP/HTTPS layer. So we have to solve DPRIV in a way that does not paint us into a corner when we try to solve the next puzzle.
_______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy