Re: [swinog] Google DNS on Salt Mobile

2018-11-01 Threads Bill Woodcock


> On Nov 1, 2018, at 12:45 AM, Gregor Riepl  wrote:
> 
>> Quad9 collects:
>> 
>> - Aggregate count of IPv4 queries per site
> .
>> - Aggregate count of queries matching each blocked domain per site, for 
>> queries which are directed to the malware-filtering addresses.
>> 
>> In the future, Quad9 may also count aggregate number of queries matching 
>> blocked domains by origin AS, but there’s no active project to implement 
>> that.
> 
> As any other centralised service, a DNS resolver will implicitly collect…

The word “collect” is generally understood to mean “record” or “retain” and 
I’ve used it in that sense.  By intention and design, neither of those are true 
for Quad9, with respect to any PII.  No PII is recorded or retained, except in 
the sense that the source IP address of any query is used to address the reply.

> …and pass on any traffic that goes through it.

No, that’s false.  Please read RFCs 7816 and 7871.  Quad9 implements the former 
and not the latter, in order to minimize the leakage of data from end-user to 
authoritative server.  Moreover, that’s only an issue with zones for which PCH 
is not authoritative.  For all those for which PCH is authoritative, no queries 
pass “through” to anywhere else.

Again, if, after acquainting yourself with Quad9’s practices and the relevant 
RFCs, you see any way in which Quad9 could provide better privacy or security 
protections to users, they would VERY MUCH LIKE YOUR CONSTRUCTIVE INPUT, as 
that’s the entire point.  It’s an open and transparent community project, to 
serve the community.

> Integrity is a bigger issue and there are many examples where it is actively
> being violated - this is at least partially addressed by DNSSEC.

Which is why Quad9 was the first global anycast resolver to implement DNSSEC 
validation, and why PCH is the only DNSSEC operator besides ICANN to implement 
FIPS 140-2 Level 4 security.

> The question is what happens with the data.

Only if “the data” is collected in the first place, and I regard doing so as a 
failure.  If data is collected, it will inevitably be breached or disclosed.  
The only defense against this is to not collect data in the first place.  
Which, again, is the entire point of Quad9.

>> While you’re right, that has no bearing, since the labels aren’t being 
>> collected.
> 
> In the end, this is a question of who you trust and who you don’t.

Exactly.  The reasonable thing to do is to operate your own RFC 7816-compliant 
caching resolver at your border, and use a recursive resolver with policies 
that match your self-interest.  And that’s what ~95% of Quad9’s users do, to 
the best of their understanding.  Which is admittedly/purposely/by-design a 
limited understanding, since there’s no institutionalized concept of a “user.”  
However, since it’s a community, there’s a lot of discussion and mutual support 
and exchange of anecdotal information.  And during the pilot (November 
2016-November 2017) there was active interaction with the pilot users.

> My initial complaint was more directed at the fact that an ISP is
> delivering data about a customer's habits to the one of the biggest service
> providers on the planet on a silver platter, and without their customer's
> consent to boot.
> That's not ok.

Completely agreed.

Unfortunately, nearly all large ISPs and many small ones are doing this, though 
usually not in as obvious a fashion as you observed.  Most outsource operation 
of “their” resolvers to companies which monetize on the back end, without 
changing the IP address.

-Bill




___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
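The RFC 7816 and RFC 7871 point in the message above, as an added example that is not code from the thread, from Quad9 or from PCH: a resolver-side simulation of which query names each authoritative server sees with and without QNAME minimisation, and an encoder/decoder for the EDNS Client Subnet (ECS) option, so that "implements RFC 7816 and not RFC 7871" becomes visible as shorter names going upstream and no ECS option being attached. The delegation tree (`.`, `uk.`, `co.uk.`, `example.co.uk.`), the client addresses and the policy names `no-ecs` and `ecs/24` are constructed for the example; nothing here describes Quad9's actual software.

```python
# Added example (not from the swinog thread or from Quad9/PCH): simulates the
# queries an iterative resolver sends with and without RFC 7816 QNAME
# minimisation, and builds/parses the RFC 7871 EDNS Client Subnet option.
# The delegation tree and client addresses are constructed for the example.
import struct
from ipaddress import ip_address

# Constructed delegation tree: these names are zone cuts with their own servers.
ZONE_CUTS = {".", "uk.", "co.uk.", "example.co.uk."}
ECS_OPTION_CODE = 8  # RFC 7871, section 6


def suffixes(qname):
    """'www.example.co.uk.' -> ['.', 'uk.', 'co.uk.', 'example.co.uk.', 'www.example.co.uk.']"""
    parts = qname.rstrip(".").split(".")
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def iterative_queries(qname, qtype="A", minimise=True):
    """Queries sent while resolving qname from the root, as
    (zone whose servers are asked, QNAME sent, QTYPE sent) tuples.

    Classic behaviour sends the full QNAME to every server on the way down.
    RFC 7816 sends each server only one label more than the zone it serves,
    asking for NS until the final name is reached, so the root learns 'uk.'
    rather than 'www.example.co.uk.'.
    """
    chain = suffixes(qname)
    if not minimise:
        return [(zone, qname, qtype) for zone in chain if zone in ZONE_CUTS]
    queries, zone = [], "."
    for name in chain[1:]:
        queries.append((zone, name, qtype if name == qname else "NS"))
        if name in ZONE_CUTS:  # referral received: move down one zone
            zone = name
    return queries


def names_seen_by(zone, qname, minimise):
    """Set of QNAMEs the servers for `zone` observe during one resolution."""
    return {q for z, q, _ in iterative_queries(qname, minimise=minimise) if z == zone}


def encode_ecs(client_ip, source_prefix):
    """Build an ECS option: OPTION-CODE, OPTION-LENGTH, FAMILY,
    SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in a query), truncated ADDRESS."""
    ip = ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    nbytes = (source_prefix + 7) // 8
    addr = bytearray(ip.packed[:nbytes])
    if source_prefix % 8:  # RFC 7871: bits beyond the prefix MUST be zero
        addr[-1] &= (0xFF << (8 - source_prefix % 8)) & 0xFF
    body = struct.pack("!HBB", family, source_prefix, 0) + bytes(addr)
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option):
    """Parse an ECS option into (family, source_prefix, scope_prefix, network)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr = option[8:4 + length]
    full = 4 if family == 1 else 16
    return family, source, scope, ip_address(addr + bytes(full - len(addr)))


def upstream_edns_options(client_ip, policy):
    """EDNS options a recursive resolver attaches to the query it sends to an
    authoritative server on behalf of client_ip (policy names are constructed):
      'no-ecs' : nothing about the client leaves the resolver
      'ecs/24' : forward the client's IPv4 /24 (IPv6 /56), a common ECS choice
    """
    if policy == "no-ecs":
        return []
    if policy == "ecs/24":
        prefix = 24 if ip_address(client_ip).version == 4 else 56
        return [encode_ecs(client_ip, prefix)]
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for minimise in (False, True):
        print("minimised" if minimise else "classic  ",
              iterative_queries("www.example.co.uk.", minimise=minimise))
    for opt in upstream_edns_options("192.0.2.77", "ecs/24"):
        print(decode_ecs(opt))
```

Two caveats a practitioner would add: a real resolver caches the root and TLD referrals, so the upper zones do not see a query for every client lookup either way; and RFC 9156, which replaced RFC 7816 in 2021, keeps the same label-by-label idea but changes the recommended query type for the intermediate queries, which the simulation above ignores.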


Re: [swinog] Google DNS on Salt Mobile

2018-10-31 Threads Bill Woodcock


> On Oct 29, 2018, at 11:38 PM, Jeroen Massar  wrote:
> 
> On 2018-10-30 00:25, Bill Woodcock wrote:
>>> On Oct 29, 2018, at 1:16 AM, Gregor Riepl  wrote:
>>> It seems like Salt is no longer supplying their own DNS servers when
>>> establishing an LTE connection. Instead, the network responds with Google DNS
>>> servers (8.8.8.8 8.8.4.4).
>>> I'd rather not send all my DNS requests to Google.
>>> Perhaps it's time to switch to private resolvers everywhere, if not even ISPs
>>> are providing that service any more…
>> For what it’s worth, there’s a Quad9 server cluster in Zurich, and
>> unlike Google, Quad9 is GDPR-compliant.  As someone will certainly
>> point out, it’s also subject to US law, but is a public-benefit
>> not-for-profit corporation, and US law doesn’t compel an organization
>> to turn over data which isn’t collected in the first place.  And Quad9
>> is GDPR-compliant because it doesn’t collect source IP addresses in
>> the first place.
> 
> How can something be "GDPR compliant" when no consent is given at all?

By not collecting any PII.

> Have you layered HTTP on top of DNS to provide a 20-pager of legalese that 
> nobody can be bothered to read as it will change at a moment's notice?

No.

> Stating "it doesn’t collect source IP addresses" means "but we collect 
> everything else”.

That’s an obviously false statement, and doesn’t usefully contribute to the 
conversation.

Quad9 collects:

 - Aggregate count of IPv4 queries per site
 - Aggregate count of IPv6 queries per site
 - Aggregate count of UDP queries per site
 - Aggregate count of TCP queries per site
 - Aggregate count of TLS queries per site
 - Aggregate count of HTTPS queries per site
 - Aggregate count of DNSCrypt queries per site
 - Aggregate count of queries matching each blocked domain per site, for 
queries which are directed to the malware-filtering addresses.

In the future, Quad9 may also count aggregate number of queries matching 
blocked domains by origin AS, but there’s no active project to implement that.

If you see a privacy problem with any of that, please tell them.  Or tell me, 
and I'll pass it along.  The entire purpose is to improve privacy and security.  
If they're not actually doing that, they're failing, and there's no point in 
doing it if it's failing.

> IP addresses, especially sources, sometimes also appear in the label, simply 
> because some weird CDNs/ISPs will encode the source IP for 'geo-dns' or 
> 'loadbalancing' reasons in the label.

While you’re right, that has no bearing, since the labels aren’t being 
collected.

> Are you stripping those?

Or do you mean RFC 7816?  Yes.  I believe it may not be entirely rolled out in 
production yet, but that may have gotten finished while I wasn’t looking.

> And then there are RBLs, and reverse-IPs in general. Do you filter those?

Can you ask the question more explicitly?  I don’t understand it as stated.

> There are many reasons why so many of the public DNS resolvers popped up: one 
> of them is the amount of data that can be extracted from it.

Exactly.  And in Quad9’s case the reason is because privacy regulators were 
looking for an exemplar to use in their argument that collection of PII wasn’t 
a business requirement for operating a DNS resolver.

> Please stop centralizing this Internet thing….

To the best of my knowledge, I’ve spent the past thirty years doing the 
opposite.  If you have some reason to believe otherwise, please bring it to my 
attention.

-Bill




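The list of counters in the message above, as an added example (not code from the thread, from Quad9 or from PCH) of an aggregation pass that derives exactly those per-site counts and nothing else: the source address and the query name are consumed to classify each query and then dropped, never written anywhere. The input records, site names and blocklist are constructed; the assumption that 9.9.9.9 is a malware-filtering address and 9.9.9.10 an unfiltered one is not stated in the thread.

```python
# Added example (not from the swinog thread or from Quad9/PCH): produces only
# the per-site aggregate counters listed in the message, discarding source
# addresses and query names once each query has been classified.
# Records, site names and the blocklist are constructed for the example.
from collections import Counter, defaultdict
from ipaddress import ip_address

FILTERING_ADDRESSES = {"9.9.9.9"}  # assumption, not stated in the thread
TRANSPORTS = {"udp", "tcp", "tls", "https", "dnscrypt"}

# Constructed blocklist: a name matches an entry if it is the entry or a subdomain of it.
BLOCKLIST = {"malware.example.", "c2.example.net."}

# Constructed query records in a simple key=value format (one query per line).
SAMPLE = """\
site=zrh transport=udp src=192.0.2.10 dst=9.9.9.9 qname=www.example.com.
site=zrh transport=tls src=2001:db8::1 dst=9.9.9.9 qname=cdn.malware.example.
site=zrh transport=udp src=198.51.100.7 dst=9.9.9.10 qname=c2.example.net.
site=zrh transport=tcp src=192.0.2.11 dst=9.9.9.9 qname=C2.example.NET
site=ams transport=https src=203.0.113.5 dst=9.9.9.9 qname=malware.example.
""".splitlines()


def blocked_entry(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry covering qname (case-insensitive, any depth), or None."""
    name = qname.lower().rstrip(".") + "."
    while name:
        if name in blocklist:
            return name
        dot = name.find(".")
        name = name[dot + 1:]  # strip the leftmost label; '.' -> '' ends the loop
    return None


def parse_record(line):
    """'site=zrh transport=udp src=... dst=... qname=...' -> dict of fields."""
    return dict(field.split("=", 1) for field in line.split())


def aggregate(lines):
    """Return {site: {counter_name: count}} and nothing else.

    src is used only to decide IPv4 vs IPv6, qname only for blocklist matching
    on queries sent to a filtering address; neither is kept.
    """
    per_site = defaultdict(Counter)
    for line in lines:
        rec = parse_record(line)
        c = per_site[rec["site"]]
        c["ipv6" if ip_address(rec["src"]).version == 6 else "ipv4"] += 1
        transport = rec["transport"]
        if transport not in TRANSPORTS:
            raise ValueError(f"unknown transport {transport!r}")
        c[transport] += 1
        if rec["dst"] in FILTERING_ADDRESSES:
            entry = blocked_entry(rec["qname"])
            if entry:
                # counted per blocklist entry, not per queried name
                c["blocked:" + entry] += 1
    return {site: dict(counts) for site, counts in per_site.items()}


if __name__ == "__main__":
    for site, counts in aggregate(SAMPLE).items():
        print(site, counts)
```

Because the label is used only for the blocklist match and never retained, an IP address embedded in a label (the geo-DNS case raised in the quoted question) does not reach the output either. The remaining privacy consideration with counters of this kind is low counts at small sites, which is a property of the site, not of the code.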


Re: [swinog] Google DNS on Salt Mobile

2018-10-30 Threads Jeroen Massar

On 2018-10-30 00:25, Bill Woodcock wrote:
>> On Oct 29, 2018, at 1:16 AM, Gregor Riepl  wrote:
>> It seems like Salt is no longer supplying their own DNS servers when
>> establishing an LTE connection. Instead, the network responds with Google DNS
>> servers (8.8.8.8 8.8.4.4).
>> I'd rather not send all my DNS requests to Google.
>> Perhaps it's time to switch to private resolvers everywhere, if not even ISPs
>> are providing that service any more…
> 
> For what it’s worth, there’s a Quad9 server cluster in Zurich, and
> unlike Google, Quad9 is GDPR-compliant.  As someone will certainly
> point out, it’s also subject to US law, but is a public-benefit
> not-for-profit corporation, and US law doesn’t compel an organization
> to turn over data which isn’t collected in the first place.  And Quad9
> is GDPR-compliant because it doesn’t collect source IP addresses in
> the first place.

How can something be "GDPR compliant" when no consent is given at all? 
(Or have you layered HTTP on top of DNS to provide a 20-pager of 
legalese that nobody can be bothered to read as it will change at a 
moment's notice?)

Stating "it doesn’t collect source IP addresses" means "but we collect 
everything else". Likely doing Passive DNS style things at minimum.

IP addresses, especially sources, sometimes also appear in the label, 
simply because some weird CDNs/ISPs will encode the source IP for 
'geo-dns' or 'loadbalancing' reasons in the label. Are you stripping 
those?

And then there are RBLs, and reverse-IPs in general. Do you filter 
those? Or do you track those IP addresses anyway, as that exposes the 
other side of the connection?

There are many reasons why so many of the public DNS resolvers popped 
up: one of them is the amount of data that can be extracted from it.

Even if it is just the weird domains people look at (and then crawl 
those, as they were not known yet), or statistics like "in that ASN 
people look at Netflix, but less at Youtube".

Please stop centralizing this Internet thing

Greets,
 Jeroen

> And yes, we recommend anyone who has the capacity to do so run their
> own resolver rather than using _any_ external resolver.  Something
> like 95% of Quad9’s users are behind their own caching resolvers.
> 
> -Bill









Re: [swinog] Google DNS on Salt Mobile

2018-10-29 Threads Bill Woodcock


> On Oct 29, 2018, at 1:16 AM, Gregor Riepl  wrote:
> It seems like Salt is no longer supplying their own DNS servers when
> establishing an LTE connection. Instead, the network responds with Google DNS
> servers (8.8.8.8 8.8.4.4).
> I'd rather not send all my DNS requests to Google.
> Perhaps it's time to switch to private resolvers everywhere, if not even ISPs
> are providing that service any more…

For what it’s worth, there’s a Quad9 server cluster in Zurich, and unlike 
Google, Quad9 is GDPR-compliant.  As someone will certainly point out, it’s 
also subject to US law, but is a public-benefit not-for-profit corporation, and 
US law doesn’t compel an organization to turn over data which isn’t collected 
in the first place.  And Quad9 is GDPR-compliant because it doesn’t collect 
source IP addresses in the first place.

And yes, we recommend anyone who has the capacity to do so run their own 
resolver rather than using _any_ external resolver.  Something like 95% of 
Quad9’s users are behind their own caching resolvers.

-Bill






Re: [swinog] Google DNS on Salt Mobile

2018-10-29 Threads Gregor Riepl
>> It seems like Salt is no longer supplying their own DNS servers when
>> establishing an LTE connection. Instead, the network responds with Google DNS
>> servers (8.8.8.8 8.8.4.4).
> 
> They seem to use a mix of Google Public DNS and own resolvers.

You are right; the list of servers is somewhat randomised and contains more
than two entries.

Since my local resolver library only supports two DNS servers at once, I
simply wasn't seeing Salt's own DNS server for a while.

Still, I don't think it's very nice to push Google DNS to clients.






Re: [swinog] Google DNS on Salt Mobile

2018-10-29 Threads Daniel Stirnimann
Hello Greg,

> It seems like Salt is no longer supplying their own DNS servers when
> establishing an LTE connection. Instead, the network responds with Google DNS
> servers (8.8.8.8 8.8.4.4).

They seem to use a mix of Google Public DNS and own resolvers.

I noticed this a year ago as well:
https://twitter.com/seckle_ch/status/935547795066572800

Measurements from APNIC about the DNSSEC validation rate for end users of
Salt and the use of Google Public DNS do not show a clear trend:
https://stats.labs.apnic.net/dnssec/AS15796?c=CH=0=30=1

Daniel




Re: [swinog] Google DNS on Salt Mobile

2018-10-29 Threads xaerni
Hello.

I have read that Salt has an Internet problem today. When Salt now uses Google
DNS, I think they have a DNS problem. I think this is now a workaround.

Greetings,
Xaver

Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Gregor Riepl
Date: 29.10.18 09:16 (GMT+01:00)
To: swi...@swinog.ch
Subject: [swinog] Google DNS on Salt Mobile

Hi,

It seems like Salt is no longer supplying their own DNS servers when
establishing an LTE connection. Instead, the network responds with Google DNS
servers (8.8.8.8 8.8.4.4).

Is there a particular reason for that?

I'd rather not send all my DNS requests to Google.
Perhaps it's time to switch to private resolvers everywhere, if not even ISPs
are providing that service any more...

Thanks for any info.

Greg