[dns-operations] Introducing DNSCrypt

Nicholas Suan nsuan at nonexiste.net
Wed Dec 7 14:58:32 UTC 2011


On Wed, Dec 7, 2011 at 7:56 AM, Shane Kerr <shane at isc.org> wrote:
> Bill,
>
> On Tue, 2011-12-06 at 14:15 -0500, Bill Owens wrote:
>> On Tue, Dec 06, 2011 at 01:44:47PM -0500, Paul Wouters wrote: I
>> understand the risk of snoopable networks; I just don't see the benefit
>> of encrypted DNS traffic. I can have this sort of conversation:
>>
>> client -> RDNS DNS standard query A www.facebook.com
>> RDNS -> client DNS standard query response A 66.220.147.11
>> client -> 66.220.147.11 TCP 64982 > 80 [SYN] Seq=0
>> . . . etc
>>
>> Or I can have
>> client -> RDNS <some encrypted traffic>
>> RDNS -> client <some more encrypted traffic>
>> client -> 66.220.147.11 TCP 64982 > 80 [SYN] Seq=0
>> . . . etc
>>
>> Either way it's pretty clear what I'm doing, right?
>
> You can also have:
>
> client -> RDNS <some encrypted traffic>
> RDNS -> client <some more encrypted traffic>
> client -> 70.40.212.69 TCP 64997 > 443 [SYN] Seq=0
> . . . etc
>
> Where 70.40.212.69 is a big hosting site. Not perfect protection, but
> there is some value here.
>
> Encrypting the DNS query stream does add some value, IMHO.
>

I don't think that changes much, since SNI isn't supported by IE on
Windows XP, which still has ~40% of the browser market.
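The disagreement above turns on what a passive observer can still read once the DNS exchange is encrypted: the destination IP in the TCP SYN, and, for HTTPS, whether the TLS ClientHello carries the host name in the cleartext server_name (SNI) extension. The following is an added example, not code from the original thread or from any of its authors. It constructs a minimal TLS 1.2 ClientHello record with and without the SNI extension and parses the host name back out the way a sniffer on the path would; the builder, the sample host name www.facebook.com and the fixed cipher suites are illustrative assumptions.

```python
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input).

    With server_name set, a server_name (SNI) extension is included, as
    modern browsers send it. With server_name=None no extensions block is
    emitted at all, which is what a pre-SNI client sends.
    """
    client_random = bytes(32)  # fixed instead of random, for reproducibility
    cipher_suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128_CBC_SHA, _256_
    body = b"\x03\x03" + client_random
    body += b"\x00"  # empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"  # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    # Record layer: handshake(22), legacy version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name in a ClientHello record, or None if there is none.

    This is what an on-path observer does: no keys are needed, because the
    ClientHello is sent before any encryption is negotiated.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None  # no extensions block: pre-SNI client, only the IP leaks
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:  # server_name extension
            lpos = 2  # skip the 2-byte server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:  # host_name
                    return name.decode("ascii")
                lpos += 3 + nlen
    return None


def observer_view(server_name):
    """What a sniffer learns from the ClientHello of a client using server_name."""
    return extract_sni(build_client_hello(server_name))


if __name__ == "__main__":
    print("SNI-capable client:", observer_view("www.facebook.com"))
    print("client without SNI:", observer_view(None))
```

With the DNS query hidden, the SNI-capable client still hands the host name to anyone on the path in the very first TLS message; the client without SNI reveals only the destination IP, which is the case where a shared hosting address gives the partial cover Shane describes.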
