[dns-operations] Introducing DNSCrypt

John Kristoff jtk at cymru.com
Tue Dec 6 18:47:20 UTC 2011


On Tue, 6 Dec 2011 12:57:48 -0500
Bill Owens <owens at nysernet.org> wrote:

> I'm having difficulty understanding the value of encrypting one's DNS
> query stream. It doesn't provide any meaningful privacy improvement,
> and I can't see what else it would do. 

Far be it for me to be a spokesperson for OpenDNS, but from a neutral 3rd
party, I can see how it might protect the privacy of an OpenDNS client
from the network(s) the DNS messages traverse.  This may also help
mitigate "silly DNS tricks" the network providers may attempt to put in
place otherwise.

However, from the network perspective, this is also problematic,
since they cannot now easily analyze or mitigate problems they suspect
in the DNS communications path without disrupting it entirely or
enlisting the help of OpenDNS directly.

> I think that I understand the specific motivations for OpenDNS to
> deploy their current project; I don't think those motivations are
> generally applicable, since they depend on the particular business
> model used by OpenDNS. And I don't see any benefit to encryption in
> their use case, either. Am I missing something?

Note also that David said it "strives" for UDP, which may imply that
it will try to route around "damage" by using TCP, alternate ports,
alternate resolvers or whatever, much like Skype might do to function
properly. I think what you find here is that encryption is just one
small piece of what OpenDNS is bringing to the market.

If I could offer one suggestion publicly, it would be for OpenDNS to talk
about lessons learned and share some insights about deployment at an
upcoming event or submit an academic paper to one of the appropriate
places.

John
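The privacy and "silly DNS tricks" point above comes down to what a network on the path can read and rewrite in plaintext DNS. The following is an added example, not code from this thread, from OpenDNS or from DNSCrypt, and it does not implement the DNSCrypt protocol itself: it is a minimal parser for RFC 1035 wire-format DNS messages that shows what an on-path observer extracts from an unencrypted query, plus a constructed response of the kind a rewriting middlebox could inject (the name example.net, transaction id and address 203.0.113.9 are made-up sample data).

```python
"""Added example: what an on-path observer can read from, and inject into,
plaintext DNS. Sample packets are constructed inline; nothing is sent."""
import struct


def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name at `off`; return (name, next_offset)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                # caller resumes after the 2-byte pointer
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end


def parse_dns(msg: bytes) -> dict:
    """Parse header, question and answer sections: the observer's view."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Standard recursive query (flags 0x0100 = RD), one question, no answers."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def build_rewritten_response(query: bytes) -> bytes:
    """Constructed 'silly DNS trick': an on-path box answers the plaintext query
    itself, pointing the name at an address of its choosing (203.0.113.9, made up).
    It can do this only because it could read the id and question in the clear."""
    txid = parse_dns(query)["id"]
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = query[12:]                                   # echoed verbatim
    answer = (b"\xc0\x0c"                                    # pointer to name at offset 12
              + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 9]))
    return hdr + question + answer


# Constructed sample traffic (not captured from a real network).
QUERY = build_query(0x1234, "example.net")
RESPONSE = build_rewritten_response(QUERY)

if __name__ == "__main__":
    print("observer sees query:   ", parse_dns(QUERY))
    print("observer injects reply:", parse_dns(RESPONSE))
```

Everything the parser prints is what the transit networks in the thread can see or forge today; encrypting the stream removes both the visibility and the rewriting opportunity, which is exactly why the same change also removes the operator's ability to troubleshoot that path without the resolver's cooperation.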



More information about the dns-operations mailing list