[dns-operations] Introducing DNSCrypt

Jothan Frakes jothan at gmail.com
Wed Dec 7 07:09:12 UTC 2011


On Tue, Dec 6, 2011 at 9:44 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Dec 7, 2011, at 11:48 AM, Jothan Frakes wrote:
>
> > Isn't that bot/c&c visibility just opaque on the local or other
> transport nets? Seems like OpenDNS or the server providing encrypted
> responses would see it.
>
> The point is for access network operators to be able to see it.
>
>
Totally agree.  In many cases they may even be compelled by company policy
or even by law to do so.  This seems like encrypted endpoints would / could
obfuscate even DPI intervention on the local network.


> > In fact, this might provide a central resolver a more complete picture of
> bot/c&c activity levels, absent interventions.
>
> I don't see how encryption helps with that at all - quite the opposite.
>

In this case OpenDNS would seemingly have visibility to all the DNS
requests, so they see the bot/c&c activity there.


>
> > It could even be said that this might improve detection of activity that
> might otherwise be below an observable threshold due to current
> interventions.
>
> The point of visibility is to *enable* intervention.
>

Yes (amen to that, too, especially some of those requiring immediate
attention).

My point, perhaps poorly articulated, was that 'local' intervention
quashes some activity in many networks such that it is only seen in those
networks and not beyond or upstream.  There are many in the security realm
and antivirus, etc., that use the heuristics and patterns of activity to
sense bot/c&c activity in the wild.  They see some of it, but the local
intervention on some of the networks MAY eliminate visibility into it,
leaving some malware activity statistically irrelevant below thresholds,
where the visibility to the raw activity might have been above thresholds.

:)

-J