[dns-operations] Introducing DNSCrypt
Shane Kerr
shane at isc.org
Wed Dec 7 12:56:27 UTC 2011
Bill,
On Tue, 2011-12-06 at 14:15 -0500, Bill Owens wrote:
> On Tue, Dec 06, 2011 at 01:44:47PM -0500, Paul Wouters wrote:
>
> I understand the risk of snoopable networks; I just don't see the benefit
> of encrypted DNS traffic. I can have this sort of conversation:
>
> client -> RDNS DNS standard query A www.facebook.com
> RDNS -> client DNS standard query response A 66.220.147.11
> client -> 66.220.147.11 TCP 64982 > 80 [SYN] Seq=0
> . . . etc
>
> Or I can have
> client -> RDNS <some encrypted traffic>
> RDNS -> client <some more encrypted traffic>
> client -> 66.220.147.11 TCP 64982 > 80 [SYN] Seq=0
> . . . etc
>
> Either way it's pretty clear what I'm doing, right?
You can also have:
client -> RDNS <some encrypted traffic>
RDNS -> client <some more encrypted traffic>
client -> 70.40.212.69 TCP 64997 > 443 [SYN] Seq=0
. . . etc
Where 70.40.212.69 is a big hosting site. Not perfect protection, but
there is some value here.
Encrypting the DNS query stream does add some value, IMHO.
--
Shane
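The point being argued in this thread (encrypted DNS hides the query, but the destination address of the following TCP connection still leaks the site unless the address is shared) can be made concrete with a small analysis script. This is an added example, not code from the thread; the flow log and the IP-to-hostname map are constructed, and the hostnames under the shared-hosting address are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample flow log in the shape used in the thread: an encrypted
# DNS exchange followed by a TCP SYN to the address that was resolved.
FLOW_LOG = """\
client -> RDNS <some encrypted traffic>
RDNS -> client <some more encrypted traffic>
client -> 66.220.147.11 TCP 64982 > 80 [SYN] Seq=0
client -> RDNS <some encrypted traffic>
RDNS -> client <some more encrypted traffic>
client -> 70.40.212.69 TCP 64997 > 443 [SYN] Seq=0
"""

# Constructed (hypothetical) map of destination IP -> names known to be served
# there, as a passive observer might build from passive DNS or certificate SANs.
HOSTED_NAMES = {
    "66.220.147.11": {"www.facebook.com"},
    "70.40.212.69": {"blog-a.example", "shop-b.example",
                     "forum-c.example", "wiki-d.example"},
}

SYN_RE = re.compile(r"^client -> (\d+\.\d+\.\d+\.\d+) TCP \d+ > (\d+) \[SYN\]")

Inference = namedtuple("Inference", "ip port candidates")


def infer_destinations(flow_log, hosted_names):
    """For each outbound SYN, return the names an observer can infer from the
    destination address alone; the encrypted DNS lines contribute nothing."""
    results = []
    for line in flow_log.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue  # encrypted DNS traffic: no name is visible here
        ip, port = m.group(1), int(m.group(2))
        candidates = frozenset(hosted_names.get(ip, set()))
        results.append(Inference(ip, port, candidates))
    return results


def anonymity_set_size(inference):
    """Number of distinct names the destination could be: 1 means the address
    alone identifies the site; larger means the site hides among co-hosted names."""
    return len(inference.candidates)
```

Run over the constructed log, the first SYN identifies a single site while the second is ambiguous among four co-hosted names, which is exactly the "some value" that shared hosting adds.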