paul at cypherpunks.ca
Fri May 31 15:17:27 UTC 2013
On Fri, 31 May 2013, Ken A wrote:
> What is keeping nameserver vendors from building this into servers?
Whoever designs a security protocol with no crypto algility should take
up another hobby, something nice like gardening or star gazing.
On top of that, there is the question of usefulness. You send out an
encrypted DNS packet for www.secret.com. No one knows what you looked
up, just that you asked "some dns question". Next, they observe you
sending http/https traffic to IP address 126.96.36.199. Even if we assume
these present no cryptographic plaintext attacks for the remainder
of your crypto-dns session, there is really no need to break it. I
already know what you did. There are going to be what, upto 1000
vhosts on that IP address (but more likely 1 if you used TLS)
If you want remain anonymous, you should fire your DNS over a secure
connection into the TOR network (using dns over TCP), and then use
your TOR network for the http/https connection as well. Using today's
DNS standards and software implementations this is already possible.
More information about the dns-operations