[dns-operations] resolvers considered harmful
mallman at icir.org
Thu Oct 23 19:29:02 UTC 2014
> The biggest problem I have with this paper is of terminology.
No- I don't want every app to build in a resolver. Madness!
Think of it as a change under-the-hood to gethostbyname(). Same
interface to the applications. But, underneath it doesn't go query
whatever is in /etc/resolv.conf, but rather just walks the tree itself
(to the extent needed, based on the cache).
> Then, when it comes to privacy (the biggest problem with your
> proposal), I strongly disagree with the way you get rid of the
> problems by saying "we note that many users are willing to use open
> shared resolvers (e.g., Google DNS) and are therefore comfortable with
> directly attributable DNS requests arriving at a large third-party
> network". This is propaganda, not science. Users use Google Public DNS
> because their ISP's resolver is broken or slow, or because the ISP
> censors <http://www.bortzmeyer.org/dns-routing-hijack-turkey.html> or
> because the IP address is cool or simply because they feel that it's
> Google so it must be nice. They never perform an assessment of the
> analyze the tradeoffs. Most users (even most IT professionals) have no
> idea of the complex privacy issues associated with DNS.
I understand you have probably thought this through more than I have.
But, I have a couple of views here in addition to the above ...
- Ultimately you're going to take the results of a DNS transaction and
turn around and hit the given service with an application. So,
while I may have been some nebulous "someone at ICSI" during the
name lookup, once I make the TCP connection I am not so anonymous.
That does not apply to all cases, of course. I.e., I ask Verisign
for google.com and then I TCP to Google and not Verisign. So, in
this case I could remain "someone at ICSI" to Verisign if I used the
- I think a rational way to look at this is the way we look at privacy
more generally. If you communicate with someone then they'll know
your IP. If you don't want that, take some explicit step to prevent
it (e.g., use Tor). We get an obfuscation from shared resolvers
now, but is that enough of a reason to keep them around?
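The two lookup models argued over above (a stub that hands everything to a shared resolver, versus a gethostbyname() that walks the delegation tree itself from whatever delegation it already has cached) can be simulated offline. The following is an added example written for this thread, not code from either poster. The zone layout, server names and IP addresses are constructed; the only thing modelled is which server sees which source address for a given query, which is the privacy question at issue.

```python
"""Offline simulation of two stub-resolver models:
  * SharedResolverStub: the stub asks a shared recursive resolver, which walks
    the tree with its own IP and its own (shared) cache.
  * IterativeStub: gethostbyname() walks the tree itself, starting at the
    closest delegation it has cached, so authoritative servers see the client.

Added example, not code from the original post.  Zones, server names and
addresses below are constructed; nothing here touches the network.
"""

# Constructed toy delegation tree: one authoritative server per zone, which
# either delegates child zones or holds address records.
ZONES = {
    ".": {"server": "root-server", "children": ["com.", "org."]},
    "com.": {"server": "com-tld-server", "children": ["example.com."]},
    "org.": {"server": "org-tld-server", "children": ["example.org."]},
    "example.com.": {
        "server": "ns.example.com",
        "addresses": {"www.example.com.": "192.0.2.10",
                      "mail.example.com.": "192.0.2.25"},
    },
    "example.org.": {
        "server": "ns.example.org",
        "addresses": {"www.example.org.": "198.51.100.7"},
    },
}


def _in_zone(qname, zone):
    """True if qname is at or below zone (respects label boundaries)."""
    return zone == "." or ("." + qname).endswith("." + zone)


def authoritative_query(zone, qname, source_ip, observed):
    """One round trip to the server for `zone`.  The server records the source
    IP it saw (the privacy-relevant fact) and returns a referral, an answer,
    or nxdomain."""
    entry = ZONES[zone]
    observed.append((entry["server"], source_ip))
    for child in entry.get("children", []):
        if _in_zone(qname, child):
            return "referral", child
    ip = entry.get("addresses", {}).get(qname)
    return ("answer", ip) if ip else ("nxdomain", None)


class IterativeStub:
    """gethostbyname() replacement that walks the tree from the caller's own
    address, reusing cached delegations so a repeat lookup under a known zone
    skips the root and TLD servers ("to the extent needed, based on the cache")."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.known_zones = {"."}   # delegation cache: zones we know a server for
        self.answers = {}          # answer cache: qname -> ip

    def _closest_zone(self, qname):
        # Longest cached zone containing qname; "." always qualifies.
        return max((z for z in self.known_zones if _in_zone(qname, z)), key=len)

    def gethostbyname(self, name):
        """Return (ip_or_None, observed): observed lists (server, source_ip)
        for every server that handled this lookup."""
        qname = name if name.endswith(".") else name + "."
        observed = []
        if qname in self.answers:
            return self.answers[qname], observed
        zone = self._closest_zone(qname)
        while True:
            kind, payload = authoritative_query(zone, qname, self.client_ip, observed)
            if kind == "referral":
                self.known_zones.add(payload)
                zone = payload
            elif kind == "answer":
                self.answers[qname] = payload
                return payload, observed
            else:
                return None, observed


class SharedResolverStub:
    """Conventional model: every query goes to a shared recursive resolver
    (an IterativeStub running with the resolver's IP and a cache shared by
    all of its clients)."""

    def __init__(self, client_ip, resolver_name, resolver):
        self.client_ip = client_ip
        self.resolver_name = resolver_name
        self.resolver = resolver

    def gethostbyname(self, name):
        observed = [(self.resolver_name, self.client_ip)]   # resolver sees the client
        ip, upstream = self.resolver.gethostbyname(name)     # authoritatives see the resolver
        return ip, observed + upstream


def servers_that_saw(observed, ip):
    """Sorted names of servers that learned `ip` asked a question."""
    return sorted({server for server, src in observed if src == ip})


if __name__ == "__main__":
    stub = IterativeStub("203.0.113.5")
    for host in ("www.example.com", "mail.example.com", "www.example.org"):
        print(host, stub.gethostbyname(host))
    shared = IterativeStub("192.0.2.53")
    print(SharedResolverStub("203.0.113.5", "shared-resolver", shared).gethostbyname("www.example.com"))
```

Running it shows the tradeoff in both directions: with the iterative stub the root and TLD servers see the client's own address on the first walk (and only the zone's own server on later lookups under a cached delegation), while with the shared resolver the authoritative servers see only the resolver's address, and a second client behind a warm shared cache is seen by nobody but the resolver.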