[dns-operations] Everyone having their own resolver

Warren Kumari warren at kumari.net
Wed Feb 3 18:49:20 UTC 2016


There are also some privacy implications for everyone running their own
resolvers -- If / when DPRIVE becomes more deployed, you are likely to leak
a bunch more information if you run your own resolver and do not talk to a
caching recursive.

If you are doing DPRIVE, your answer may come (encrypted) from the cache,
and if not, hopefully a: the attacker is not in a place to observe both
incoming (encrypted) query and subsequent (currently not encrypted) cache
fill query, and b: if they can, may not be able to perform side-channel
attacks.
If you have your own local recursive, a: currently your query would not be
encrypted (DPRIVE is not doing recursive to auth yet), and b: many
name-servers only serve a small number of zones - the fact that you are
contacting ns1.example.com may leak what you are looking up (if ns1.example.com
only serves a small number of zones).

W
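To make the "small number of zones" point concrete, here is an added Python sketch (not from the thread or from any DNS project) that scores how much a passive observer of cleartext cache-fill queries learns from the name server contacted alone, and how a shared caching recursive dilutes that; the server-to-zone map, the addresses and the client count are all constructed.

```python
import math
from collections import defaultdict

# Constructed map: authoritative server -> zones it serves. Hypothetical names;
# an analyst would derive this from passive DNS or published zone data.
NS_ZONES = {
    "ns1.example.com.": {"example.com.", "example.net."},   # small hoster: 2 zones
    "ns1.bighoster.example.": {f"site{i}.example." for i in range(4096)},
}

# Constructed observations: (source address, name server contacted), as a
# passive observer sees cleartext UDP/53 cache-fill queries on the wire.
OBSERVED = [
    ("192.0.2.10", "ns1.example.com."),        # a host running its own recursive
    ("192.0.2.10", "ns1.bighoster.example."),
    ("198.51.100.53", "ns1.example.com."),     # a shared caching recursive's query
]

def zone_candidates(ns, ns_zones=NS_ZONES):
    """Zones that could have been asked for, given only the server contacted."""
    return set(ns_zones.get(ns, set()))

def remaining_bits(ns, ns_zones=NS_ZONES):
    """Bits of uncertainty left about the queried zone (uniform prior over the
    server's zones). 0.0 = fully revealed; None = server unknown, no inference."""
    n = len(zone_candidates(ns, ns_zones))
    return math.log2(n) if n else None

def bits_behind_shared_recursive(ns, num_clients, ns_zones=NS_ZONES):
    """Same cache-fill query, but sent by a shared recursive with num_clients
    users: the observer must also guess which client, adding log2(num_clients)
    bits (uniform assumption; ignores timing correlation with the encrypted
    client-to-recursive leg, which is the side channel the post mentions)."""
    z = remaining_bits(ns, ns_zones)
    return None if z is None else z + math.log2(num_clients)

def leak_summary(observations, ns_zones=NS_ZONES):
    """Per source address: servers contacted -> number of plausible zones.
    Small counts mean the server name alone nearly identifies the lookup."""
    by_src = defaultdict(dict)
    for src, ns in observations:
        by_src[src][ns] = len(zone_candidates(ns, ns_zones))
    return dict(by_src)

if __name__ == "__main__":
    for src, servers in leak_summary(OBSERVED).items():
        for ns, n in servers.items():
            print(f"{src} -> {ns}: {n} candidate zone(s), "
                  f"{remaining_bits(ns):.1f} bits of uncertainty")
```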


On Wed, Feb 3, 2016 at 1:31 PM Rick Wesson <rick at support-intelligence.com>
wrote:

> openDNS provides an API into their data that you could leverage to answer
> these and many other research questions. You should ask their CTO Dan
> Hubbard.
>
> -rick
>
>
> On Wed, Feb 3, 2016 at 9:20 AM, Paul Hoffman <phoffman at proper.com> wrote:
>
>> On 3 Feb 2016, at 7:41, Matthew Pounsett wrote:
>>
>>> The existing infrastructure can probably handle it initially, sure .. but
>>> expect your domain registrations and DNS hosting to be an order of
>>> magnitude more expensive.   Much of the authoritative infrastructure has an
>>> overhead multiplier built into its capacity, where the multiplier is
>>> locally chosen based on the likelihood and impact of DDoS.  Some
>>> infrastructures are built to handle over 100x the “normal” traffic load.
>>>
>>> When the normal query rate sees an order (or two) magnitude jump, it
>>> eats away that extra capacity built into the system, and everyone has to
>>> scale up to get back their DDoS-eating overhead.
>>>
>>
>> These are interesting bold statements, and I've heard similar over the
>> past few years.
>>
>> Has anyone ever measured this? That is, there are a bunch of people on
>> this very mailing list who have access to the caches and possibly even the
>> query logs for Very Large Resolvers. It would be grand to see current
>> research (or at least a list of good recent research) on what percentage of
>> queries are for things in the long tail.
>>
>> --Paul Hoffman
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
>