[dns-operations] Embedding MAC address in DNS requests for selective filtering

Ralf Weber dns at fl1ger.de
Wed Jan 27 17:01:37 UTC 2016


Moin!

On 25 Jan 2016, at 16:36, bert hubert wrote:
> We have heard of implementations where 'per-device DNS filtering' is 
> being
> offered, even behind NAT.  So this means you might get parental 
> filtering on
> your kids' iPads, but not on your own desktop.
>
> This is then probably implemented by the home router (CPE) appending 
> the MAC
> address to queries, presumably over EDNS.  The ISP nameserver can then
> conditionally filter queries or not, based on customer IP and client 
> MAC
> address.
>
> In the interest of interoperability, could those parties that are
> implementing this functionality please speak up how they are doing it? 
> I
> know you are on this list.
A number of vendors (both CPE and DNS vendors), including Nominum, have
considered using mechanisms of this sort to provide applications based 
upon
DNS traffic.  We don’t recommend overloading existing opcodes such as 
the
one used for NSID ( https://tools.ietf.org/html/rfc5001). We use EDNS0 
option
code 0xFE31 (65073 decimal), and its value is implementation specific
although in our current work, we have used the IEEE 802 48-bit MAC 
address of
the originating DNS client in 17-octet downcased colon-separated hex 
textual
form, e.g.: 12:34:56:78:90:ab.

We are in the process of supporting the use of this option through open 
source
efforts with dnsmasq at the CPE level and others. We would be supportive 
of
standardizing this mechanism.

So long
-Ralf



More information about the dns-operations mailing list