[dns-operations] Embedding MAC address in DNS requests for selective filtering

bert hubert bert.hubert at powerdns.com
Sun Jan 31 11:03:49 UTC 2016

On Sun, Jan 31, 2016 at 10:39:08AM +0100, Stephane Bortzmeyer wrote:
> > We are in the process of supporting the use of this option through
> > open source efforts with dnsmasq at the CPE level and others. We
> > would be supportive of standardizing this mechanism.
> Before that, did anyone consider the privacy implications? A MAC
> address is a personal identifier. It seems extremely dangerous to leak
> it to the outside.
> Many people think that the NAT in the CPE router "hides" them from
> outside, it will no longer be true.

If this is done, I would highly recommend that it be done like this:

1) The CPE generates a random number (this by itself is already not easy)
2) It hashes the MAC address together with this random number to end up with
a locally persistent user identifier
3) All configuration is performed based on this locally unique but globally
anonymous string.

If we standardize it up, we might include words that mandate or urge an
implementor to do it this way. Mind you, the actual MAC address might be
'personally identifiable' and the hashed one not, so regulators might even
find a benefit in it.

But, even an obfucated MAC address suffices to sell user traffic data...

The other reason providers are now looking at this is that there is a real
demand for 'safe browsing', but not on a per-household basis.  Much as I
dislike the privacy implications, I've seen how this works and it is quite
neat. It would be great if providers pledged to do no marketing with it


More information about the dns-operations mailing list