[dns-operations] monetization of passive dns collection

Paul Vixie paul at redbarn.org
Fri Mar 29 16:56:31 UTC 2019

an unrelated topic but one near and dear to me was mentioned in passing.

David Conrad wrote on 2019-03-29 08:38:
> ...
> And to be clear, this isn’t a situation I’m happy with. It is, however, 
> a natural outcome of lying DNS servers, monetization of passive DNS 
> collection, pervasive surveillance, etc.

as a passive dns monetizer, i want to be clear, we are not in the 
surveillance business. unlike the so-called "public" dns providers, we 
do not see end-user IP addresses. our sensor operators send only cache 
miss traffic from servers whose operators have given express permission, 
which we then heavily filter and anonymize.

no output from our database fits the description of Personally 
Identifiable Information, and the total number of changes to our 
business practices as a result of GDPR was the null set. we were 
privacy-respecting for many years before edward snowden flew to hong 
kong and made his various "disclosures".

if anyone has any concerns about these practices, i welcome discussion, 
either here in public, or privately by e-mail or telephone or in person.

also note, my dns servers lie to my local client population about things 
like DGA C&C addresses, phishing servers, and other things i consider 
dangerous. this is called a DNS Firewall, and it's done with technology 
called Response Policy Zones (DNS RPZ), and it's free to implement or 
operate as a publisher or a subscriber, even though there aren't as many 
free "policy feeds" as i'd like.

anyone who doesn't like my DNS lies doesn't have to use my network, so 
we're even.

P Vixie
