<div dir="ltr"><div><br></div><div>There are also some privacy implications for everyone running their own resolvers -- If / when DPRIVE becomes more deployed, you are likely to leak a bunch more information if you run your own resolver and do not talk to a caching recursive.</div><div><br></div><div>If you are doing DPRIVE, your answer may come (encrypted) from the cache, and if not, hopefully a: the attacker is not in a place to observe both the incoming (encrypted) query and the subsequent (currently not encrypted) cache fill query, and b: if they can, they may not be able to perform side-channel attacks.</div><div>If you have your own, local recursive, a: currently your query would not be encrypted (DPRIVE is not doing recursive to auth yet), and b: many name-servers only serve a small number of zones - the fact that you are contacting <a href="http://ns1.example.com">ns1.example.com</a> may leak what you are looking up (if <a href="http://ns1.example.com">ns1.example.com</a> only serves a small number of zones).</div><div><br></div><div>W</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Feb 3, 2016 at 1:31 PM Rick Wesson <<a href="mailto:rick@support-intelligence.com">rick@support-intelligence.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace">openDNS provides an API into their data that you could leverage to answer these and many other research questions. 
You should ask their CTO Dan Hubbard.</div></div><div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace"><br></div><div class="gmail_default" style="font-family:courier new,monospace">-rick</div><div class="gmail_default" style="font-family:courier new,monospace"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 3, 2016 at 9:20 AM, Paul Hoffman <span dir="ltr"><<a href="mailto:phoffman@proper.com" target="_blank">phoffman@proper.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 3 Feb 2016, at 7:41, Matthew Pounsett wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The existing infrastructure can probably handle it initially, sure .. but expect your domain registrations and DNS hosting to be an order of magnitude more expensive. Much of the authoritative infrastructure has an overhead multiplier built into its capacity, where the multiplier is locally chosen based on the likelihood and impact of DDoS. Some infrastructures are built to handle over 100x the “normal” traffic load.<br>
<br>
When the normal query rate sees an order (or two) magnitude jump, it eats away that extra capacity built into the system, and everyone has to scale up to get back their DDoS-eating overhead.<br>
</blockquote>
<br>
These are interesting bold statements, and I've heard similar over the past few years.<br>
<br>
Has anyone ever measured this? That is, there are a bunch of people on this very mailing list who have access to the caches and possibly even the query logs for Very Large Resolvers. It would be grand to see current research (or at least a list of good recent research) on what percentage of queries are for things in the long tail.<span><font color="#888888"><br>
<br>
--Paul Hoffman<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-jobs mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a></font></span></blockquote></div><br></div>
</blockquote></div>
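Two of the questions in this thread can be explored directly over a resolver query log: Paul's (what share of queries is for the long tail) and Matthew's (how much more authoritative traffic appears when every client runs its own recursive instead of sharing a cache). The Python below is an added illustration, not code from anyone on this thread; its log line format and the sample lines are constructed, and the cache model is a simple positive TTL cache.

```python
import re
from collections import Counter

# Constructed sample of resolver query-log lines (not a real log), one query per line:
# "<epoch seconds> <client> <qname> <qtype>"
SAMPLE_LOG = """\
1000 10.0.0.1 www.example.com. A
1001 10.0.0.2 www.example.com. A
1002 10.0.0.3 mail.example.net. MX
1005 10.0.0.1 www.example.com. A
1010 10.0.0.4 cdn.example.org. AAAA
1020 10.0.0.2 a1b2c3.dyn.example.org. A
1030 10.0.0.3 www.example.com. A
1040 10.0.0.5 xyz.example.net. A
1400 10.0.0.1 www.example.com. A
1401 10.0.0.6 www.example.com. A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return a list of (ts, client, qname, qtype); lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)))
    return records


def long_tail_share(records):
    """Fraction of queries for names seen only once in the log (a simple 'long tail' measure)."""
    counts = Counter(qname for _, _, qname, _ in records)
    tail = sum(1 for _, _, qname, _ in records if counts[qname] == 1)
    return tail / len(records) if records else 0.0


def upstream_queries(records, ttl, per_client=False):
    """Count queries that a positive TTL cache would forward to authoritative servers.
    per_client=False models one shared caching recursive serving all clients;
    per_client=True models every client running its own recursive resolver."""
    expires = {}  # cache key -> timestamp at which the cached answer expires
    misses = 0
    for ts, client, qname, qtype in records:
        key = (client if per_client else "shared", qname, qtype)
        if expires.get(key, -1) <= ts:  # not cached, or cached answer has expired
            misses += 1
            expires[key] = ts + ttl
    return misses
```

On the constructed sample, 40% of queries are singletons, and moving every client to its own recursive raises the queries reaching authoritatives from 6 to 9 of 10; on a real log the shared/per-client ratio is the multiplier Matthew's capacity argument depends on.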