Autor: Gabe Stanton Datum: To: dng Betreff: Re: [DNG] Opennic
On Wed, 2021-03-10 at 20:04 -0800, Rick Moen wrote: > Quoting Gabe Stanton via Dng (dng@???):
>
> > Of course using a local (or controlled by you) caching dns resolver
> > ENHANCES privacy.
>
> You really should have stopped there.
>
> > That's not even a question and doesn't represent a
> > real argument against the likelihood that, in the case of everyone
> > running their own caching resolver, that second level nameservers
> > would
> > end up being a very good source of info to match dns requests to ip
> > addresses, to be exploited just as any other big dns provider is
> > likely
> > to do.
>
> Again, I get the impression, to be blunt, that you don't have a
> realistic understanding of how typical patterns of authoritative
> nameservice data and caching work. Spend some time logging and
> studying your recursive nameserver's traffic to TLD nameservers given
> caching and try to estimate how revealing that data is. Rick, feel free to stop reading and feel free to not respond. That's
your right, it's all up to you from here. If you read on and respond, I
don't want to hear anything more about wasting anyone's time. If you
want to respond with something snarky just keep it to yourself.
Domain name + requesting IP address, that's all I need to know to have
valuable data.
I'll be blunt as well. I think this argument is a strawman because you
lumped opennic in with other dns providers and dismissed them, and I
called out the differences. Did you not know that they also encourage
people to run their own nameservers? You did not go in depth in your
dismissal, I went in depth in my rebuttal and you haven't done anything
to rebut my arguments but make vague comments and be insulting.
I take the view that if everyone ran their own caching resolver or
otherwise stopped using the big dns providers, that those people would
do anything they can do get that data. That's not hard to understand or
imagine I'm sure.
> You seem to think "very revealing". In which case, plainly there is
> no
> basis for further discussion, and I wish you good luck in your
> further
> endeavours.
> > I'm open to any information you have [...]
>
> Nope.
>
> You'll need to chew up someone else's time.
Hahaha you can read or not. You can respond or not. I don't control
your time, as you mention below. So stop complaining about how you
spend your own time.
> > You made a case for another possibly good alternative for dns
> > providers
> > as oppposed to opennic
>
> That's not what I said.
Uh okay. Here's the quote. If you weren't talking about a hypothetical
alternative dns provider here, then I'm not the only one here that's
confused.
"Ideally, one has a contractual relationship with a reputable good
provider who looks after customer interests in accordance to local
business practices and law, such as (to cite the USA local legal
concept) the implied covenant of good faith and fair
dealing. However,
that contract concept is (naturally) not a shield for privacy but
rather
a cudgel to wield in civil litigation, so the best thing to do is to
limit what your immediate uplink can learn about your network traffic.
Various crypto schemes help limit that data, but -- my point -- so
does
operating a local recursive nameserver, rather than outsourcing to
-anyone- on the other side of the uplink."
> > ...but I didn't hear any rebuttal to any of my
> > arguments in their favor.
>
> I'm sorry, but (1) I don't work for you, and (2) I clarified tnat
> _all_ I said was that outsourcing recursive DNS to OpenNIC recursive
> servers was a bad idea for the same reason outsourcing it to anyone
> else
> is.
>
> You ignored that,
You lumped opennic in with cisco, google, and various others is what
you did. I didn't ignore it, I chose to defend opennic and point out
why they'r different, and I pointed out that they encourage people to
run their own servers. I made good and valid points. And you setup a
strawman in response and are now complaining about wasting time.
> and are now wasting your time and mine. I am ending
> that.
Again, you control what you do. Take responsibility for it.
> > So, here are the good points about opennic.
>
> Irrelevant to what I said. You lumped them in with others who are entirely different, and I
pointed out how they're different and better, and you ignore everything
good I said about them.
> Which fact you are ignoring, and thus
> wasting my and everyone else's time. I am ending (at least) the
> former. Totally agree, trying to explain to you the difference between opennic
and other dns providers was a waste of time. And apparently, trying to
convince you that running a caching dns resolver isn't a long-term
privacy guarantee, is also a waste of time.