On Thu, 2021-03-11 at 17:10 +0000, Simon Hobson wrote:
> Gabe Stanton via Dng <dng@???> wrote:
>
> > You're right that I didn't address the fact that queries to root
> > servers don't all go to one server. My understanding of that wasn't
> > firm when I was writing so I said 'upstream server'. But that would
> > be
> > a small hurdle to overcome if everyone started protecting their dns
> > queries by running a caching resolver, because of the financial
> > incentive for doing so. The collusion it would take to exploit all
> > exploitable data would be minimal.
>
> I beg to differ. It would need a great deal of collusion (at least
> for the root servers), involving a variety of entities from around
> the world - and it only takes one of them to blow the whistle. If
> anyone tied it, it would kick up quite a storm. At the very least, it
> is not something that could be done without anyone realising.

I'm not at all saying it would have to be done without anyone
realizing, and again, my point has always been in the case that
everyone runs their own resolver (caching or not). In that scenario, a
lot of things would change. And in that scenario, the obvious place to
go to get what data there is to be gotten, is upstream of the user,
same as it is now.

> > Those are great arguments for runnning a caching resolver, and of
> > course that's a good thing, but there are a couple cases I outlined
> > that potentially offer better privacy.
> > 1. Running your own recursive server where your dns requests are
> > pooled
> > with others.
> > 2. Pointing at a single resolver that doesn't keep logs and where
> > your
> > dns requests are pooled. Of course you never know what logs are
> > being
> > kept for sure, but if operators are honest and don't keep logs, and
> > if
> > they run doh, dot, or dnscrypt, then you have potentially better
> > privacy because of no logs and pooled requests.
>
> It occurred to me (after writing my previous message) that one option
> open to you is to get together with a few friends and share a
> resolver that's under your own control. You could turn off query
> logging and then know that there's no logs for anyone to look at. The
> difficult bit is getting enough people together who all trust each
> other such that you can pool enough queries as to make any data
> collected by others into useless noise.

Opennic is just an imperfect implementation of this exactly. I would
bet you anything that's exactly how it started out. And I bet there are
a core of people that know each other and trust each other, and I would
be willing to bet there are some interesting innovations within that
group to further increase privacy. It seems a natural enough evolution
of things.

> But also as mentioned earlier, none of this deals with the
> eavesdropper problem. Your ISP can look at all your DNS queries just
> by filtering out all port 53 traffic and copying it to their logging
> servers. I suspect in some jurisdictions that's done because "the
> authorities say so", and I'm sure that some will be doing it because
> the law doesn't stop them and it's something they can monetise. As
> Rick Moen says, the only defence against that is to deal with an ISP
> that isn't run by sleaze balls.

Oh so that's what he was talking about. Do they exist? Also, all you
can do is believe their claim not to be sleaze balls, unless, as you
mentioned about the dns situation, you know the operators of your
service all personally. Even then, as I mentioned, hacking is a
convenient excuse for unethical companies. If you had a contract that
allowed you to sue in the event of a security breach, that would
mitigate that risk some.

> And that problem was behind the development of DoH - which simply
> replaces one problem of trust with a different problem of trust !

Of course but that's a whole other argument, and in any case would
require collusion or a party to go to the cert issuer to get the cert
to decrypt the traffic.

Apparently there's even dns over ssh that looks interesting, but is not
perfect either, but it would seem to address the trust-model problems
with DoH.


Gabe