[talk] Vixie meeting

George Rosamond george at ceetonetechnology.com
Wed Feb 26 15:45:14 EST 2020

On 2/26/20 3:30 PM, Raul Cuza wrote:
> On Wed, Feb 26, 2020 at 3:12 PM Charles Sprickman <spork at bway.net> wrote:
>>>> On Feb 26, 2020, at 8:26 AM, George Rosamond <george at ceetonetechnology.com> wrote:
>>>> On 2/25/20 11:19 AM, George Rosamond wrote:
>>>>> As some of you may know, the Vixie meeting next week should raise some
>>>>> interesting issues with DoH and DoT... basically DNS lookups encrypted
>>>>> over https or tls instead of clear text over UDP.
>>>>> The issue is a bit more complex than it seems on the surface.
>>>>> Most broadly, of course DNS lookups should be encrypted, but what's
>>>>> disturbing is that US FF will be set to go to Cloudflare, who obviously
>>>>> know this is a wonderful data-mining opportunity.
>>>>> The whole issue of "privacy" gets distorted too easily.  Yes, you should
>>>>> have privacy in DNS lookups, but sending encrypted lookups to one
>>>>> provider is a recipe for privacy from "the other" while centralizing a
>>>>> few huge collectors of that data.
>>>>> Yes, more providers should be running DOT servers, but that in itself
>>>>> isn't the answer.
>>>>> This link raises the issue, but misses the dangerous implications of DOH:
>>>>> https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/
>>>> This paper is an example of how centralizing DNS lookups is dangerous in
>>>> more "outlier" cases with more sophisticated adversaries on the Tor
>>>> network for anyone interested in diving deeper (the cached PDF version
>>>> should work):
>>>> https://www.freehaven.net/anonbib/#dnstor-ndss2017
>> If I were writing some dystopian sci-fi novel, Cloudflare would be an NSA-run
>> front for data collection and general spying. “Hey, HTTPS is hard! Just send
>> all your encrypted web traffic to our endpoints!”, “Hey, those dastardly ISPs
>> are snooping your DNS, why not point all your DNS lookups to us! (please
>> ignore ways your ISP can figure out where you’re going via looking at your
>> destination IPs)”.
>> Please, nobody show me stats on what percentage of web traffic that’s not
>> the top 100 sites goes through Cloudflare…
>> C
> but all the destination IPs belong to Cloudflare.


The entire sci-fi genre is based on predictions about the future, not
observations about today!

It's actually interesting to think that years ago, Tor Browser's obvious
weakness was dns lookups, which were unencrypted plain text.  That was a
long time ago.  Then they created a resolver that I wanted to work with
mickey@ (RIP.. it was his bday the other day..) to make portable.

And now DNS lookups are a hot commodity.

Another path is that more providers start running DOT DNS... a long
path, but definitely necessary.


More information about the talk mailing list