zlacker

[return to "Why does 1.1.1.1 not resolve archive.is?"]
1. ggm+N2 2019-10-04 06:10:48
>>stargr+(OP)
ECS is not equivalent to 'send the IP' but is revealing.

The fact that I subsequently connect to another place over HTTP or some other protocol is distinct from telling a DNS authority who is asking a question about a domain name: the article implies "it's the same leakage", but it isn't: different people get told.

2. cnst+53 2019-10-04 06:13:43
>>ggm+N2
What's the actual meaningful difference, though? ECS is limited to a /24 anyway, so it doesn't even reveal the exact IP address in any case.
3. vavrus+n4 2019-10-04 06:32:28
>>cnst+53
Disclaimer: I work on 1.1.1.1. You might not consider your /24 as personally identifying, but others might. The original RFC discusses these problems fairly well (https://tools.ietf.org/html/rfc7871, Privacy notice and privacy considerations). Frank Denis also wrote a good summary on ECS (https://00f.net/2013/08/07/edns-client-subnet/). There's a multitude of ways to fix this: use a whitelist of nameservers to send ECS to, to avoid spraying the source prefix everywhere; encrypt the whitelisted connections; or aggregate the source prefix into the largest covering server scope (e.g. if the client is in a /24 but the nameserver serves the same answer for the /16, then using any address in the /16 would do). We're evaluating all of them as there are different trade-offs (see https://blog.mozilla.org/futurereleases/2019/04/02/dns-over-...).
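As an added illustration (editor's code, not part of any post above and not 1.1.1.1's implementation), here is the RFC 7871 ECS option layout plus the scope aggregation vavrus describes: a resolver truncates the client address to the SOURCE prefix before it ever leaves the resolver, and once an authority answers with a wider SCOPE (e.g. /16 for a /24 query) later queries need only reveal that scope. Function names and the sample addresses are my own.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8      # EDNS Client Subnet option code (RFC 7871, section 6)
FAMILY = {4: 1, 6: 2}    # ADDRESS FAMILY field values for IPv4 / IPv6

def truncated_address(addr: str, prefix_len: int) -> bytes:
    """Zero the host bits beyond prefix_len and emit only the octets covering the
    prefix, as RFC 7871 section 6 requires; no bit past SOURCE leaves the resolver."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return net.network_address.packed[:(prefix_len + 7) // 8]

def build_ecs_option(addr: str, source_len: int) -> bytes:
    """Wire-format ECS option as a resolver puts it in a query (SCOPE is 0 in queries)."""
    version = ipaddress.ip_address(addr).version
    payload = struct.pack("!HBB", FAMILY[version], source_len, 0)
    payload += truncated_address(addr, source_len)
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def parse_ecs_option(option: bytes) -> tuple:
    """Decode (family, source_len, scope_len, address) from a wire-format option,
    padding the truncated address back to full width for display."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    family, source_len, scope_len = struct.unpack("!HBB", option[4:8])
    raw = option[8:4 + length]
    width = 4 if family == FAMILY[4] else 16
    address = str(ipaddress.ip_address(raw + b"\x00" * (width - len(raw))))
    return family, source_len, scope_len, address

def next_query_prefix_len(source_len: int, scope_len: int) -> int:
    """Aggregation from the thread: if the authority's SCOPE in its answer is wider
    than the SOURCE we sent, subsequent queries for clients in that scope need only
    reveal the scope-length prefix (a SCOPE of 0 means the answer is global, so 0)."""
    return min(source_len, scope_len)

def covering_network(client_addr: str, prefix_len: int) -> str:
    """The network whose any address 'would do' for the next query, per the thread."""
    return str(ipaddress.ip_network(f"{client_addr}/{prefix_len}", strict=False))
```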