zlacker

[parent] [thread] 2 comments
1. zzzcpa+(OP)[view] [source] 2019-10-04 14:33:51
> An eavesdropper can sit in front of the authoritative server for a site and eavesdrop on all the DNS queries with EDNS information.

No, they can sit near your 1.1.1.1 servers and catch all incoming and outgoing traffic, watching connections to your 1.1.1.1 servers that initiate DNS queries and actual outgoing queries that 1.1.1.1 makes to authoritative servers and responses too.

replies(1): >>jgraha+l1
2. jgraha+l1[view] [source] 2019-10-04 14:41:38
>>zzzcpa+(OP)
So if we're talking just about unencrypted DNS to 1.1.1.1, then you're assuming an entity capable of sitting in front of us in 194 cities worldwide.

vs

With EDNS sitting in front of the authoritative server of the site this actor is trying to monitor.

The latter is easier than the former.

replies(1): >>zzzcpa+02
3. zzzcpa+02[view] [source] [discussion] 2019-10-04 14:45:27
>>jgraha+l1
In the latter case it's just as easy to catch real IP addresses by sitting in front of authoritative DNS servers and actual servers those DNS records point to. As I said, you just can't justify it as a privacy feature. It does nothing significant in any threat model.
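The disagreement above turns on what an observer placed in front of an authoritative server can recover from a query that carries EDNS Client Subnet (ECS, RFC 7871). As an added example that is not part of this thread, the following Python builds a query to the same authoritative server twice, once from a resolver that forwards the client's /24 (the IPv4 prefix length RFC 7871 recommends) and once from a resolver that sends no ECS option, and then parses each packet the way an on-path observer would. The client address 203.0.113.77, the IPv6 address 2001:db8:abcd:1234::1 and the name example.com are constructed sample inputs; nothing here is the resolver operator's own code.

```python
"""Build and parse DNS queries carrying the EDNS Client Subnet (ECS) option
(RFC 7871) to show what an on-path observer near an authoritative server can
recover about the original client.  Stdlib only; runs offline."""
import ipaddress
import struct
from typing import Optional

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8    # EDNS Client Subnet option code (RFC 7871)


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """ECS option body: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH
    (0 in queries), then the address truncated to the prefix (RFC 7871 s.6)."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8          # only the prefix bytes go on the wire
    addr_bytes = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname: str, ecs: Optional[bytes], txid: int = 0x1234) -> bytes:
    """A recursive resolver's outbound A query with an OPT RR; the OPT RR
    carries the ECS option if one is given, otherwise no options at all."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rdata = ecs or b""
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a wire-format name at buf[off]."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n


def extract_client_subnet(packet: bytes) -> Optional[str]:
    """What an observer in front of the authoritative server learns: walk the
    sections, find the OPT RR, and return the ECS subnet as text, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns):                           # none in a query, handled anyway
        off = skip_name(packet, off)
        rdlen = struct.unpack("!H", packet[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        p = 0
        while p + 4 <= len(rdata):                      # iterate EDNS options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            body = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, src, _scope = struct.unpack("!HBB", body[:4])
            raw = body[4:]
            full = 4 if family == 1 else 16
            addr = ipaddress.ip_address(raw + b"\x00" * (full - len(raw)))
            return str(ipaddress.ip_network(f"{addr}/{src}", strict=False))
    return None


if __name__ == "__main__":
    # Constructed example: a client at 203.0.113.77 (TEST-NET-3) resolving example.com.
    leaky = build_query("example.com", build_ecs_option("203.0.113.77", 24))
    silent = build_query("example.com", None)
    print("resolver forwarding ECS /24 -> observer learns:", extract_client_subnet(leaky))
    print("resolver omitting ECS       -> observer learns:", extract_client_subnet(silent))
```

The observer needs no cooperation from either side: the resolver-to-authoritative hop is plain UDP/TCP port 53 in both cases, so the only difference between the two packets is whether the client's subnet is inside them. Without ECS the observer still sees the resolver's source address and the queried name, which is the residual leak the third comment is pointing at.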