zlacker

1. cortes+(OP) 2021-09-11 21:38:34
It isn’t the actual IP, it is the subnet. Leaks some info, but unless you own the entire subnet it won’t give up your identity.

https://en.wikipedia.org/wiki/EDNS_Client_Subnet

replies(1): >>judge2+Y3
2. judge2+Y3 2021-09-11 22:10:58
>>cortes+(OP)
The entire point of ECS is to give the location, not the actual origin IP, which might be something you'd like to avoid giving away. The main point is that every resolver or network switch in the chain gets the ECS and would be able to combine it with the domain being requested. If you don't only visit Facebook/Google, your IPv4 /24 in combination with some obscure domain only you visit is very likely to give up your identity should an IX or resolver be watching for requests to such a domain.
replies(2): >>cortes+B8 >>silisi+ha
3. cortes+B8 2021-09-11 22:49:02
>>judge2+Y3
Sure, that is true. However, the person I responded to said that EDNS would give the authoritative server your IP address, which isn't true.
4. silisi+ha 2021-09-11 23:04:14
>>judge2+Y3
I understand that point, to an extent. I mean, your TCP connection in the next step hits how many switches on the way? With which both your actual IP and therefore location could be determined. Trying to hide subnet from just a resolver seems... small in the grand scheme.

And if that's your goal, why not proxy your DNS requests? I'd surely have a VPN or at least DNS proxy if my threat model were that which you're trying to avoid.
