zlacker

[parent] [thread] 13 comments
1. wkat42+(OP) 2023-08-02 14:17:12
Maybe they need it to route the traffic to the right CDN? That kinda would make sense.

While I'm very privacy conscious, I don't really see the benefit to hiding my region in the DNS request. Because the very next step after the DNS is my browser making a request to their webserver, at which time they will have my actual complete IP anyway.

replies(3): >>philwe+X >>jrockw+q2 >>jeroen+o4
2. philwe+X 2023-08-02 14:21:33
>>wkat42+(OP)
This is actually addressed in the original HN comment the post links to (>>19828702):

> EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

replies(2): >>eastda+j3 >>wkat42+T4
3. jrockw+q2 2023-08-02 14:27:55
>>wkat42+(OP)
eastdakota's original comment covers this. The DNS request isn't encrypted, so anyone with control over the network (upstream ISPs via warrants) can use this information to figure out who is attempting to visit. ("Someone is resolving example.com" is less information than "someone in LA is resolving example.com") Meanwhile, the actual HTTPS connection leaks less information. If the website is hosted on a CDN or cloud provider, then someone monitoring the IP traffic only knows that you're visiting something hosted by that CDN. ("The target is visiting a Cloudflare-hosted site" is less information than "The target is visiting example.com") So, there is a slight information leak by sending the geolocation information.

On the other hand, it's possible this doesn't matter. The client might not encrypt the host it's trying to visit. Nation states can correlate packet timing. So if someone really wants to know, they'll probably figure it out. (This is always a risk with things like Tor. If the government is monitoring your connection and some target website's connection, and you are sending a lot of packets at the same time they're receiving a lot of packets, you can guess who is talking to who.)

replies(1): >>cortes+Cz
4. eastda+j3 2023-08-02 14:31:46
>>philwe+X
And today it’s over 250. And the only site I’m aware of that objects to us protecting user privacy by making EDNS more private is this one. ¯\_(ツ)_/¯
replies(2): >>mikeco+te >>dmvdou+Jr
5. jeroen+o4 2023-08-02 14:36:23
>>wkat42+(OP)
I've talked to some people working for the .nl TLD. They collect logs on DNS requests for every .nl domain to mine data about phishing websites and online scams. They're not using the EDNS information as far as I know (that would be very very illegal) and I don't know what the introduction of the GDPR has done to their research, but TLDs not limited by privacy laws such as American companies can do whatever they want.

It's not just the website's DNS server that received your subnet information; it's every single location in the chain of DNS resolvers. That includes TLD servers run by data mining companies. Does Verisign need to know that 2001:2345:6789::abcd is looking for news.ycombinator.com?

With caching in place these methods of data gathering aren't all-encompassing, but if you visit some new or uncommon domains you'll be more likely to become part of the dataset.

replies(1): >>Arnavi+KC
6. wkat42+T4 2023-08-02 14:37:58
>>philwe+X
Yeah but if the site standardized on EDNS to get this information, it's rather difficult to do something different just for Cloudflare.
replies(1): >>p1mrx+R7
7. p1mrx+R7 2023-08-02 14:51:57
>>wkat42+T4
edns-client-subnet only provides an IP address; the receiving CDN still needs to geolocate it.

So the main difference is that Cloudflare's servers need to be present in the IP geolocation database. Given their prevalence, they're probably in most of them already.

8. mikeco+te 2023-08-02 15:21:25
>>eastda+j3
"Protecting user privacy", from the largest MITM attackers on the internet, is laughable.
replies(1): >>freedo+sr
9. freedo+sr 2023-08-02 16:15:37
>>mikeco+te
> from the largest MITM attackers

If that were true, there's a lot of really stupid people throwing away their money by paying CF to hack them.

10. dmvdou+Jr 2023-08-02 16:16:28
>>eastda+j3
Right, the site full of nerds who think archive.is and co. is a cool toy. Dilemma! ;)
11. cortes+Cz 2023-08-02 16:50:33
>>jrockw+q2
> If the website is hosted on a CDN or cloud provider, then someone monitoring the IP traffic only knows that you're visiting something hosted by that CDN.

This isn't true, because the request leaks the hostname in the handshake via SNI:

https://en.wikipedia.org/wiki/Server_Name_Indication

replies(1): >>pigeon+xF
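To make the SNI point concrete, here is an added example (not code from the thread or from any of the posters) that builds a minimal, constructed TLS ClientHello record carrying a server_name extension and then extracts the hostname the way a passive network monitor would. The cipher suite, zeroed random and hostname are assumptions chosen for the example; the record layout follows the TLS ClientHello wire format, which is why the name is readable without any key material.

```python
import struct
from typing import Optional

# Constructed, minimal ClientHello: enough structure for a parser, not a real handshake.
def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return a TLS record (content type 0x16) wrapping a ClientHello.
    If server_name is None, no extensions block is emitted at all."""
    body = b"\x03\x03"                      # client_version: TLS 1.2 (legacy field)
    body += b"\x00" * 32                    # random: zeroed for the example (assumption)
    body += b"\x00"                         # session_id length = 0
    body += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                     # compression_methods: length 1, null
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_entry = struct.pack("!BH", 0, len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """What an on-path observer sees: the host_name in the plaintext server_name extension.
    Returns None if the record is not a ClientHello or carries no SNI."""
    if len(record) < 6 or record[0] != 0x16:        # not a handshake record
        return None
    hs = record[5:]
    if hs[0] != 0x01:                               # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                    # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len                              # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                               # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                               # skip compression_methods
    if pos >= len(body):                            # no extensions present
        return None
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:                              # only server_name interests us
            continue
        (list_len,) = struct.unpack("!H", edata[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", edata[p:p + 3])
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if ntype == 0:                          # host_name entry, sent in the clear
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("news.ycombinator.com")
    print(extract_sni(hello))   # the hostname, recovered without any key material
```

The parser deliberately does nothing that requires keys: the observation in the comment above is that the name sits in the unencrypted part of the handshake, which is exactly the field Encrypted Client Hello is designed to hide. Monitoring tooling that logs SNI per flow is a common defensive use of the same parsing.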
12. Arnavi+KC 2023-08-02 17:03:47
>>jeroen+o4
> Does Verisign need to know that 2001:2345:6789::abcd is looking for news.ycombinator.com?

Verizon wouldn't know that even with ECS, because ECS only needs to include the subnet prefix of the length that the client (Cloudflare's recursive resolver in this case) is willing to give out. There is no benefit and only harm to the client if it gives out the whole IP, and indeed it is called out as a bad idea in the ECS RFC.
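The prefix-truncation point above, and the earlier worry about what every resolver in the chain gets to see, are easiest to check against the bytes. The following is an added example (not code from the thread, and not Cloudflare's or any resolver's implementation) that encodes and decodes an EDNS Client Subnet option as laid out in RFC 7871: option code 8, an address family, a SOURCE PREFIX-LENGTH, a SCOPE PREFIX-LENGTH and only as many address octets as the prefix needs, with the remaining bits zeroed. The /24 and /56 defaults are assumptions for the example; the address 2001:2345:6789::abcd comes from the comment being answered.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8          # EDNS0 option code for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def truncate_client(addr: str, v4_bits: int = 24, v6_bits: int = 56):
    """Reduce a client address to the prefix the resolver is willing to disclose.
    Returns (network, prefix_length); host bits are zeroed by ip_network()."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return net, bits


def build_ecs_option(addr: str, v4_bits: int = 24, v6_bits: int = 56) -> bytes:
    """Wire-format ECS option: OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE, SCOPE, ADDRESS."""
    net, source_prefix = truncate_client(addr, v4_bits, v6_bits)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    nbytes = (source_prefix + 7) // 8            # RFC 7871: send only the octets the prefix covers
    address = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix, 0) + address  # SCOPE is 0 in a query
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes):
    """Decode an ECS option back into (network_str, source_prefix, scope_prefix).
    Rejects options whose trailing (host) bits are non-zero, which RFC 7871 forbids."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = data[4:4 + length]
    family, source, scope = struct.unpack("!HBB", body[:4])
    full_len = 4 if family == FAMILY_IPV4 else 16
    addr_bytes = body[4:]
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    ip = ipaddress.ip_address(padded)
    try:
        net = ipaddress.ip_network(f"{ip}/{source}")   # strict: host bits must be zero
    except ValueError as exc:
        raise ValueError("non-zero bits beyond the prefix, forbidden by RFC 7871") from exc
    return str(net), source, scope


def addresses_covered(source_prefix: int, family: int) -> int:
    """How many client addresses share the disclosed prefix (the client's anonymity set)."""
    total_bits = 32 if family == FAMILY_IPV4 else 128
    return 2 ** (total_bits - source_prefix)


if __name__ == "__main__":
    # What the authoritative server (and every resolver on the path) actually receives:
    opt = build_ecs_option("2001:2345:6789::abcd")
    print(opt.hex())                       # 15 bytes, 7 address octets, no host bits
    print(parse_ecs_option(opt))           # ('2001:2345:6789::/56', 56, 0)
    # The RFC's "bad idea": a full /128 would hand over the exact address.
    print(parse_ecs_option(build_ecs_option("2001:2345:6789::abcd", v6_bits=128)))
```

Two things worth noticing when running it: the IPv6 option carries seven octets, so the ::abcd host part never leaves the resolver, and the same code with `v6_bits=128` or `v4_bits=32` produces the full-address option the RFC warns against, which is a useful check to keep in a resolver's test suite.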

13. pigeon+xF 2023-08-02 17:16:09
>>cortes+Cz
Encrypted SNI has been in the works for a long time: https://www.cloudflare.com/en-gb/learning/ssl/what-is-encryp...
replies(1): >>cortes+3s8
14. cortes+3s8 2023-08-04 18:17:19
>>pigeon+xF
Right, but it isn't standard yet still.