Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> You mention the risk coming from the resolver. That's why, IMHO, we
> should recommend people to run a local resolver, as much as possible
If (big if) you trust the resolver then you have the advantage of hiding your iterative queries in the aggregate behaviour of the resolver's other users, and if the connection to your resolver is encrypted it is relatively difficult for a snooper to work out what you are asking for.

If you run the resolver locally then it becomes really easy to do traffic analysis on your DNS, because even if it is encrypted the attacker has your authoritative server addresses as well as the packet sizes to work with.

So I don't think the trade-off is simple enough to make a blanket recommendation.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Lundy, Fastnet: South or southwest 3 or 4, occasionally 5 later. Slight or moderate. Occasional rain with fog patches, becoming fair. Moderate, occasionally very poor, becoming good.

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
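The traffic-analysis point in Tony's reply, as an added example that is not part of the original thread: a local resolver's iterative queries go straight to the authoritative servers, so an on-path observer sees which authoritative address each (possibly encrypted) query went to and how long it was. The script below builds real DNS query wire format to get the sizes, models the encrypted flow as the query length plus an assumed constant TLS overhead, and then uses a constructed table of candidate names and their (hypothetical, RFC 5737 documentation-range) authoritative server addresses to show how far destination address plus size narrows the candidate set. The `CANDIDATES` table, the addresses in it and the `TLS_OVERHEAD` constant are assumptions made for the example; the EDNS(0) Padding option (RFC 7830) is included only to show what happens to the size signal when queries are padded to a fixed block.

```python
import struct

# Assumed, constant per-record encryption overhead for DNS over TLS 1.3 with
# an AEAD cipher: 2-byte DNS-over-TCP length prefix, 5-byte TLS record header,
# 1-byte inner content type, 16-byte AEAD tag. Cipher-suite dependent in reality.
TLS_OVERHEAD = 2 + 5 + 1 + 16

# Constructed candidate table the attacker would assemble from public NS data:
# name -> address of the authoritative server the local resolver would query.
# Addresses are RFC 5737 documentation ranges, not real nameservers.
CANDIDATES = {
    "example.com": "192.0.2.10",
    "example.org": "192.0.2.20",
    "ietf.org": "192.0.2.20",       # several zones share one server
    "wikipedia.org": "192.0.2.20",
    "dotat.at": "198.51.100.5",
    "nic.fr": "203.0.113.7",
}


def encode_qname(name):
    """Encode a domain name as DNS wire-format labels (RFC 1035 s3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, pad_block=None):
    """Build a DNS query: header + one question, optionally with an EDNS(0)
    OPT record carrying a Padding option that pads the message to a multiple
    of pad_block octets (RFC 6891 OPT RR, RFC 7830 option code 12)."""
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if pad_block is None:
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
        return header + question
    # OPT RR fixed part is 11 octets (NAME=0, TYPE=41, CLASS=UDP size, TTL, RDLEN);
    # the Padding option header is 4 octets (code, length) before the padding itself.
    fixed = 12 + len(question) + 11 + 4
    pad = (-fixed) % pad_block
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 4 + pad)
           + struct.pack("!HH", 12, pad) + b"\x00" * pad)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    return header + question + opt


def ciphertext_len(name, pad_block=None):
    """Length an on-path observer sees for this query under the assumed overhead."""
    return len(build_query(name, pad_block=pad_block)) + TLS_OVERHEAD


def infer(dst_ip, observed_len, candidates=CANDIDATES, pad_block=None):
    """Traffic analysis: which candidate names are consistent with an encrypted
    query of observed_len octets sent to authoritative server dst_ip?"""
    return sorted(name for name, ip in candidates.items()
                  if ip == dst_ip and ciphertext_len(name, pad_block) == observed_len)


if __name__ == "__main__":
    # Unpadded: destination address plus exact size identifies the name.
    print(infer("192.0.2.20", ciphertext_len("ietf.org")))
    # A server hosting a single candidate zone leaks the name by address alone.
    print(infer("192.0.2.10", ciphertext_len("example.com")))
    # Padded to 128 octets: the size signal collapses, the address signal remains.
    print(infer("192.0.2.20", ciphertext_len("ietf.org", 128), pad_block=128))
```

The unpadded case returns a single name for the shared server, and `192.0.2.10` gives up `example.com` whatever the size; with 128-octet padding the shared server still yields every name it hosts, which is exactly the residual leak Tony points at: padding hides the size, not the authoritative address, and a local resolver has no other users' queries to hide among.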