Stephane Bortzmeyer wrote:
> On Mon, Apr 20, 2015 at 09:57:06AM -0700,
>  Paul Hoffman <paul.hoff...@vpnc.org> wrote 
>  a message of 98 lines which said:
> 
> > >> Passive DNS -- A mechanism to collect large amounts of DNS data
> > >> by storing queries and responses from recursive servers.
> > > 
> > > Most passive DNS services collect only the responses, which is good
> > > for privacy.
> > 
> > Some passive DNS services collect the query too. Given the privacy
> > issue you mention, we should make people aware of that.
> 
> Passive DNS -- A mechanism to collect large amounts of DNS data by
> storing responses from servers. Some of these systems also collect
> queries, which can raise privacy issues.

When collecting "below the recursive" passive DNS data, both queries and
responses can raise the same privacy issues, since the response usually
contains a superset of the information in the query.  "Above the
recursive" (or "inter-server" in Florian Weimer's original paper), one
could collect only responses, but unless queries are also collected and
matched to the corresponding responses, the passive DNS system can be
trivially poisoned by blindly spoofed responses.

So, maybe query vs response is not the right distinction to make for
"can raise privacy issues".  Maybe "queries from recursive clients"
would be better than plain "queries"?

-- 
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
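The poisoning point made above, as an added example that is not part of the thread, of Florian Weimer's paper, or of any real passive DNS product: a small "above the recursive" sensor that replays the same constructed capture twice, once storing every response it sees and once storing a response only when it matches an outstanding query on the reverse 4-tuple, transaction ID and question. All addresses, ports, names and transaction IDs are made up, and the sensor works on simplified message objects rather than parsing wire-format DNS.

```python
"""Query/response matching for an "above the recursive" passive DNS sensor.

Added example for the DNSOP discussion quoted above; it is not code from the
thread, from Florian Weimer's paper, or from any real passive DNS product.
All addresses, ports, names and transaction IDs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]           # (IP address, UDP port)
RRset = Tuple[str, str, str]     # (owner name, type, rdata)


@dataclass(frozen=True)
class DnsMessage:
    """The subset of a DNS/UDP datagram the sensor needs for matching."""
    src: Addr
    dst: Addr
    txid: int
    qname: str
    qtype: str
    is_response: bool
    answers: Tuple[RRset, ...] = ()
    seen_at: float = 0.0         # capture timestamp in seconds


# A response is accepted as the answer to a query only if it carries the same
# transaction ID and question and travels the reverse of the query's 4-tuple.
# A blind spoofer has to guess all of these (notably txid and source port).
MatchKey = Tuple[Addr, Addr, int, str, str]


def key_for_query(q: DnsMessage) -> MatchKey:
    return (q.src, q.dst, q.txid, q.qname.lower(), q.qtype)


def key_for_response(r: DnsMessage) -> MatchKey:
    # Reverse direction: the response travels from the authoritative server
    # back to the recursive's ephemeral source port.
    return (r.dst, r.src, r.txid, r.qname.lower(), r.qtype)


class PassiveDnsSensor:
    """Collects RRsets from responses seen between recursive and authoritative servers."""

    def __init__(self, require_query_match: bool, query_timeout: float = 5.0):
        self.require_query_match = require_query_match
        self.query_timeout = query_timeout
        self.pending: Dict[MatchKey, DnsMessage] = {}
        self.records: List[RRset] = []
        self.rejected: List[DnsMessage] = []

    def _expire(self, now: float) -> None:
        # Forget queries that never got an answer so the table cannot grow unbounded.
        stale = [k for k, q in self.pending.items() if now - q.seen_at > self.query_timeout]
        for k in stale:
            del self.pending[k]

    def observe(self, msg: DnsMessage) -> Optional[str]:
        """Feed one captured datagram; returns what the sensor did with it."""
        self._expire(msg.seen_at)
        if not msg.is_response:
            self.pending[key_for_query(msg)] = msg
            return "query-recorded"
        if self.require_query_match:
            matched = self.pending.pop(key_for_response(msg), None)
            if matched is None:
                self.rejected.append(msg)
                return "response-rejected"
        self.records.extend(msg.answers)
        return "response-stored"


def run_demo() -> Dict[str, Dict[str, int]]:
    """Replay the same constructed capture through both sensor configurations."""
    recursive = ("192.0.2.10", 40123)          # constructed recursive resolver
    authoritative = ("198.51.100.53", 53)      # constructed authoritative server
    capture = [
        DnsMessage(recursive, authoritative, 0x4D2F, "www.example", "A", False, seen_at=1.0),
        DnsMessage(authoritative, recursive, 0x4D2F, "www.example", "A", True,
                   answers=(("www.example", "A", "198.51.100.80"),), seen_at=1.1),
        # Blindly spoofed: no query was ever sent for this name; txid is a guess.
        DnsMessage(authoritative, recursive, 0x1234, "bank.example", "A", True,
                   answers=(("bank.example", "A", "203.0.113.66"),), seen_at=1.2),
    ]
    results: Dict[str, Dict[str, int]] = {}
    for name, match in (("responses-only", False), ("matched", True)):
        sensor = PassiveDnsSensor(require_query_match=match)
        for m in capture:
            sensor.observe(m)
        results[name] = {"stored": len(sensor.records), "rejected": len(sensor.rejected)}
    return results


if __name__ == "__main__":
    print(run_demo())
```

The responses-only sensor stores both RRsets, including the forged bank.example record; the matching sensor stores the legitimate one and rejects the forgery because no outstanding query has that key. The timeout exists because the pending table is itself attacker-influenced state: a sensor that never expires unanswered queries can be made to grow without bound by whatever can send queries past it.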
