Stephane Bortzmeyer wrote: > On Mon, Apr 20, 2015 at 09:57:06AM -0700, > Paul Hoffman <paul.hoff...@vpnc.org> wrote > a message of 98 lines which said: > > > >> Passive DNS -- A mechanism to collect large amounts of DNS data > > >> by storing queries and responses from recursive servers. > > > > > > Most passive DNS servcies collect only the responses, which is good > > > for privacy. > > > > Some passive DNS services collect the query too. Given the privacy > > issue you mention, we should make people aware of that. > > Passive DNS -- A mechanism to collect large amounts of DNS data by > storing responses from servers. Some of these systems also collect > queries, which can raise privacy issues.
When collecting "below the recursive" passive DNS data, both queries and responses can raise the same privacy issues, since the response usually contains a superset of the information in the query. "Above the recursive" (or "inter-server" in Florian Weimer's original paper), one could collect only responses, but unless queries are also collected and matched to the corresponding responses, the passive DNS system can be trivially poisoned by blindly spoofed responses. So, maybe query vs response is not the right distinction to make for "can raise privacy issues". Maybe "queries from recursive clients" would be better than plain "queries"? -- Robert Edmonds _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
