Bernard Aboba wrote:
>>> this is extremely narrow but i can envision activists and dissidents who
>>> rightly fear for their safety based on this narrowly defined threat
>
> [BA] Presumably protection would only be from an attacker that can snoop on
> the wire, but not have access to the logs?

yes. which i said explicitly:

> by implication, then, the remainder of possible problem statement
> material is "hide question from on-wire surveillance", there being no
> way to hide the questioner or the time. to further narrow this, the
> prospective on-wire surveillance has to be from third parties who are
> not also operators of on-path dns protocol agents, because any second
> party could be using on-wire surveillance as part of their logging
> solution, and by (2) above there is no way to hide from them. so we're
> left with "hide question from on-wire surveillance by third parties."

so, to your question:

> Is the assumption that the DNS server is hosted out of country, and that
> measures are used to avoid identification of DNS traffic? I am trying to
> understand the scenario in which this actually would have a plausible chance
> of making a difference.

there are two kinds of channel in dns queries. (i'm not going to account for
updates or zone transfers here.)

one channel is from the stub to the recursive. it's pointless to add secrecy
to that unless a stub wants to use a very distant name server, like opendns
or googledns, or as in your example, one in another country. however, these
long stub/recursive paths do exist and are becoming more common, either to
avoid poisoning by the local recursive operator (typosquatting and so on), or
to avoid surveillance by the local recursive operator, or to access poisoning
by a distant local recursive operator (opendns for example is actually a
security company, and they deliberately filter out dns results to
known-dangerous locations, as a service.)

the other channel is from the recursive to the authoritative. these
transactions contain very little PII, since the IP address of the end-user is
not present, and since cache re-use events are not present, only cache-miss
events. however, this channel is frequently intercepted (see china's GFW) and
frequently observed/logged.

(my $DAYJOB does this kind of observation/logging, but only with the explicit
permission of the recursive operator, who must deliberately install our sensor
software, and only with the implicit permission of their stub population,
which we can't ourselves verify, but we require be attested.)

secrecy on either of these channels is only rarely important, but in order to
avoid exceptional appearance (standing out like a sore thumb) it's going to be
necessary to make secrecy on both of these channels ubiquitous.

vixie
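The two channels described in the message above, as an added toy model that is not part of the original thread or of any real resolver software. It replays a few constructed stub queries through a caching recursive resolver and records what a passive on-wire observer on each link would see: the stub-to-recursive tap records every query together with the end-user IP, while the recursive-to-authoritative tap records only cache-miss events, all carrying the resolver's own source address. All IP addresses, names and the `Recursive`/`WireObserver` classes are constructed for this illustration.

```python
# Added example (not from the original thread): a toy model of the two DNS
# channels described in the message, showing what a passive on-wire observer
# on each link can record. All IPs and names are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Query:
    src_ip: str   # source address an on-wire observer sees on the packet
    qname: str    # question name


@dataclass
class WireObserver:
    """Passive tap on one link: records every query that crosses it."""
    name: str
    seen: List[Query] = field(default_factory=list)

    def tap(self, q: Query) -> None:
        self.seen.append(q)


class Authoritative:
    """Authoritative server for a constructed zone; unknown names get NXDOMAIN."""
    def __init__(self, zone: Dict[str, str]) -> None:
        self.zone = zone

    def answer(self, q: Query) -> str:
        return self.zone.get(q.qname, "NXDOMAIN")


class Recursive:
    """Caching recursive resolver between the stubs and the authoritative."""
    def __init__(self, ip: str, upstream: Authoritative, upstream_tap: WireObserver) -> None:
        self.ip = ip
        self.upstream = upstream
        self.upstream_tap = upstream_tap
        self.cache: Dict[str, str] = {}   # positive and negative answers alike

    def resolve(self, q: Query) -> str:
        if q.qname in self.cache:         # cache hit: nothing leaves the resolver
            return self.cache[q.qname]
        # cache miss: the outbound query carries the resolver's IP, not the stub's
        upstream_q = Query(src_ip=self.ip, qname=q.qname)
        self.upstream_tap.tap(upstream_q)
        rdata = self.upstream.answer(upstream_q)
        self.cache[q.qname] = rdata
        return rdata


def run_scenario():
    """Replay constructed stub queries; return (stub-channel view, auth-channel view)."""
    auth = Authoritative({"example.com.": "192.0.2.80", "example.net.": "198.51.100.80"})
    stub_tap = WireObserver("stub->recursive")
    auth_tap = WireObserver("recursive->authoritative")
    recursive = Recursive("203.0.113.53", auth, auth_tap)

    stub_queries = [                                 # constructed sample traffic
        Query("192.0.2.10", "example.com."),
        Query("192.0.2.11", "example.com."),         # second stub, same name: cache hit
        Query("192.0.2.10", "example.net."),
        Query("192.0.2.12", "example.org."),         # not in zone: still a miss, still forwarded
    ]
    for q in stub_queries:
        stub_tap.tap(q)          # stub channel: every query, with the end-user IP
        recursive.resolve(q)
    return stub_tap.seen, auth_tap.seen


if __name__ == "__main__":
    stub_seen, auth_seen = run_scenario()
    for tap_name, seen in (("stub->recursive", stub_seen),
                           ("recursive->authoritative", auth_seen)):
        print(f"{tap_name} observer saw {len(seen)} queries:")
        for q in seen:
            print(f"  {q.src_ip:15} {q.qname}")
```

Running it shows four queries with three distinct end-user addresses on the stub channel, but only three queries on the authoritative channel, all from 203.0.113.53; the repeated lookup for example.com. never leaves the resolver. That is the asymmetry the message relies on when it says the recursive-to-authoritative channel carries little PII, and it is also why a defender reasoning about on-wire surveillance has to decide separately, per channel, who the observer is and what they can correlate.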
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
