
DNS Query Privacy Revisited - zdw
https://blog.apnic.net/2020/09/11/dns-query-privacy-revisited/
======
vii
The title is a little confusing as DNS over HTTPS is the technology that comes
to mind for DNS privacy. That hides the DNS queries in an HTTPS tunnel, which
means fewer actors can see or spoof DNS results.

The QNAME minimisation technique described in the article is about showing
only partial requests to intermediate authorities in the DNS hierarchy. DNS
over HTTPS can protect the request until it gets to the resolver, and then the
QNAME minimisation system can hide it from interested intermediate DNS
authorities. I guess in practice this means the .com servers can't tell
whether someone is going to xxx.substack.com or yyy.substack.com, just that
they're asking about substack.

As the article points out, most users ask a shared DNS resolver to perform
resolution for them, and if you want to, the Cloudflare public resolver
1.1.1.1 uses this technique.
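
A toy model of the behaviour described above, added here as an illustration and not code from the article or from any resolver: it simulates the iterative queries a resolver sends for a name with and without QNAME minimisation (RFC 7816, one extra label per delegation step) and records which name each authoritative zone gets to see. The delegation tree is constructed for the example only.

```python
# Constructed delegation tree for the example: zone -> zones it delegates to.
# It is not real DNS data; substack.com is treated as a single zone.
DELEGATIONS = {
    ".": {"com."},
    "com.": {"substack.com.", "example.com."},
    "substack.com.": set(),
    "example.com.": set(),
}


def parent_zones(qname):
    """Chain of zones walked from the root down to the deepest delegation that
    covers qname, e.g. ['.', 'com.', 'substack.com.'] for xxx.substack.com."""
    labels = qname.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):      # TLD first, then deeper
        candidate = ".".join(labels[i:]) + "."
        if candidate in DELEGATIONS.get(chain[-1], set()):
            chain.append(candidate)
        else:
            break
    return chain


def resolve(qname, minimise):
    """Return [(zone_asked, name_sent), ...]: what each authority observes."""
    qname = qname.rstrip(".") + "."
    labels = qname.rstrip(".").split(".")
    observed = []
    for zone in parent_zones(qname):
        if minimise:
            # RFC 7816: ask each zone only about its own name plus one label
            zone_depth = 0 if zone == "." else zone.rstrip(".").count(".") + 1
            n = min(len(labels), zone_depth + 1)
            name_sent = ".".join(labels[-n:]) + "."
        else:
            name_sent = qname        # classic behaviour: full name to everyone
        observed.append((zone, name_sent))
    return observed


def names_seen_by(zone, qnames, minimise):
    """Set of query names a given zone's servers see across several lookups."""
    return {name for q in qnames for z, name in resolve(q, minimise) if z == zone}
```

With minimisation the .com servers see only `substack.com.` for both `xxx.substack.com` and `yyy.substack.com`; without it they see both full names.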

------
octoberfranklin
> only one open DNS resolver — Hurricane Electric’s Open DNS service — has a
> 97% QNAME Minimisation ratio. The Open Resolver’s services that record
> ratios of between 50% and 70% raise a question as to what is happening here?

If this isn't a smoking gun I don't know what is.

HE is the only entity on that list with a non-0% ratio who is also a backbone
carrier -- i.e. their own routers have no 0.0.0.0/0 route.

Obviously there is tampering going on here; no sane DNS software includes an
"if (rand()) { do_qname_minimization_today(); }". And, obviously, the
tampering is happening at the carrier level. And you can bet the answer starts
with a "Century" and ends with "Link".

~~~
PostPlummer
Your answer baffles me.

From the blog I get the impression Geoff is not "raise a question as to what
is happening here" about HE's 97%, but more about all the others with >0% &
<97%.

Would you care to enlighten us with what you are implying?

~~~
salawat
If I'm grokking correctly, the poster is asserting that there are ISP
shenanigans going on due to the fact that measurements aren't coming in in a
binary nature. Either you support QNAME minimization, or you don't. If you
support it, but someone else in the recursive resolution chain doesn't, that
would explain <100% measurements, since they pass on more info than they
should, and in theory there may be temporary reentrant loops due to poorly
managed BGP, which results in unminimized DNS queries being visible to the
measurer somehow.

The poster seems to think Century Link is involved in a fundamental way. Which
admittedly, given their track record with hosing large swathes of the Internet
these last couple years may not be unreasonable.

At least that was what I got out of it.

~~~
octoberfranklin
Yes, that's pretty much exactly what I was trying to say.

------
jlgaddis
> _... Cloudflare’s 1.1.1.1 service, Quad9, and the OpenDNS service resolve
> their queries using QNAME Minimisation._

However, the "most popularly used" open resolver, Google's Public DNS, "does
not appear to support QNAME Minimisation".

Is anyone actually surprised by this, at all?

------
im3w1l
Bandwidth is pretty cheap. You could fetch the most common million host names
every 24h.

For longer tail stuff, you could use buckets. Cluster domains so only a few or
ideally a single buckets need to be fetched. But make sure every bucket has
multiple clusters.

"Give me the recipes and porn bucket please"

~~~
TekMol
If you have a trusted source for a million host names, you have a trusted
source for one hostname. So why would you have to download a million upfront
and not just the one you need?

~~~
salawat
Because there's a big difference between asking for the address of a mall vs.
asking for the address of the sex toy shop in the mall openly. Or the gun
store. Or the space the labor union rented out in the building for a meeting.

Given that the Internet wasn't made with the concept of nosy people as an
adversary or threat, many adversaries have flocked to using the metadata as a
gold mine instead of just ignoring it and passing it along. Which is half the
reason it seems like we can't just have nice things.

