Google wants to see client addresses in DNS queries - dschobel
http://arstechnica.com/tech-policy/news/2010/01/google-wants-to-see-client-addresses-in-dns-queries.ars

======
dschobel
best quote in the piece:

It's too early to make guesses about the success of this effort at the IETF,
but Paul Vixie, well known as the original author of the BIND DNS software and
no less for his strong opinions, set the tone in a message to the IETF DNSEXT
mailing list. _"if we're going to add client identity to the query, can we do
so in a more general way? i'd like to know lat-long, country, isp, language,
and adult/child."_

~~~
jws
Is there really any privacy preserved by concealing the IP of a DNS query? The
next thing you are going to do is contact the resulting host (probably
controlled by the same people as the DNS server) with your IP in the sender IP
field.

I suppose one could imagine a situation where a user is using some sort of
anonymizer for their HTTP traffic, but not their DNS. DNS anonymizers are
trivial. Just don't implement this feature, or I suspect your client resolver
code could prefill the RR with a bogus entry.

I've run my own DNS servers for years with the side effect that the
authoritative DNS servers and their slaves get to see my IP when I query. The
sky has not fallen.

~~~
mike-cardwell
"The next thing you are going to do is contact the resulting host"

Incorrect assumption. DNS pre-fetching. See:
[https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunder...](https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail)

------
kvs
I thought recursive resolvers are geographically local enough for caching web
services. I checked mine and it seems to be 4 hops away, 2 beyond our network
perimeter.

/24 is very intrusive and what about those who are behind ISP NATs. /24 may
not be as useful to Google.
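
What a /24 hint actually puts on the wire, as an added example that is not part of the thread. The draft under discussion was later standardised as EDNS Client Subnet (RFC 7871, option code 8): the resolver sends FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH and the client address truncated to the prefix, inside an OPT pseudo-RR. The block builds and parses that option, wraps it in an OPT RR, and also shows the opt-out form (prefix length 0, no address), which is the standardised version of the "prefill a bogus entry" idea in jws's comment above. All addresses are constructed documentation ranges.

```python
"""EDNS Client Subnet (ECS) option encoder/decoder (RFC 7871 wire format).

Added example, not code from the thread. Shows exactly how much of a client
address a /24 (or /56 for IPv6) hint discloses, and the prefix-0 opt-out.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8      # assigned to edns-client-subnet in RFC 7871
OPT_RR_TYPE = 41         # OPT pseudo-RR type, RFC 6891


def build_ecs_option(client_ip: str, prefix_len: int) -> bytes:
    """Encode OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE, SCOPE, ADDRESS.

    ADDRESS is truncated to ceil(prefix_len / 8) bytes and the bits past the
    prefix are zeroed, so a /24 hint carries only the first three octets.
    """
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    if not 0 <= prefix_len <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    addr_bytes = net.network_address.packed[: (prefix_len + 7) // 8]
    # SCOPE PREFIX-LENGTH must be 0 in a query; the authority fills it in the reply.
    body = struct.pack("!HBB", family, prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_ecs_opt_out(family: int = 1) -> bytes:
    """SOURCE PREFIX-LENGTH 0 with an empty address: 'do not use my address'."""
    body = struct.pack("!HBB", family, 0, 0)
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes):
    """Decode an ECS option; returns (network address as str, source, scope)."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = data[4:4 + length]
    family, source, scope = struct.unpack("!HBB", body[:4])
    addr = body[4:]
    full_len = 4 if family == 1 else 16
    if len(addr) != (source + 7) // 8 or len(addr) > full_len:
        raise ValueError("address length does not match source prefix length")
    padded = addr + b"\x00" * (full_len - len(addr))
    return str(ipaddress.ip_address(padded)), source, scope


def build_opt_rr(options: bytes, udp_payload_size: int = 4096) -> bytes:
    """Wrap option bytes in an OPT pseudo-RR: root name, TYPE 41, CLASS = UDP
    payload size, TTL = extended RCODE/version/flags (zero here), RDLEN, RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0,
                                 len(options)) + options


def addresses_covered(prefix_len: int, family: int = 1) -> int:
    """How many hosts a hint of this length still leaves indistinguishable."""
    return 2 ** ((32 if family == 1 else 128) - prefix_len)


if __name__ == "__main__":
    opt = build_ecs_option("203.0.113.77", 24)       # constructed client address
    print(opt.hex())                                  # 0008 0007 0001 18 00 cb0071
    print(parse_ecs_option(opt))                      # ('203.0.113.0', 24, 0)
    print(addresses_covered(24), "hosts share that /24 hint")
    print(build_opt_rr(build_ecs_opt_out()).hex())
```

Running the stand-alone block prints the option as hex so the truncated three octets are visible; note that a resolver behind a carrier-grade NAT (the kvs concern above) would send the NAT pool's /24, which says little about the real user.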

~~~
aristus
For most people they are, but you'd be surprised at how many badly-placed or
-configured resolvers there are out there.

Consider a nationwide ISP with resolvers on East coast and West coast. For
"failover" they assign them in random order to customers. That means 50% of
the time a customer of the ISP in Tampa will appear to be coming from a
resolver in San Jose.

------
tybris
Common view for CDNs. Identifying client locations by DNS resolver is really
inaccurate.

------
vkdelta
DNS purists will not like this. For many reasons (other than CDNs, e.g.
SIP) source-based DNS routing seems to be needed now.

------
aristus
Vixie will not like this, for sure. Another way to do this is to use your HTTP
and DNS logs to "triangulate" seen user IPs with seen resolver IPs. It's
surprising how many DNS resolvers are ill-placed with regards to their
clients.
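
The "triangulation" aristus describes, as an added example that is not code from the thread or from any CDN. The assumed setup: each served page embeds a one-off hostname `<token>.probe.example` (a hypothetical name) whose A record is answered by a nameserver whose queries we log, and the same token comes back in the HTTP request for the probe. Joining the two logs on the token pairs each browsing client's IP with the recursive resolver that asked on its behalf; a small constructed geo table stands in for a GeoIP database. The sample log lines are constructed, and one DNS query is deliberately left without an HTTP counterpart (the prefetch case mike-cardwell raises above).

```python
"""Pair HTTP client IPs with the resolver IPs that looked up a per-client
hostname, then flag resolvers that sit far from the users they serve.

Added example, not from the thread. Log formats, hostnames and the geo
table are constructed for illustration.
"""
import ipaddress
import math
import re
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0

# Constructed stand-in for a GeoIP database: prefix -> (label, lat, lon).
GEO = {
    "198.51.100.0/24": ("Tampa", 27.95, -82.46),
    "203.0.113.0/24": ("San Jose", 37.34, -121.89),
    "192.0.2.0/24": ("Atlanta", 33.75, -84.39),
}

# Constructed authoritative-nameserver query log: "<time> <resolver_ip> <qname> <qtype>".
DNS_LOG = """\
2010-01-28T10:00:01Z 203.0.113.53 abc123.probe.example. A
2010-01-28T10:00:05Z 192.0.2.53 def456.probe.example. A
2010-01-28T10:00:09Z 203.0.113.53 ghi789.probe.example. A
"""

# Constructed web-server log (common log format). ghi789 was resolved
# (prefetched) but never fetched over HTTP, so it cannot be paired.
HTTP_LOG = """\
198.51.100.10 - - [28/Jan/2010:10:00:02 +0000] "GET /probe?t=abc123 HTTP/1.1" 200 43
198.51.100.11 - - [28/Jan/2010:10:00:06 +0000] "GET /probe?t=def456 HTTP/1.1" 200 43
"""

DNS_RE = re.compile(r"^\S+ (\S+) ([a-z0-9]+)\.probe\.example\. A$")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /probe\?t=([a-z0-9]+) HTTP/[\d.]+"')


def locate(ip: str):
    """Longest-prefix lookup in the constructed geo table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, loc in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return loc
    return None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_dns_log(text: str) -> dict:
    """token -> resolver IP that first asked for <token>.probe.example."""
    seen = {}
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(2) not in seen:
            seen[m.group(2)] = m.group(1)
    return seen


def parse_http_log(text: str) -> dict:
    """token -> client IP that fetched /probe?t=<token>."""
    seen = {}
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if m and m.group(2) not in seen:
            seen[m.group(2)] = m.group(1)
    return seen


def triangulate(dns_text: str = DNS_LOG, http_text: str = HTTP_LOG, far_km: float = 1000.0):
    """Join the two logs on token and measure client-to-resolver distance."""
    resolver_by_token = parse_dns_log(dns_text)
    pairs = []
    for token, client_ip in parse_http_log(http_text).items():
        resolver_ip = resolver_by_token.get(token)
        if resolver_ip is None:
            continue                      # HTTP hit with no matching DNS query
        c, r = locate(client_ip), locate(resolver_ip)
        if c is None or r is None:
            continue                      # cannot place one side; skip it
        dist = haversine_km(c[1], c[2], r[1], r[2])
        pairs.append({"token": token, "client_ip": client_ip, "client_loc": c[0],
                      "resolver_ip": resolver_ip, "resolver_loc": r[0],
                      "distance_km": round(dist), "far": dist > far_km})
    return pairs


def resolver_report(pairs) -> dict:
    """resolver IP -> (paired clients, fraction of them farther than the threshold)."""
    flags = defaultdict(list)
    for p in pairs:
        flags[p["resolver_ip"]].append(p["far"])
    return {ip: (len(f), sum(f) / len(f)) for ip, f in flags.items()}


if __name__ == "__main__":
    for p in triangulate():
        print(p)
    print(resolver_report(triangulate()))
```

With the constructed logs the Tampa client behind the San Jose resolver lands roughly 3,800 km from it and is flagged, while the Tampa client behind the Atlanta resolver is under 1,000 km away and is not; aggregating per resolver over real traffic is what turns that into a list of ill-placed resolvers worth overriding.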

------
kierank
I've heard stories about "unofficial arrangements" that some CDNs are
purported to use in order to see client addresses. No idea if it's true
though.