mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-12-26 05:02:37 +01:00
n/dns.md: to ecs or not to ecs?
This commit is contained in:
parent
54b913a028
commit
6c6d95c63d
42
n/dns.md
42
n/dns.md
@ -15,7 +15,8 @@ _For DNS resolvers, refer to [r/resolv.tsv](/r/resolv.tsv)_
|
||||
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
|
||||
|
||||
- [Identifying DNS resolver](#identifying-dns-resolver)
|
||||
- [Identifying support for client-subnet](#identifying-support-for-client-subnet)
|
||||
- [To ECS or not to ECS?](#to-ecs-or-not-to-ecs)
|
||||
- [Identifying support for client-subnet](#identifying-support-for-client-subnet)
|
||||
- [Mobile applications](#mobile-applications)
|
||||
- [Android](#android)
|
||||
- [Rethink](#rethink)
|
||||
@ -34,7 +35,44 @@ _For DNS resolvers, refer to [r/resolv.tsv](/r/resolv.tsv)_
|
||||
|
||||
The above list is based on [redirect2me/which-dns README alternatives section](https://github.com/redirect2me/which-dns/blob/main/README.md)
|
||||
|
||||
## Identifying support for client-subnet
|
||||
## To ECS or not to ECS?
|
||||
|
||||
[_Understanding the Privacy Implications of ECS_](https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf)
|
||||
brings up two bigger issues EDNS client-subnet:
|
||||
|
||||
- Authoritative nameserver is given part of the subnet, which can be
|
||||
personally identifiable and as the connection between recursor and
|
||||
authoritative is unencrypted, anyone between them can observe all the
|
||||
queries.
|
||||
- Think of VPNs where traffic within the VPN is encrypted, but it won't
|
||||
magically encrypt plain traffic leaving it.
|
||||
- Anyone between the recursive and authoritative nameservers can perform cache
|
||||
poisoning attack and give it a narrow target. With short TTL, it may be
|
||||
impossible to audit afterwards. Only DNSSEC can protect from this, but
|
||||
DNSSEC signing isn't used that widely.
|
||||
|
||||
These issues bring additional questions:
|
||||
|
||||
- Do you care?
|
||||
- If you run open wireless network and offer everyone ECS nameserver such as
|
||||
Google DNS through DHCP while using manually configured encrypted DNS by
|
||||
yourself, is there any cause for concern? You can always say it was
|
||||
someone using your open network? Or if this is a multi-user system like
|
||||
VPS running titlefetcher bot or Matrix homeserver, who knows who triggered
|
||||
the original queries and where?
|
||||
- How much does getting local content matter to you? More or less than
|
||||
increased resource use of contacting a server further away? Is private ECS
|
||||
an option? ([r/resolv.tsv](/r/resolv.tsv))
|
||||
- What is the impact of domains you visit being surveilled?
|
||||
- This page mentions cases like FFUpdater where the surveillance would
|
||||
reveal that I interact with github.com and other sites it downloads apk
|
||||
files from, which hardly matters, but how about you?
|
||||
- What is the impact of cache poisoning tailored to you?
|
||||
- Everything is encrypted and TLS certificates wouldn't match so would you
|
||||
continue to the wrong site regardless of the prompt, or decide something
|
||||
is wrong and try again later. How about your users?
|
||||
|
||||
### Identifying support for client-subnet
|
||||
|
||||
Or what is being sent to the authoritative servers.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user