Subject: Everyone's DNS requests logged in one easy place
From: AnonUser
Newsgroups: rocksolid.shared.security
Organization: RetroBBS
Date: Tue, 14 Aug 2018 11:19 UTC
From https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https

Mozilla to send all your browser DNS requests to Cloudflare

---------------
At Mozilla, we feel strongly that we have a responsibility to protect our users and their data. We’ve been working on fixing these vulnerabilities.

We are introducing two new features to fix this — Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH). Because really, there are three threats here:

    You could end up using an untrustworthy resolver that tracks your requests, or tampers with responses from DNS servers.
    On-path routers can track or tamper in the same way.
    DNS servers can track your DNS requests.

[image: the three threats—resolvers, on-path routers, and DNS servers]

So how do we fix these?

    Avoid untrustworthy resolvers by using Trusted Recursive Resolver.
    Protect against on-path eavesdropping and tampering using DNS over HTTPS.
    Transmit as little data as possible to protect users from deanonymization.

Avoid untrustworthy resolvers by using Trusted Recursive Resolver

Networks can get away with providing untrustworthy resolvers that steal your data or spoof DNS because very few users know the risks or how to protect themselves.

Even for users who do know the risks, it’s hard for an individual user to negotiate with their ISP or other entity to ensure that their DNS data is handled responsibly.

However, we’ve spent time studying these risks… and we have negotiating power. We worked hard to find a company to work with us to protect users’ DNS data. And we found one: Cloudflare.

Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected.

With this, we have a resolver that we can trust to protect users’ privacy. This means Firefox can ignore the resolver that the network provides and just go straight to Cloudflare. With this trusted resolver in place, we don’t have to worry about rogue resolvers selling our users’ data or tricking our users with spoofed DNS.

Why are we picking one resolver? Cloudflare is as excited as we are about building a privacy-first DNS service. They worked with us to build a DoH resolution service that would serve our users well in a transparent way. They’ve been very open to adding user protections to the service, so we’re happy to be able to collaborate with them.

But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them.

Protect against on-path eavesdropping and tampering using DNS over HTTPS

The resolver isn’t the only threat, though. On-path routers can track and spoof DNS because they can see the contents of the DNS requests and responses. But the Internet already has technology for ensuring that on-path routers can’t eavesdrop like this. It’s the encryption that I talked about before.

By using HTTPS to exchange the DNS packets, we ensure that no one can spy on the DNS requests that our users are making.

Transmit as little data as possible to protect users from deanonymization

In addition to providing a trusted resolver which communicates using the DoH protocol, Cloudflare is working with us to make this even more secure.

Normally, a resolver would send the whole domain name to each server—to the Root DNS, the TLD name server, the second-level name server, etc. But Cloudflare will be doing something different. It will only send the part that is relevant to the DNS server it’s talking to at the moment. This is called QNAME minimization.

[image: resolver only asking the relevant question]

The resolver will also often include the first 24 bits of your IP address in the request. This helps the DNS server know where you are and pick a CDN closer to you. But this information can be used by DNS servers to link different requests together.

Instead of doing this, Cloudflare will make the request from one of their own IP addresses near the user. This provides geolocation without tying it to a particular user. In addition to this, we’re looking into how we can enable even better, very fine-grained load balancing in a privacy-sensitive way.

Doing this — removing the irrelevant parts of the domain name and not including your IP address — means that DNS servers have much less data that they can collect about you.

------------------

"But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want"

Does this mean that you can only use DoH-supporting resolvers? Can you configure it to use your own resolver?

Chrome has been redirecting DNS requests to their own servers for quite a while (they perform a test on your resolver and if it fails, they use their own).

Why should we think Cloudflare is safe? It does bring a nice database of DNS requests all in one place to be searched through. Not sure that's an increase in security.
--- Synchronet 3.17a-Linux NewsLink 1.108
Posted on RetroBBS
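The QNAME minimization and client-subnet behaviour quoted in the post above, as an added illustration that is not part of the post or the Mozilla article: it lists what each authoritative server on the delegation chain learns with and without QNAME minimization, and what an EDNS Client Subnet prefix exposes. The domain name and client address are constructed sample values.

```python
"""Added example: data exposure to upstream DNS servers with and without
QNAME minimization (RFC 7816) and EDNS Client Subnet (RFC 7871) prefixes."""
import ipaddress


def labels(qname):
    """Split 'www.example.com.' into ['www', 'example', 'com'] (root label dropped)."""
    return [lbl for lbl in qname.rstrip(".").split(".") if lbl]


def servers_on_path(qname):
    """Zones consulted during iterative resolution, root first: '.', 'com.', ..."""
    ls = labels(qname)
    return ["."] + [".".join(ls[i:]) + "." for i in range(len(ls) - 1, 0, -1)]


def what_each_server_sees(qname, minimized):
    """Return (zone, name sent to that zone's server) pairs.

    Without minimization every server, including the root, sees the full name.
    With minimization the resolver only asks each server for the next label
    below the zone it is talking to (RFC 7816 sends these as NS queries)."""
    ls = labels(qname)
    seen = []
    for depth, zone in enumerate(servers_on_path(qname)):
        if minimized:
            sent = ".".join(ls[len(ls) - depth - 1:]) + "."
        else:
            sent = ".".join(ls) + "."
        seen.append((zone, sent))
    return seen


def ecs_source(client_ip, prefix_len=24):
    """EDNS Client Subnet value a resolver would forward: the client's address
    truncated to prefix_len bits (the /24 the article mentions). prefix_len=0
    forwards no client information at all."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return str(net)


if __name__ == "__main__":
    name = "www.example.com."          # constructed sample name
    for mode in (False, True):
        print("QNAME minimization:", mode)
        for zone, sent in what_each_server_sees(name, mode):
            print(f"  server for {zone:<14} learns {sent}")
    # constructed sample client address from the documentation range
    print("ECS /24:", ecs_source("203.0.113.45"))
    print("ECS /0 :", ecs_source("203.0.113.45", 0))
```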


Subject: Re: Everyone's DNS requests logged in one easy place
From: anon
Newsgroups: rocksolid.shared.security
Organization: def4
Date: Tue, 14 Aug 2018 19:07 UTC
References: 1
> Why should we think Cloudflare is safe?

Indeed. Aren't those the people pestering Tor users with JS captchas?

Posted on def4.i2p

