Re: DNS and trust in general


Re: DNS and trust in general

@lbutlr
On 2018-04-02 (19:26 MDT), gastropod <[hidden email]> wrote:
>
> To use the internet at all, you have to use a DNS server.  The day is long gone that you can keep a list on a piece of paper and IP numbers rarely changed. Logging DNS traffic doesn't gain someone a lot, but serving out the wrong IPs certainly can.

Even keeping IP addresses will not help. Most sites are hosted on an IP that serves many sites, and the only way to get to the right one is by using the domain name. For example, my web server is a single machine, but it hosts many websites. You can only reach one by the IP address.

--
If we get through this alive I'll meet you next week same place same
time




____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____
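The point above about one IP serving many sites is name-based virtual hosting: the server picks the site from the request's Host header, so a request that carries only the IP address gets the default (or nothing). The following is an added example, not code from the post or from any real web server; the site names, page bodies and the local loopback server are all constructed for illustration.

```python
"""
Name-based virtual hosting on a single IP, demonstrated with a local server.
Added example, not code from the original post.  Site names and bodies are
constructed; the server binds to 127.0.0.1 on an ephemeral port.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: three sites that all live on the one address the server listens on.
SITES = {
    "alpha.example": b"alpha site\n",
    "beta.example": b"beta site\n",
    "gamma.example": b"gamma site\n",
}


def select_site(host_header):
    """Map a Host header to a site name, or None when nothing matches.

    Strips an optional :port and lowercases, as a real vhost router would.
    A bare IP address (or a missing header) matches no site.
    """
    if not host_header:
        return None
    name = host_header.split(":", 1)[0].strip().lower()
    return name if name in SITES else None


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        site = select_site(self.headers.get("Host"))
        if site is None:
            body = b"no site for this Host header\n"
            self.send_response(404)
        else:
            body = SITES[site]
            self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def serve(host="127.0.0.1"):
    """Start the server on an ephemeral port in a daemon thread."""
    srv = HTTPServer((host, 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(ip, port, host_header=None):
    """Send a raw GET / to ip:port, with or without a Host header.

    Returns (status_code, body).  Raw sockets are used so the Host header
    that goes on the wire is exactly what the caller chose.
    """
    lines = ["GET / HTTP/1.1"]
    if host_header is not None:
        lines.append(f"Host: {host_header}")
    lines.append("Connection: close")
    raw = ("\r\n".join(lines) + "\r\n\r\n").encode()
    with socket.create_connection((ip, port), timeout=5) as s:
        s.sendall(raw)
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body


def demo():
    """Hit the same IP with different Host headers; return {label: (status, body)}."""
    srv = serve()
    ip, port = srv.server_address
    try:
        results = {
            "no-host-header": fetch(ip, port),
            "host-is-ip": fetch(ip, port, f"{ip}:{port}"),
            "unknown.example": fetch(ip, port, "unknown.example"),
        }
        for name in SITES:
            results[name] = fetch(ip, port, name)
    finally:
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label:>16}: {status} {body.decode().strip()}")
```

Every request goes to the same IP and port; only the Host header differs, and only the requests that name a configured site get a page. That is why an IP address written down on paper gets you the server but not the website.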

Re: DNS and trust in general

Rodney

> On Apr 3, 2018, at 03:26, gastropod <[hidden email]> wrote:
>
> You have to trust someone, or else crawl into a cave.

Yep. Even if you get a VPN, you have to trust the VPN provider.

> Logging DNS traffic doesn't gain someone a lot, …

All it gets someone is the fact that IP address a.b.c.d resolved some-domain.whatever into an IP address. That’s not overly useful, because if the system with address a.b.c.d then proceeds to access some-domain.whatever, then the system that was accessed will know that a.b.c.d accessed it.

> … but serving out the wrong IPs certainly can.

Yep. And even if the DNS server doesn’t serve up the wrong address, it has been a common practice for scammers to buy up domains which are common misspellings of major domains.

> So people started using independent DNS servers, such as google, which seems to be the most popular. Effort involved: a quick setting on the computer.   I have close to zero trust in google, but rate them as less sleazy than the average ISP--especially for DNS, which gives them limited data compared to packet streams.

Exactly. DNS traffic monitoring only gives them information about which bits of the backbone are most heavily used at any one time. They could, in theory, sell this information to whoever manages the backbone, but those folks probably collect their own data.

> But, google.  They don't seem to ever delete anything (in a few cases, not even when ordered to by a court).

True, but in the case of DNS, I really don’t care that someone knows that an IP address that DHCP assigned to me a year ago looked up the IP address of some.pornsite, especially since Google isn’t going to find out that the IP address temporarily belonged to me a year ago.

> Cloudflare has upped the game with DoH and the audit.  Cloudflare certainly isn't perfect, but it's clear how they make most of their money, and it isn't from data harvesting or monopolistic practices.

Yes. They have everything to lose and nothing to gain by misusing what little information they can gain from DNS lookups.

> Currently the Tunnelbear VPN which I use from time to time is using google DNS.  I hope they'll switch to Cloudflare soon.  (Tunnelbear is one of the few VPNs that has had an independent security audit: …

I can’t justify the cost and possible performance hit of a VPN at the moment. I do have friends in the UAE who have a different take. As always, YMMV.




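Two things in the exchange above can be made concrete: what a resolver operator actually has in hand when it logs a query (the client address plus the name and record type in the question section), and what changes with DoH, where the same DNS message is carried as an unpadded base64url parameter of an HTTPS GET per RFC 8484 instead of as a plaintext UDP datagram. The following is an added example, not code from the posts or from Cloudflare or Google; the query name some-domain.whatever follows the placeholder used in the thread, the answer 203.0.113.7 and the TTL are constructed, and the https://cloudflare-dns.com/dns-query endpoint is an assumption passed in as a parameter, never contacted here.

```python
"""
DNS wire format: build a query, wrap it for DoH (RFC 8484 GET), and parse a
constructed response.  Added example, not code from the original posts.
Nothing here touches the network; the response bytes are constructed inline.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, NUL terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        lb = label.encode("ascii")
        if not 0 < len(lb) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(lb)]) + lb
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0):
    """Standard recursive query.  RFC 8484 section 4.1 recommends ID 0 for DoH
    GET so identical questions yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD bit
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg, off):
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def question_of(msg):
    """What a resolver sees (and can log) in a query: (qname, qtype)."""
    qd = struct.unpack("!H", msg[4:6])[0]
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype


def parse_a_records(msg):
    """Return (rcode, [(name, ttl, dotted_ipv4), ...]) from a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers


def doh_get_url(query, endpoint="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: ?dns=<base64url of the wire message, no padding>.
    The endpoint default is an assumption; it is not contacted here."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def decode_dns_param(param):
    """Inverse of doh_get_url's encoding: restore padding and decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def constructed_response(name="some-domain.whatever", ip="203.0.113.7", ttl=300):
    """A constructed A-record response, flags 0x8180 (QR, RD, RA), one answer
    whose owner name is a compression pointer back to the question."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query("some-domain.whatever")
    print("resolver logs:", question_of(q))
    print("DoH GET:", doh_get_url(q))
    print("answer:", parse_a_records(constructed_response()))
```

Over plain UDP or TCP port 53 the whole of build_query's output is visible to every hop; over DoH the same bytes ride inside TLS and only the resolver sees question_of's result, which is exactly the per-client lookup record the posts describe. A resolver that "serves out the wrong IPs" just changes the rdata that parse_a_records returns, which is why the choice of resolver matters more than the transport.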