It's too early to make guesses about the success of this effort at the IETF, but Paul Vixie, well known as the original author of the BIND DNS software and no less for his strong opinions, set the tone in a message to the IETF DNSEXT mailing list. "if we're going to add client identity to the query, can we do so in a more general way? i'd like to know lat-long, country, isp, language, and adult/child."
Is there really any privacy preserved by concealing the IP of a DNS query? The next thing you are going to do is contact the resulting host (probably controlled by the same people as the DNS server) with your IP in the sender IP field.
I suppose one could imagine a situation where a user is using some sort of anonymizer for their HTTP traffic, but not their DNS. DNS anonymizers are trival. Just don't implement this feature, or I suspect your client resolver code could prefill the RR with a bogus entry.
I've run my own DNS servers for years with the side effect that the authoritative DNS servers and their slaves get to see my IP when I query. They sky has not fallen.
I thought recursive resolvers are geographically local enough for caching web services. I checked mine and it seems to be 4 hops away, 2 beyond our network perimeter.
\24 is very intrusive and what about those who are behind ISP NATs. \24 may not be as useful to Google.
For most people they are but you'd be surprised at how many basly-placed or -configured resolvers there are out there.
Consider a nationwide ISP with resolvers on East coast and West coast. For "failover" they assign them in random order to customers. That means 50% of the time a customer of the ISP in Tampa will appear to be coming from a resolver in San Jose.
Vixie will not like this, for sure. Another way to do this is to use your HTTP and DNS logs to "triangulate" seen user IPs with seen resolver IPs. It's surprising how many DNS resolvers are ill-placed with regards to their clients.
12 comments
[ 6.7 ms ] story [ 39.2 ms ] threadIt's too early to make guesses about the success of this effort at the IETF, but Paul Vixie, well known as the original author of the BIND DNS software and no less for his strong opinions, set the tone in a message to the IETF DNSEXT mailing list. "if we're going to add client identity to the query, can we do so in a more general way? i'd like to know lat-long, country, isp, language, and adult/child."
I suppose one could imagine a situation where a user is using some sort of anonymizer for their HTTP traffic, but not their DNS. DNS anonymizers are trival. Just don't implement this feature, or I suspect your client resolver code could prefill the RR with a bogus entry.
I've run my own DNS servers for years with the side effect that the authoritative DNS servers and their slaves get to see my IP when I query. They sky has not fallen.
Incorrect assumption. DNS pre-fetching. See: https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunder...
\24 is very intrusive and what about those who are behind ISP NATs. \24 may not be as useful to Google.
Consider a nationwide ISP with resolvers on East coast and West coast. For "failover" they assign them in random order to customers. That means 50% of the time a customer of the ISP in Tampa will appear to be coming from a resolver in San Jose.