12 comments

[ 6.7 ms ] story [ 39.2 ms ] thread
best quote in the piece:

It's too early to make guesses about the success of this effort at the IETF, but Paul Vixie, well known as the original author of the BIND DNS software and no less for his strong opinions, set the tone in a message to the IETF DNSEXT mailing list. "if we're going to add client identity to the query, can we do so in a more general way? i'd like to know lat-long, country, isp, language, and adult/child."

Shame he didn't work an "a/s/l" joke in there.
Reading the comment, I think he did.
My IP can track me to within the city I live in, I think it does 100 times better than any A/S/L answer ever did.
Is there really any privacy preserved by concealing the IP of a DNS query? The next thing you are going to do is contact the resulting host (probably controlled by the same people as the DNS server) with your IP in the sender IP field.

I suppose one could imagine a situation where a user is using some sort of anonymizer for their HTTP traffic, but not their DNS. DNS anonymizers are trival. Just don't implement this feature, or I suspect your client resolver code could prefill the RR with a bogus entry.

I've run my own DNS servers for years with the side effect that the authoritative DNS servers and their slaves get to see my IP when I query. They sky has not fallen.

I thought recursive resolvers are geographically local enough for caching web services. I checked mine and it seems to be 4 hops away, 2 beyond our network perimeter.

\24 is very intrusive and what about those who are behind ISP NATs. \24 may not be as useful to Google.

For most people they are but you'd be surprised at how many basly-placed or -configured resolvers there are out there.

Consider a nationwide ISP with resolvers on East coast and West coast. For "failover" they assign them in random order to customers. That means 50% of the time a customer of the ISP in Tampa will appear to be coming from a resolver in San Jose.

Vixie will not like this, for sure. Another way to do this is to use your HTTP and DNS logs to "triangulate" seen user IPs with seen resolver IPs. It's surprising how many DNS resolvers are ill-placed with regards to their clients.
Common view for CDNs. Identifying client locations by DNS resolver is really inaccurate.
DNS purist will not like this. For many reasons ( other than CDNs, for e.g SIP) source-based DNS routing seem to be needed now.
I've heard stories about "unofficial arrangements" that some CDNs are purported to use in order to see client addresses. No idea if it's true though.