XMPP is not e2ee, the second server gets your JID (but not your IP, supposing your client doesn't leak it): you need to trust the servers (1, 2 and the resolver).
Also; you don't get virtual circuits, but the performance should be superior. Tor only supports A, AAAA and PTR; DoX supports every record type.
You can connect to XMPP servers over tor, even host them on .onion addresses.
Also, XMPP has e2e extensions, at least one of which supports encrypting/verifying arbitrary XML[1], so if the resolver supported it, you could only trust the resolver. (also don't forget about DNSSEC which can be used to verify DNS responses too)
Agreed, the best case is when you have e2ee (which unfortunately is not in core) and DNSSEC.
I must admit to being biased against using DNSSEC alone because a malicious XMPP server can still inspect and/or modify queries and responses. By self-hosting you mitigate, but without e2ee the server is still trusted (in the threat-model).
You trust whatever server you query. That might be server one, or it might be server one and server two. It's a federated network, so you make requests through your own server.
> And will XMPP server 2 have my IP address?
No. It's a federated network, like email, so it just gets your XMPP address (historically referred to as a "Jabber ID" or "JID").
There's an awful lot of "why not?" here. Remember, this is an Experimental XEP. The XMPP Council saw no reason to actively block it, but that doesn't mean we're all mad keen that everyone should rush out and do it.
There was an intense debate on whether it ought to be published as Standards Track or Humorous...
I'm sure there are valid reasons, but I also think there's a law that no matter how comprehensive your application protocol, it will eventually get turned into a transport for a higher-level (sometimes shoddier) application protocol.
Yah, naming a DNS protocol DOX and then releasing it on the worst day of the year on the internet might not have been a great idea… I suppose we should have seen this coming :)
Purely curious, what advantages does this give you in a corporate sort of scenario where your login is probably authing against Active Directory? Does this protocol offer any leverage for developers in a multi-forest setup via API to programmatically choose domain controllers?
24 comments
[ 3.2 ms ] story [ 42.3 ms ] thread1. performance: since the TCP+TLS handshake is only performed once and the connection is kept open forever
2. privacy: the resolver doesn't get the requesting party's IP address
How does that work? Is it somewhat like Tor?
[Requesting Party]<--->[XMPP server]<--->[XMPP Server]<--->[Resolver]
And will XMPP server 2 have my IP address?
Also; you don't get virtual circuits, but the performance should be superior. Tor only supports A, AAAA and PTR; DoX supports every record type.
Also, XMPP has e2e extensions, at least one of which supports encrypting/verifying arbitrary XML[1], so if the resolver supported it, you could only trust the resolver. (also don't forget about DNSSEC which can be used to verify DNS responses too)
[1]: https://xmpp.org/extensions/xep-0373.html
I must admit to being biased against using DNSSEC alone because a malicious XMPP server can still inspect and/or modify queries and responses. By self-hosting you mitigate, but without e2ee the server is still trusted (in the threat-model).
You trust whatever server you query. That might be server one, or it might be server one and server two. It's a federated network, so you make requests through your own server.
> And will XMPP server 2 have my IP address?
No. It's a federated network, like email, so it just gets your XMPP address (historically referred to as a "Jabber ID" or "JID").
There was an intense debate on whether it ought to be published as Standards Track or Humorous...
https://github.com/wiktor-k/prosody-dox
https://github.com/moparisthebest/jDnsProxy
It's just as humorous as DoT or DoH.
* the name of the protocol: DoX
* the name of the request: IQ-get
* lastly, the current date
edit: OK, this might not be a joke after all, but it sure has a few hints in there.
IQ is the usual abbreviation for info/query elements in XMPP ...
DoH is DNS-over-HTTP
DoT is DNS-over-TLS
Have you read it completely?
>Version 0.0.1 (2019-03-11)
It seems DoX would fit in there perfectly!