10 comments

[ 4.4 ms ] story [ 35.8 ms ] thread
The title is a little confusing as DNS over HTTPS is the technology that comes to mind for DNS privacy. That hides the DNS queries in an HTTPS tunnel, which means fewer actors can see or spoof DNS results.

The QNAME minimisation technique described in the article is about showing only partial requests to intermediate authorities in the DNS hierarchy. DNS over HTTPS can protect the request until it gets to the resolver, and then the QNAME minimisation system can hide it from interested intermediate DNS authorities. I guess in practice this means the .com servers can't tell whether someone is going to xxx.substack.com or yyy.substack.com just that they're asking about substack.

As the article points out, most users ask a shared DNS resolver to perform resolution for them, and if you want to, the Cloudflare public resolver 1.1.1.1 uses this technique.

Bandwidth is pretty cheap. You could fetch the most common million host names every 24h.

For longer tail stuff, you could use buckets. Cluster domains so only a few or ideally a single buckets need to be fetched. But make sure every bucket has multiple clusters.

"Give me the recipes and porn bucket please"

If you have a trusted source for a million host names, you have a trusted source for one hostname. So why would you have to download a million upfront and not just the one you need?
it's not about trust but "hiding in a group of queries"
Because there's a big difference between asking for the address of a Mall vs. Asking for the address of the sex toy shop in the mall openly. Or the gun store. Or the space the labor Union rented out in the building for a meeting.

Given that the Internet wasn't made with the concept of nosy people as a adversary or threat, many adversaries have flocked to using the metadata as a gold mine instead of just ignoring it and passing it along. Which is half the reason it seems like we can't just have nice things.

> only one open DNS resolver — Hurricane Electric’s Open DNS service — has a 97% QNAME Minimisation ratio. The Open Resolver’s services that record ratios of between 50% and 70% raise a question as to what is happening here?

If this isn't a smoking gun I don't know what is.

HE is the only entity on that list with a non-0% ratio who is also a backbone carrier -- i.e. their own routers have no 0.0.0.0/0 route.

Obviously there is tampering going on here; no sane DNS software includes an "if (rand()) { do_qname_minimization_today(); }". And, obviously, the tampering is happening at the carrier level. And you can bet the answer starts with a "Century" and ends with "Link".

Your answer baffles me.

From the blog I get the impression Geoff is not "raise a question as to what is happening here" about HE's 97%, but more about all the others with >0% & <97%.

Would you care to enlighten us with what you are implying?

If I'm grokking correctly, the poster is asserting that there are ISP shenanigans going on due to the fact that measurements aren't coming in in a binary nature. Either you support QNAME minimization, or you don't. If you support it, but someone else in the recursive resolution chain doesn't, that would explain <100% measurements, since they pass on more info than they should be, and in theory there may be temporary reentrant loops due to poorly managed BGP, which results in unminimized DNS queries being visible to the measurer somehow.

The poster seems to think Century Link is involved in a fundamental way. Which admittedly, given their track record with hosing large swathes of the Internet these last couple years may not be unreasonable.

At least that was what I got out of it.

Yes, that's pretty much exactly what I was trying to say.
> ... Cloudflare’s 1.1.1.1 service, Quad9, and the OpenDNS service resolve their queries using QNAME Minimisation.

However, the "most popularly used" open resolver, Google's Public DNS, "does to not appear to support QNAME Minimisation".

Is anyone actually surprised by this, at all?