Sorry about that, I'll look into it in a bit.
Hi, I answered it in another comment below.
This is not the privacy concern, check out the https://tools.ietf.org/html/rfc7871#section-11.1 discussing it. Yes, if you open a connection to the target IP, then all transit networks between client and the target IP…
Disclaimer: I work on 1.1.1.1. You might not consider your /24 as personally identifying, but others might. The original RFC discusses these problems fairly well (https://tools.ietf.org/html/rfc7871, Privacy notice and…
That's good, I missed that. Thanks for highlighting the project, I'll keep an eye on it!
This is interesting as a lighter alternative to DNS over Tor. Where is the padding going to be? Basic clients won't add EDNS padding by default, but intuitively there has to be padding somewhere. It reminds me of…
From operational perspective, it may be easier to maintain a certificate (after all, that's what you already do for an HTTPS service) than a DNSSEC signed zone. It is also easier if you have a multiple DNS providers,…
I wrote a not very well known LuaJIT to BPF compiler as a part of bcc precisely because of this. It doesn't depend on anything besides LuaJIT (no LLVM, no C, no libbpf, etc). Caveats: it's Lua, it doesn't fast track all…
HTTPS gives you clear upgrade path to QUIC and handshake costs of TLS 1.2-3 as well. This is the very goal of this study - to determine how feasible is it in the real world and what's the performance impact.
Cloudflare publishes transparency reports https://www.cloudflare.com/transparency/ It also promises not to store your IP associated with the DNS requests https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...…
DPRIVE maintains a list with current implementation status https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implement... (you're looking for TLS encryption + OOOR + pipelining)
DNSSEC is orthogonal to this. Its goal is to prove integrity of records between authoritatives and the closest validator. The validator is most often the resolver doing the recursion, not the client. The client can…
It's worth mentioning that encrypted DNS is not just about privacy, but also integrity. It's more difficult to intercept or spoof in hostile networks. ISP can still see the target IP address and SNI. The IP address is…
This is a great comment. The ping time is so much less meaningful for recursive service than for authoritative. The latency difference between cached answer and uncached answer is in several orders of magnitude. The…
4.2.2.x (Level3) is one of those resolvers hijacking negative answers and redirecting your to their "search pages".
I ran a full recursor on my laptop for about two years. It's not a great choice, especially if you're not stationary. A lot as a lot of environments intercept DNS and poison your cache, the answers for lb'd names also…
QNAME minimization just minimizes the name to one label under a delegation, there's no randomization. So root zone would only get 'com.' (and type NS). It's unfortunately easy for authoritative servers (below TLD level)…
As it should fail in any validating resolver. The CNAME signature recently expired: http://dnsviz.net/d/www.immigration.govt.nz/dnssec/
Yes, there's a cap on both negative and positive cache lifetime. The reason is reducing the blast radius as accidents happen, and it hurts especially on long infrastructure records (mistake during repointing NSs, bad…
There's a public list of IP ranges on the website: https://www.cloudflare.com/ips/ There's troubleshooting utilities in the CHAOS class, e.g. dig @1.1.1.1 id.server ch txt
It wasn't mentioned in the article, but I've recently merged LuaJIT to BPF compiler. So you just write Lua and the kernel bits get compiled into BPF bytecode and loaded. No C. See…
That is consented filtering and that's fine. I do the same thing locally and I'm okay with a public network operator refusing to serve certain zones (nudity, malware, illegal content). Refusing to lookup a name !=…
I reckon that depends on where you are. I don't have any hard data on this, just a lifetime of disappointment with hotel wifis. It's not the captive portal on first use what irks me, but continued DNS intercepting after…
Yes you're right, I just hoped that this may be a useful mnemonic (admittedly maybe a confusing one, but worked for me) for people starting with Lua. A simplification. How the index with negative offset is computed is…
Sorry about that, I'll look into it in a bit.
Hi, I answered it in another comment below.
This is not the privacy concern, check out the https://tools.ietf.org/html/rfc7871#section-11.1 discussing it. Yes, if you open a connection to the target IP, then all transit networks between client and the target IP…
Disclaimer: I work on 1.1.1.1. You might not consider your /24 as personally identifying, but others might. The original RFC discusses these problems fairly well (https://tools.ietf.org/html/rfc7871, Privacy notice and…
That's good, I missed that. Thanks for highlighting the project, I'll keep an eye on it!
This is interesting as a lighter alternative to DNS over Tor. Where is the padding going to be? Basic clients won't add EDNS padding by default, but intuitively there has to be padding somewhere. It reminds me of…
From operational perspective, it may be easier to maintain a certificate (after all, that's what you already do for an HTTPS service) than a DNSSEC signed zone. It is also easier if you have a multiple DNS providers,…
I wrote a not very well known LuaJIT to BPF compiler as a part of bcc precisely because of this. It doesn't depend on anything besides LuaJIT (no LLVM, no C, no libbpf, etc). Caveats: it's Lua, it doesn't fast track all…
HTTPS gives you clear upgrade path to QUIC and handshake costs of TLS 1.2-3 as well. This is the very goal of this study - to determine how feasible is it in the real world and what's the performance impact.
Cloudflare publishes transparency reports https://www.cloudflare.com/transparency/ It also promises not to store your IP associated with the DNS requests https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...…
DPRIVE maintains a list with current implementation status https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implement... (you're looking for TLS encryption + OOOR + pipelining)
DNSSEC is orthogonal to this. Its goal is to prove integrity of records between authoritatives and the closest validator. The validator is most often the resolver doing the recursion, not the client. The client can…
It's worth mentioning that encrypted DNS is not just about privacy, but also integrity. It's more difficult to intercept or spoof in hostile networks. ISP can still see the target IP address and SNI. The IP address is…
This is a great comment. The ping time is so much less meaningful for recursive service than for authoritative. The latency difference between cached answer and uncached answer is in several orders of magnitude. The…
4.2.2.x (Level3) is one of those resolvers hijacking negative answers and redirecting your to their "search pages".
I ran a full recursor on my laptop for about two years. It's not a great choice, especially if you're not stationary. A lot as a lot of environments intercept DNS and poison your cache, the answers for lb'd names also…
QNAME minimization just minimizes the name to one label under a delegation, there's no randomization. So root zone would only get 'com.' (and type NS). It's unfortunately easy for authoritative servers (below TLD level)…
As it should fail in any validating resolver. The CNAME signature recently expired: http://dnsviz.net/d/www.immigration.govt.nz/dnssec/
Yes, there's a cap on both negative and positive cache lifetime. The reason is reducing the blast radius as accidents happen, and it hurts especially on long infrastructure records (mistake during repointing NSs, bad…
There's a public list of IP ranges on the website: https://www.cloudflare.com/ips/ There's troubleshooting utilities in the CHAOS class, e.g. dig @1.1.1.1 id.server ch txt
It wasn't mentioned in the article, but I've recently merged LuaJIT to BPF compiler. So you just write Lua and the kernel bits get compiled into BPF bytecode and loaded. No C. See…
That is consented filtering and that's fine. I do the same thing locally and I'm okay with a public network operator refusing to serve certain zones (nudity, malware, illegal content). Refusing to lookup a name !=…
I reckon that depends on where you are. I don't have any hard data on this, just a lifetime of disappointment with hotel wifis. It's not the captive portal on first use what irks me, but continued DNS intercepting after…
Yes you're right, I just hoped that this may be a useful mnemonic (admittedly maybe a confusing one, but worked for me) for people starting with Lua. A simplification. How the index with negative offset is computed is…