IETF spikes government metadata collection with DNS request crypto plan

DNS requests and responses – part of what many countries regard as “metadata” that they want collected for law enforcement – should be encrypted to protect users from surveillance. That's what's put forward in RFC 7858: that DNS requests should traverse transport layer security (TLS) links, so as to protect users' requests …

  1. Anonymous Coward

    About freaking time.

    In absence of an official name, I'm going to call this DNS over (D)TLS, dnss.

    1. joed

      It's all well until you try to use that DNS response. Then "metadata" is back in the open.

  2. Anonymous Coward

    Even if elReg encrypted commentard posts, an attacker, upset at the comment, could correlate DNS access times and post times to retrieve the poster's IP address.

    And in a future dystopian May-UK, they could then use that to examine the private internet logs of that person (time+IP), pull up their bulk surveillance set, examine their political views, track their location, identify their friends and family, and so on... all warrantless of course.

    And in an even more dystopian, Neville, future, all that data would be stripped of any privacy right and sold to anyone prepared to pay.

    So, yeh, IETF's view of DNS monitoring as an attack vector is likely a sensible viewpoint.

    1. Adam 52 Silver badge

      "future"

      What makes you think this isn't happening now? TM has always said that she's just (!) trying to put the existing arrangements on a less shaky legal footing.

      1. Anonymous Coward

        What makes you think this isn't happening now?

        Yes, I've been attacked by a state (ab)using my DNS records - this particular phishing/virus attack zero-day etc contained data/meta-data about which sites I had been using that particular Sunday.

        I was using OpenDNS and I'm no longer doing so.

        It was a one-off technique of attack; it did feel like someone was looking over my shoulder whilst I used my computer. Many other attacks rely on a snapshot of my files & contacts from around 2007, when they presumably actually were last inside my home LAN; they tend to recycle attacks every few years & re-use contacts completely out of context. This DNS-led attack was silly. . .

        Warrant? I can't believe so.

        extensive illegal everything digital? - probably

        they stopped sending me zero-days when I simply uploaded everything to virustotal, I don't think I'm worth spending that much on . . .

    2. Anonymous Coward

      Future?

      I think Treasonous May is several steps ahead of you on that bit. Not for nothing is she trying to legalise what has been common practice for years.

      In her future you will be lying in a bath tub full of nutrient slime with a direct data feed plumbed into your skull.

    3. Vic

      an attacker, upset at the comment could correlate DNS access times and post times to retrieve the posters IP address

      No, I don't think so.

      When we first come to these fora, the browser loads forums.theregister.co.uk, which will result in the first DNS lookup. That returns the appropriate record - in this case, a CNAME to the address of the www server, and potentially a couple of A records.

      Each of these records has a "time to live" value associated with it - for these fora, all the records currently seem to be set at 300 seconds (which is a bit short, but there you go). That means that your computer won't even try to look up those records again if you do something within 5 minutes; a visit to the fora is indistinguishable from a post to same if you're quick, and from an upvote/downvote if you're not.

      On a sufficiently busy site, with a reasonable TTL, and reasons for interacting with the server (e.g. the voting buttons), correlating DNS lookups with posts is going to be incredibly error-prone. You might be able to find something over a *very* long period of analysis, but I wouldn't consider it reliable.

      Vic.
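A small model of the stub-resolver caching Vic describes, added here as an example rather than taken from the thread: every interaction with a host is answered from cache until the record's TTL expires, so a single upstream lookup covers a page load, votes and a post alike. The hostname and the event timeline are constructed; only the 300-second TTL comes from the comment.

```python
"""TTL-cache model for the correlation argument in the comment above.

Added example, not part of the thread. The hostname and the event
timeline are constructed; only the 300-second TTL comes from the comment.
"""


class StubCache:
    """Minimal stub-resolver cache: one upstream lookup per name per TTL window."""

    def __init__(self, ttl):
        self.ttl = ttl          # seconds a cached record stays valid
        self.expires = {}       # name -> absolute expiry time
        self.lookups = []       # (time, name) actually sent upstream

    def resolve(self, now, name):
        """Return True only if this request caused an upstream DNS lookup."""
        if self.expires.get(name, -1) > now:
            return False        # answered from cache; nothing leaves the host
        self.expires[name] = now + self.ttl
        self.lookups.append((now, name))
        return True


def actions_per_lookup(events, ttl=300):
    """Group (time, action, host) events under the lookup whose window covers them.

    Returns {lookup_time: [actions]}; a post is only one of several actions
    sharing a single lookup, which is why lookup times do not identify posts.
    """
    cache = StubCache(ttl)
    groups, current = {}, None
    for t, action, host in events:
        if cache.resolve(t, host):
            current = t
        groups.setdefault(current, []).append(action)
    return groups


# Constructed session: load, vote, post within one TTL window,
# then a return visit after the record has expired.
SESSION = [
    (0, "load", "forums.example.invalid"),
    (45, "vote", "forums.example.invalid"),
    (180, "post", "forums.example.invalid"),
    (290, "vote", "forums.example.invalid"),
    (600, "load", "forums.example.invalid"),
    (640, "post", "forums.example.invalid"),
]

if __name__ == "__main__":
    print(actions_per_lookup(SESSION))
```

Shortening the TTL in the call (for example `actions_per_lookup(SESSION, ttl=30)`) makes every event its own lookup, which is the situation Vic's "sufficiently long TTL" argument rules out.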

  3. John Smith 19 Gold badge

    "the IETF community decided that pervasive monitoring is an attack,"

    Because it is?

    Metadata and traffic analysis, and the building of contact webs from them, have been the data fetishists' secret weapon for a long time. Hence the NSA's reaction to the publication of "The Hut Six Story."

    If we want an internet that protects freedom and privacy we can no longer treat the intermediate nodes as friendly, nor accept that the paths of packets will not be tracked - not because any one person threatens the state, but simply because the state can.

    Which is also half the definition of psychopathic behavior in humans.

  4. Anonymous Coward

    We've been using DNSCrypt-proxy for a while now just for this purpose. It works really well.

    https://dnscrypt.org

  5. Anonymous Coward

    +1 for DNSCrypt

    +1 for DNSCrypt, but, it's only part of a solution.

    DNS will typically go to your ISP (unless you force it otherwise), so the ISP can see what you (want to) resolve. Use Chrome and the traffic might go to Google. TLS encrypting that won't solve anything, and 99% of home users will just go with what they get.

    Changing DNS provider might get around that, although your ISP may forcibly reroute your port 53 traffic, so they'll see it. TLS there (with cert pinning etc) would/could alert you to that.

    DNSCrypt does allow you to use alternate providers with cert fingerprinting, along with the ability to use alternate ports than 53 - thereby encrypting DNS traffic and likely avoiding port redirection. Run your own server, add your own DNS resolver on it (DNSMasq, anyone?), shove DNSCrypt on the server as an upstream DNS, add a bit of jiggery pokery with a compliant router for your own DNS hijacking, and any LAN traffic requesting DNS gets shunted down your newly created secure DNS pipe. That's not likely to happen for home users easily! (although AdvancedTomato does allow exactly this...)

    That said - once any resolution has happened, a machine still gets given an IP, which it presumably will then try to connect to. That would get logged. And reverse lookups can be performed. Those reverse lookups may be useless if the target machine doesn't have good A/CNAME records, or indeed if it's part of a virtual infrastructure hosting multiple logical servers - but a bit of host header inspection can also show up what is/was requested.

    It's the last paragraph (resolved IP/DNS name, sometimes with host header) that groups like OpenDNS, and (indeed several UK ISPs) now use to provide "web filtering".

    So, one good step, but several more need making :)

    1. Len

      Re: +1 for DNSCrypt

      DNSCrypt is a good start but doesn't help if you use Google's DNS servers or (depending on your ISP) those of your ISP.

      My home router is now set to use non-logging, strictly EU-based, DNS servers from the OpenNICProject. Unless a device or application is hardcoded to use its own DNS servers (Hello Chrome and Android!) all devices on my network now use an OpenNIC server because by default local devices use the local router as their DNS. The local router then forwards the request to my specified OpenNIC servers instead of my ISP's.

      For the servers closest to you (for optimum speed): http://wiki.opennicproject.org/ClosestT2Servers

      For a full list of servers with their particular details (logging, IPv6 or DNSCrypt support for instance): https://servers.opennicproject.org/

  6. Alister

    Bootnote: For those unfamiliar with DNS, the domain name system is the infrastructure that converts "www.theregister.co.uk" into the relevant IP address, so you don't need to memorise the 12-digit numbers to get to a website.

    Yeah, thanks for that.

    At least you didn't mention "Telephone Directory", as nobody knows what one of those is nowadays...

    1. Doctor Syntax Silver badge

      @Alister. Beat me to it by about a minute. I can only conclude the journo didn't know & had to look it up.

    2. Anonymous Coward

      It's not even technically correct. (The best sort of correctness)

      Since the dot-decimal notation isn't zero-padded, it could be anything from 4 to 12 digits. I'm sure the non-existent readers who weren't familiar with DNS could handle the concept of a 32-bit address.

      1. Alister

        @massivelySerial, I dunno why you gained a downvote for that, so have one of these in compensation

    3. Ole Juul

      Whose directory?

      At least you didn't mention "Telephone Directory", as nobody knows what one of those is nowadays...

      You're probably right. However, the telephone directory comparison is actually particularly accurate. Telephone companies make up their own directories and don't include listings from non-incumbents. This is currently the situation with DNS which typically only recognises ICANN listings - despite this being a somewhat political choice, rather than technical.

  7. Aodhhan

    DNS Attacks

    Amazing.

    For most individuals, you have no control over your DNS server. This is all controlled by your ISP, who likely has already established secure methods of encryption among forwarders as well as using firewall technology like Infoblox to ensure it is safe from malicious attacks.

    If you're a home user who has set up your own DNS server you have provided an excellent means for a malicious hacker to get into your network. It's unlikely you have it set up correctly and have the funds to use a technology to keep this port protected. DNS is a great way to move things back and forth from a victim machine, bypassing any SOHO firewall. Also your HIDS or antivirus won't detect a thing.

    What's funny is how people freak whenever they suspect the government might use metadata, but click "OK" to every business and freak who wants to track them whenever they use an app or service.

    Nor does anyone have a fit when this metadata is made available by all (including governments) when there is a breach.

    Governments don't have to own DNS servers to get your metadata... you've been giving it to them for a very long time, along with Google, Amazon, etc.
