Re: Securing DNS traffic

On Sunday, 24 May 2020, 20:02:45 CEST, Aaron B. wrote:
> I'm also worried about this, but also fear datamining by my ISP. So I
> completely ditched Google, and split my queries between Cloudflare and
> Quad9 - neither gets the complete picture.
This relies on a typical misunderstanding of what most of these data collecting 
services are after. "Getting to know what websites / servers some single user 
connects to" usually is not, because that would be very inefficient.

If you fear that your ISP "can do that" - DNS is the wrong vector to "block 
that", because he can much more easily use netflow, firewall / router "logging" 
and similar efficient ways to see (and collect / process) with which servers a 
single customer (not user) really got connected and (each time!) when 
(without the huge "caching blindness" of DNS) and how often / how intensively 
(even with SSL/TLS - except SNI / "virtual hosts", but this often can be 
uncovered by "traffic correlation" if really required).

I would trust my (paid) ISP's NS much more than any other "free" one by all 
I've seen in my life there - especially if your ISP grants you no usage 
logging by contract. And from what I know of Mozilla and Co., these are much 
less "selfless" too than their public image projects it...

If your ISP really cheats you - he could/would do this (as explained) without 
his DNS (except in some countries where local ISPs filter third party DNS 
altogether because of "regulation", which usually means censorship...).

 Niels Dettenbach
 Syndicat IT & Internet

