Everyone's DNS requests logged in one easy place
From: anonuser@retrobbs.rocksolidbbs.com.remove-pnw-this (AnonUser)
Newsgroups: rocksolid.shared.security
Subject: Everyone's DNS requests logged in one easy place
Date: Tue, 14 Aug 2018 04:19:14 -0700
Organization: RetroBBS
Message-ID: <8ae239970d7503bad436f76427695b36$1@retrobbs.rocksolidbbs.com>

From https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https

Mozilla to send all your browser DNS requests to Cloudflare

---------------
At Mozilla, we feel strongly that we have a responsibility to protect our
users and their data. We’ve been working on fixing these vulnerabilities.

We are introducing two new features to fix this — Trusted Recursive
Resolver (TRR) and DNS over HTTPS (DoH). Because really, there are three
threats here:

- You could end up using an untrustworthy resolver that tracks your
  requests, or tampers with responses from DNS servers.
- On-path routers can track or tamper in the same way.
- DNS servers can track your DNS requests.

[image: the three threats: resolvers, on-path routers, and DNS servers]

So how do we fix these?

- Avoid untrustworthy resolvers by using Trusted Recursive Resolver.
- Protect against on-path eavesdropping and tampering using DNS over
  HTTPS.
- Transmit as little data as possible to protect users from
  deanonymization.

Avoid untrustworthy resolvers by using Trusted Recursive Resolver

Networks can get away with providing untrustworthy resolvers that steal
your data or spoof DNS because very few users know the risks or how to
protect themselves.

Even for users who do know the risks, it’s hard for an individual user
to negotiate with their ISP or other entity to ensure that their DNS data
is handled responsibly.

However, we’ve spent time studying these risks… and we have
negotiating power. We worked hard to find a company to work with us to
protect users’ DNS data. And we found one: Cloudflare.

Cloudflare is providing a recursive resolution service with a pro-user
privacy policy. They have committed to throwing away all personally
identifiable data after 24 hours, and to never pass that data along to
third-parties. And there will be regular audits to ensure that data is
being cleared as expected.

With this, we have a resolver that we can trust to protect users’
privacy. This means Firefox can ignore the resolver that the network
provides and just go straight to Cloudflare. With this trusted resolver in
place, we don’t have to worry about rogue resolvers selling our users’
data or tricking our users with spoofed DNS.

Why are we picking one resolver? Cloudflare is as excited as we are about
building a privacy-first DNS service. They worked with us to build a DoH
resolution service that would serve our users well in a transparent way.
They’ve been very open to adding user protections to the service, so
we’re happy to be able to collaborate with them.

But this doesn’t mean you have to use Cloudflare. Users can configure
Firefox to use whichever DoH-supporting recursive resolver they want. As
more offerings crop up, we plan to make it easy to discover and switch to
them.

Protect against on-path eavesdropping and tampering using DNS over HTTPS

The resolver isn’t the only threat, though. On-path routers can track
and spoof DNS because they can see the contents of the DNS requests and
responses. But the Internet already has technology for ensuring that
on-path routers can’t eavesdrop like this. It’s the encryption that I
talked about before.

By using HTTPS to exchange the DNS packets, we ensure that no one can spy
on the DNS requests that our users are making.

Transmit as little data as possible to protect users from deanonymization

In addition to providing a trusted resolver which communicates using the
DoH protocol, Cloudflare is working with us to make this even more secure.

Normally, a resolver would send the whole domain name to each server—to
the Root DNS, the TLD name server, the second-level name server, etc. But
Cloudflare will be doing something different. It will only send the part
that is relevant to the DNS server it’s talking to at the moment. This
is called QNAME minimization.

[image: resolver only asking the relevant question of each server]

The resolver will also often include the first 24 bits of your IP address
in the request. This helps the DNS server know where you are and pick a
CDN closer to you. But this information can be used by DNS servers to link
different requests together.

Instead of doing this, Cloudflare will make the request from one of their
own IP addresses near the user. This provides geolocation without tying it
to a particular user. In addition to this, we’re looking into how we can
enable even better, very fine-grained load balancing in a
privacy-sensitive way.

Doing this — removing the irrelevant parts of the domain name and
not including your IP address — means that DNS servers have much
less data that they can collect about you.

------------------

"But this doesn’t mean you have to use Cloudflare. Users can configure
Firefox to use whichever DoH-supporting recursive resolver they want"

Does this mean that you can only use DoH-supporting resolvers? Can you
configure it to use your own resolver?

Chrome has been redirecting DNS requests to their own servers for quite a
while (they perform a test on your resolver and if it fails, they use
their own).

Why should we think Cloudflare is safe? It does bring a nice database of
DNS requests all in one place to be searched through. Not sure that's an
increase in security.
--- Synchronet 3.17a-Linux NewsLink 1.108
Posted on RetroBBS
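The quoted article describes two data-minimisation measures, QNAME minimisation and dropping the /24 client-subnet hint. The following is an added example (not code from Mozilla, Cloudflare or the poster) that simulates iterative resolution over a constructed toy zone hierarchy and shows exactly what each authoritative server gets to see with and without those measures; the zone data and addresses are made up.

```python
import ipaddress

# Constructed toy hierarchy: each zone lists the child zones it delegates
# and the names it answers for directly. Not real DNS data.
ZONES = {
    ".":            {"delegates": {"com."},         "answers": {}},
    "com.":         {"delegates": {"example.com."}, "answers": {}},
    "example.com.": {"delegates": set(),
                     "answers": {"www.example.com.": "198.51.100.7"}},
}

def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']"""
    return [l for l in name.rstrip(".").split(".") if l]

def ancestors(name):
    """Zone cuts from the root down: ['.', 'com.', 'example.com.', 'www.example.com.']"""
    labs = labels(name)
    return ["."] + [".".join(labs[i:]) + "." for i in range(len(labs) - 1, -1, -1)]

def resolve(qname, minimize):
    """Walk the delegation chain from the root. Returns (answer, trace), where
    trace lists (zone asked, QNAME that server actually saw)."""
    qname = qname.lower() if qname.endswith(".") else qname.lower() + "."
    chain, trace, zone = ancestors(qname), [], "."
    while True:
        if minimize:
            # RFC 7816 style: reveal only one label beyond the zone being asked.
            idx = chain.index(zone)
            sent = chain[min(idx + 1, len(chain) - 1)]
        else:
            sent = qname  # classic behaviour: every server sees the full name
        trace.append((zone, sent))
        z = ZONES[zone]
        if qname in z["answers"]:
            return z["answers"][qname], trace
        child = next((c for c in z["delegates"] if c in chain), None)
        if child is None:
            return None, trace  # no delegation matches: NXDOMAIN in this toy model
        zone = child

def client_subnet_hint(client_ip, prefix=24):
    """The /24 hint the article mentions: what a resolver would forward if it
    attached the client's network instead of using its own nearby address."""
    return str(ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False))

if __name__ == "__main__":
    for mode in (False, True):
        print("minimize =", mode, resolve("www.example.com", mode)[1])
    print("subnet hint:", client_subnet_hint("203.0.113.77"))
```

Without minimisation the root and .com servers both see www.example.com; with it they see only com. and example.com. respectively, which is the reduction in collectable data the article is describing.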

Re: Everyone's DNS requests logged in one easy place

From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.security
Subject: Re: Everyone's DNS requests logged in one easy place
Date: Tue, 14 Aug 2018 19:07:14 +0000
Organization: def4
Message-ID: <8f6d44560319c147d5f7e9f6f707c060@def4.com>
In-Reply-To: <8ae239970d7503bad436f76427695b36$1@retrobbs.rocksolidbbs.com>

>Why should we think Cloudflare is safe?

Indeed. Aren't those the people pestering Tor users with JS captchas?

Posted on def4.i2p
