nanog mailing list archives
Re: Yet another Quadruple DNS?
From: Royce Williams <royce () techsolvency com>
Date: Fri, 30 Mar 2018 06:39:41 -0800
On Fri, Mar 30, 2018 at 5:30 AM, Christopher Morrow <morrowc.lists () gmail com> wrote:
On Thu, Mar 29, 2018 at 10:32 AM, Stephane Bortzmeyer <bortzmeyer () nic fr> wrote:
Public DNS resolvers still help against "ordinary" adversaries. (If your enemy is the NSA, you have other problems, anyway.)
If you're individually targeted by such an org, yes. If you want to raise the cost of slurping up everyone's traffic in bulk and then sifting/analytic-ing through it later, then some effort (encrypting/verifying everything feasible, using ciphers that support forward secrecy, MFA, etc.) is worthwhile. Bulk encryption is a reasonable response to bulk intercept. Raising the chances of *detecting* attempts at such interception is also warranted. I'm not aware of any browser extensions that incorporate the technique used by https://mitm.watch/ (or even if it's feasible at that layer), but that would be useful, too.
I think there's ample evidence that everyone's enemy is 'the nsa' (or other nation-state-actors) isn't there?
s/"nation-state"/"anyone who can intercept, alter, or inject traffic between you and your destination"/g.
Of course, that neither solves the problem of manipulative use of your traffic *by* your destination (*cough*Facebook/everyone*cough*) nor the problem of compromise of the endpoint. Increasing intercept resistance does nothing for the former (only voting, or voting with your dollar, can impact that) ... but it can help with the latter (by making it harder for someone to compromise your endpoint by manipulating/mimicking traffic from your destination).
(None of this is news to most of you, but IMO clarifying the breadth of the landscape has value).
And of course, none of this is news to Stephane: https://tools.ietf.org/html/rfc7816 :)
Royce