The DNS is usually a comparatively open protocol that smears its information (which is your information and mine also!) far and wide. Little wonder the DNS is used in many ways, not only as a name resolution protocol that is routine, but as a data channel for surveillance and as a standard means of executing various types of content access control. But all this is poised to shift. Now that we have been sensitized by the Snowden files to the degree of such actions, we’ve become intensely conscious that many of our tools are simply way way too chatty, too trusting, and subverted. First and foremost in this group of tools that are exposed is the Domain Name System.
Queries are a forerunner to virtually every Internet transaction. Getting a log of the DNS queries I make is maybe the equivalent when it comes to information content to getting the log of called numbers from an earlier generation of a phone. It is not only national security bodies that have this kind of interest. We see many systems that construct an all-inclusive profile of their demands and want, and target the individual user. The difference between a timely helpful proposition and an annoying ad is simply info about the user, and such profiles are assembled by many firms as part of their own commercial activities.
The DNS is very chatty. As an example, to work out a fresh name, like www.example.com, a DNS resolver would first request the root name servers for the IP address of www.example.com. The root name servers wouldn’t have the capacity to supply the response, but they’ll reply with the authoritative name servers for the .com domain name. Now the resolver can duplicate precisely the same query to a server that’s important for the example.com domain name and likely get a response which has the address of www.example.com. But let us think about such queries for a second. I don’t have any idea if these logs are public or private. I don’t have any idea how they get what inferences are drawn from this data, and assessed.
It is not impossible it’s not a little better than this, including a browser, as the program I’m using usually will not perform DNS name resolution itself. There’s the chance for the operating system platform to additionally log this query. A standalone DNS resolver typically doesn’t work, and frequently is configured by the local network supplier with DNS resolvers to use. So my service provider is, in addition, privy to all my DNS action. Its queries might be farmed out by my service provider to a forwarder that is recursive, so that it can prevent the overheads of running a DNS resolver that is complete. As such forwarded queries don’t have any of my identifying details usually such types of query indirection mean a loss of attribution.
The Rumors are True (http://www.xkcd.com/1361/)All of these DNS queries can symbolize lots of info even in these days of info strength. It can simply be bigger now.
Is the DNS a chatty protocol that sprays outside info about user behaviors, it does so in a way that is completely open. DNS queries and their answers are unencrypted, and are sitting on port 53 in TCP and UDP. DNS queries are easily intercepted, and, bogus responses can be added back if DNSSEC isn’t used and the client is none the wiser. In some states DNS substitution is apparently comparatively trivial. Other states obstructing in response to issues related to overloading IP addresses with virtual web hosting and have turned to DNS interception.
So introduce facets of solitude into the DNS and what’s happening to improve this situation.