[kwlug-disc] CCC talk about DNS(ystem)
Mikalai Birukou
mb at 3nsoft.com
Wed Apr 8 20:49:17 EDT 2020
> CIRA does not have the technical resources of CloudFlare for dealing
> with DOS attacks. The privacy guarantees that they offer, such as they
> are, are based on not having to trust global internet giants like
> Google and CloudFlare. You just need to trust CIRA, which is a small
> Canadian nonprofit. It is clear that they are running their own DNS
> servers in Ottawa, and the service is intended for Canadians. They
> maintain IP addresses in a log for 24 hours so that they can analyze
> traffic and deal with abuse. Since it is a Canada only service, I
> assume that if they detect a DOS attack they would have no problem
> with blacklisting blocks of non-Canadian IP addresses.
>
> In this context, offering the service over TOR makes no sense. How
> would they protect themselves from DOS without knowing the origin IP
> address?
- If too much traffic comes from tor proxy server, just throttle that
channel.
- One doesn't get points for not even trying to put up a simple tor
proxy, as it is simple to do. Put it up first, then complain *if* floods
come from onion network.
- Let's also note that it is usual DNS over UDP that has an
amplification attack that is worrisome. DNS over HTTP doesn't have such
effect.
- This February, at UofW's privacy event Ian's group showed that they
are working on a little tweak to onion's protocol that may help to note
and handle DoS accordingly.
> If you trust CloudFlare more than CIRA, then obviously use CloudFlare.
Actually, I'd love to have two DoH services. And I would probably put
CIRA's first :) .
> By the way, what do you use for trusted DNS in your home setup?
Absolutely nothing. May be, as a result, I am getting from time to time
redirects on http pages to something "you'll win this with Teksavvy". Is
it related, or is it infection of http servers/traffic?
> How do you get trusted and private DNS service if you trust nobody
> outside of your immediate social group?
Plurality of sources is a good thing. CIRA has one view on name records,
CloudFlair has another view, ... . Compare answers, cause you don't know
which of the systems can be hacked at any given time, right? Hacked as
in hackers, hacked as in five eyes, hacked as in protestors being
labeled "domestic t...ists".
I truely believe that CIRA guys want to do the best. And the best
prescription is not to have data at all on servers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20200408/e13d6f3c/attachment.htm>
More information about the kwlug-disc
mailing list