Comment by zzzcpan

7 years ago

So, what he claims is that state actors monitor traffic at certain locations and extract subnet information from DNS packets that only large centralized DNS resolvers include when querying some authoritative servers that were probed to support that feature. That subnet is not a subnet of an end user's IP address, but the IP address of a recursive resolver of that user's ISP. They have to correlate that information with a connection made from that ISP to a web server to track the user. What does 1.1.1.1 bring here? State actors can now correlate an actual IP address sending data to 1.1.1.1 with a clear text DNS query going out of it, making tracking more reliable and simpler, and worse for privacy. And still worse for other CDNs.

Don't take Cloudflare's PR seriously, they are completely full of it. They used to be more honest, but those days are long gone.
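For readers unfamiliar with the "subnet information" the comment above refers to (the EDNS Client Subnet option, RFC 7871), here is an added example, not written by anyone in this thread, that builds a DNS query carrying the option and parses it back out to show exactly which bytes of a client address a resolver forwards. The query name, client addresses and prefix lengths are constructed sample values.

```python
import struct
import ipaddress
OPT_TYPE = 41  # EDNS(0) OPT pseudo-RR type (RFC 6891)
ECS_CODE = 8   # EDNS Client Subnet option code (RFC 7871)

def build_ecs_option(client_ip, prefix_len):
    # Only prefix_len bits of the client address are sent: a /24 reveals
    # the network the client sits in, not the host itself.
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(prefix_len + 7) // 8]
    data = struct.pack("!HBB", family, prefix_len, 0) + addr  # scope = 0
    return struct.pack("!HH", ECS_CODE, len(data)) + data

def build_query(qname, client_ip, prefix_len):
    # Constructed A query: header, one question, one OPT RR carrying ECS.
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, IN
    rdata = build_ecs_option(client_ip, prefix_len)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def _skip_name(pkt, off):
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:  # compression pointer, two bytes total
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def extract_ecs(pkt):
    # Walk every section; return "prefix/len" of the first ECS option, else None.
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        i = 0
        while i + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            body, i = rdata[i + 4:i + 4 + olen], i + 4 + olen
            if code == ECS_CODE:
                family, src, _scope = struct.unpack("!HBB", body[:4])
                raw = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                return str(ipaddress.ip_network((raw, src), strict=False))
    return None
```

A query with no OPT RR, or whose resolver strips the option as 1.1.1.1 is documented to do, yields None here, which is the point of the privacy argument.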

1.1.1.1 supports DNS over HTTPS. It is entirely possible to make a request to 1.1.1.1 for an IP and have nobody be able to know what you made the request for.

There is no guarantee the name server they are querying is the same as the server in the A result, and the idea is to reduce the number of points where people other than the A result and the client know that they plan to talk to each other.

It's not bullshit.

  • > There is no guarantee the name server they are querying is the same as the server in the A result

    That's ok. Let me try to explain a bit more:

    Queries to 1.1.1.1 go over the public internet. And even though they are encrypted, they also carry metadata with them, including the IP addresses of who is doing them, precise time, rough size, various OS-specific stuff, etc. And packets going out to authoritative servers from 1.1.1.1 are in clear text. There is a very tiny window of possible queries out of 1.1.1.1 for encrypted data coming in from some IP address, and therefore only a tiny number of possible responses from authoritative servers. Given that and enough intercepted data all over the world, it is easy to correlate clear text DNS responses with IP addresses, or who got responses from cache and which popular website they ended up on, etc.

    • Not quite as easy as when you just have to intercept traffic at one of the intermediate nodes though, it seems.

      I think that makes the privacy argument a fairly valid thing.