
Comment by Aeolun

7 years ago

Not quite as easy as when you just have to intercept traffic at one of the intermediate nodes though, it seems.

I think that makes the privacy argument a fairly valid thing.

You seem to misunderstand it. There are fewer points to intercept traffic at with 1.1.1.1 than without it. Much more feasible to spy on a massive scale, much less privacy, and the usefulness of the client subnet EDNS option completely disappears. In the 1.1.1.1 case it's literally irrelevant for privacy whether they do it or not. 1.1.1.1 already hurts privacy massively and not passing client subnet only hurts competing CDNs.

  • This is no longer a factual discussion. You mention two separate issues:

    1. Use of EDNS client subnet information harms user privacy, by providing information that would not otherwise be there.

    2. Many users on a single global DNS provider lowers the number of points that need to be attacked to obtain DNS information.

    However, you position your statement as if #2 somehow renders #1 moot, which is an entirely subjective evaluation from the perspective of a user, and also not at all relevant to the discussion of #1, as that on its own is not 1.1.1.1 specific.

    For an example of why this is very subjective, the user may believe that the security of ISP DNS servers is likely not trustable, and that infiltrating countless ISP DNS services would likely be much less work than infiltrating one of the larger providers, such as 1.1.1.1, with better security practices.

    The only things relevant to this discussion are whether or not it is sensible to respond with bogus data to a valid request that does not contain optional fields, and separately whether or not it is sensible for a DNS provider to not contain these fields.