← Back to context

Comment by 8organicbits

19 hours ago

No man-in-the-middle is needed, DNS queries are often collected into large datasets which can be analyzed by threat hunters or attackers. Check out passive DNS https://www.spamhaus.com/resource-center/what-is-passive-dns...

You'd need to check the privacy policy of your DNS provider to know if they share the data with anyone else. I've commonly seen source IP address consider as PII, but not the content of the query. Cloudflare's DNS, for example, shares queries with APNIC for research purposes. https://developers.cloudflare.com/1.1.1.1/privacy/public-dns... Other providers share much more broadly.

6 comments

8organicbits

Reply
embedding-shape  19 hours ago

> No man-in-the-middle is needed [...] Check out passive DNS

How does one execute this "passive DNS" without quite literally being on the receiving end, or at least sitting in-between the sending and receiving end? You're quite literally describing what I'm saying, which makes it less of a "leak" and more like "others might collect your data, even your ISP", which I'd say would be accurate than "your DNS leaks".

  • 8organicbits  18 hours ago

    There's a lot of online documentation about passive DNS. Here's one example

    > Passive DNS is a historical database of how domains have resolved to IP addresses over time, collected from recursive DNS servers around the world. It has been an industry-standard tool for more than a decade.

    > Spamhaus’ Passive DNS cluster handles more than 200 million DNS records per hour and stores hundreds of billions of records per month, providing you with access to a vast lake of threat intelligence data.

    https://www.spamhaus.com/resource-center/what-is-passive-dns...

    • embedding-shape  18 hours ago

      > collected from recursive DNS servers around the world

      Yes, of course, because those DNS servers are literally receiving the queries, eg "receiving the data".

      Again, there is nothing "leaking" here, that's like saying you leak what HTTP path you're requesting to a server, when you're sending a HTTP request to that server. Of course, that's how the protocol works!

      2 replies →