[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

* Robert Edmonds:

> The entire DNS root zone is only 1 MB compressed and is updated about
> once a day. It would be even better for privacy if the whole root zone
> were distributed via HTTPS, as the initiator would not reveal to the
> server any information about what TLD is being looked up.
>
> There are currently ~1500 TLDs in the root zone. Dividing 1 MB by the
> number of TLDs, this is ~700 bytes per TLD, which is roughly the amount
> of bandwidth required by a query/response pair of UDP DNS packets to
> obtain the delegation for a TLD.

Or you can turn on query minimization and NSEC-based NXDOMAIN
synthesis, at which point there is hardly any privacy leak left.

The challenge with the root zone is that anyone can become a de-facto
root server operator for their own part of the Internet (at least with
physical control over machines), by inviting some of the established
operators to host an anycast node on their network.  It's very
difficult to guarantee privacy in such a widely distributed system.
Reply to: