From 8f3b8cf44307f59663cd21b56235cde874a398d6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 9 May 2024 11:35:08 +0200 Subject: [PATCH] chg: [privacy] simplified as at the end the risk is mainly to find out who did the query --- i-d/pdns-qof.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i-d/pdns-qof.xml b/i-d/pdns-qof.xml index ed9e80f..62dc23d 100644 --- a/i-d/pdns-qof.xml +++ b/i-d/pdns-qof.xml @@ -297,7 +297,7 @@ ws = *(
- Passive DNS Servers capture DNS answers from multiple collection points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records nor who actually sent the query [is the "person" querying the DNS records not the same as the "who" actually sent the query?]. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are. + Passive DNS Servers capture DNS answers from multiple collection points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are. Nevertheless, the authors strongly encourage Passive DNS implementors to take special care of privacy issues. 
bortzmeyer-dnsop-dns-privacy is an excellent starting point for this. Finally, the overall recommendations in RFC6973 should be taken into consideration when designing any application which uses Passive DNS data.
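Review bot: the `+` line resolves the bracketed editorial question by keeping only "the actual person querying the DNS records", which matches the commit message, but the sentence still says the servers "find out much about" that person while the commit message frames the risk as identification; consider "reducing the likelihood that a Passive DNS Server can identify who sent a given query". Two pre-existing nits on the same `+` line are worth fixing while it is being touched: "Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results" uses "since" twice (drop the second and write "because the recursor caches the results"), and "passive DNS Servers" in the phone-book sentence is capitalised inconsistently with "Passive DNS Servers" earlier in the paragraph.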