idnits 2.17.1
draft-ietf-dprive-problem-statement-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
** The abstract seems to contain references ([RFC6973]), which it
shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (January 7, 2015) is 3397 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 625
== Unused Reference: 'RFC2119' is defined on line 495, but no explicit
reference was found in the text
== Outdated reference: A later version (-02) exists of
draft-hallambaker-dnse-01
== Outdated reference: A later version (-02) exists of
draft-hoffman-dns-terminology-00
Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 DNS PRIVate Exchange (dprive) Working Group S. Bortzmeyer
3 Internet-Draft AFNIC
4 Intended status: Informational January 7, 2015
5 Expires: July 11, 2015
7 DNS privacy considerations
8 draft-ietf-dprive-problem-statement-01
10 Abstract
12 This document describes the privacy issues associated with the use of
13 the DNS by Internet users. It is intended to be mostly an analysis
14 of the present situation, in the spirit of section 8 of [RFC6973] and
15 it does not prescribe solutions.
17 Discussions of the document should take place on the DPRIVE working
18 group mailing list [dprive].
20 Status of This Memo
22 This Internet-Draft is submitted in full conformance with the
23 provisions of BCP 78 and BCP 79.
25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF). Note that other groups may also distribute
27 working documents as Internet-Drafts. The list of current Internet-
28 Drafts is at http://datatracker.ietf.org/drafts/current/.
30 Internet-Drafts are draft documents valid for a maximum of six months
31 and may be updated, replaced, or obsoleted by other documents at any
32 time. It is inappropriate to use Internet-Drafts as reference
33 material or to cite them other than as "work in progress."
35 This Internet-Draft will expire on July 11, 2015.
37 Copyright Notice
39 Copyright (c) 2015 IETF Trust and the persons identified as the
40 document authors. All rights reserved.
42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info) in effect on the date of
45 publication of this document. Please review these documents
46 carefully, as they describe your rights and restrictions with respect
47 to this document. Code Components extracted from this document must
48 include Simplified BSD License text as described in Section 4.e of
49 the Trust Legal Provisions and are provided without warranty as
50 described in the Simplified BSD License.
52 Table of Contents
54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
55 2. Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
56 2.1. The alleged public nature of DNS data . . . . . . . . . . 4
57 2.2. Data in the DNS request . . . . . . . . . . . . . . . . . 5
58 2.3. Cache snooping . . . . . . . . . . . . . . . . . . . . . 6
59 2.4. On the wire . . . . . . . . . . . . . . . . . . . . . . . 6
60 2.5. In the servers . . . . . . . . . . . . . . . . . . . . . 7
61 2.5.1. In the recursive resolvers . . . . . . . . . . . . . 8
62 2.5.2. In the authoritative name servers . . . . . . . . . . 8
63 2.5.3. Rogue servers . . . . . . . . . . . . . . . . . . . . 9
64 3. Actual "attacks" . . . . . . . . . . . . . . . . . . . . . . 10
65 4. Legalities . . . . . . . . . . . . . . . . . . . . . . . . . 10
66 5. Security considerations . . . . . . . . . . . . . . . . . . . 10
67 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10
68 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
69 7.1. Normative References . . . . . . . . . . . . . . . . . . 11
70 7.2. Informative References . . . . . . . . . . . . . . . . . 11
71 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 14
72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14
74 1. Introduction
76 The Domain Name System is specified in [RFC1034] and [RFC1035]. It
77 is one of the most important infrastructure components of the
78 Internet and one of the most often ignored or misunderstood. Almost
79 every activity on the Internet starts with a DNS query (and often
80 several). Its use has many privacy implications and we try to give
81 here a comprehensive and accurate list.
83 Let us begin with a simplified reminder of how the DNS works.
84 (REMOVE BEFORE PUBLICATION: We hope that the document
85 [I-D.hoffman-dns-terminology] will be published as a RFC so most of
86 this section could be replaced by a reference to it.) A client, the
87 stub resolver, issues a DNS query to a server, the recursive resolver
88 (also called caching resolver or full resolver or simply resolver
89 recursive name server). Let's use the query "What are the AAAA
90 records for www.example.com?" as an example. AAAA is the qtype
91 (Query type), and www.example.com is the qname (Query Name). The
92 recursive resolver will first query the root nameservers. In most
93 cases, the root nameservers will send a referral. In this example,
94 the referral will be to .com nameservers. The resolver repeats the
95 query to one of the .com nameservers. The .com nameserver, in turn,
96 will refer to the example.com nameservers. The example.com
97 nameserver will then return the answer. The root name servers, the
98 name servers of .com and those of example.com are called
99 authoritative name servers. It is important, when analyzing the
100 privacy issues, to remember that the question asked to all these name
101 servers is always the original question, not a derived question.
102 Unlike what many "DNS for dummies" articles say, the question sent to
103 the root name servers is "What are the AAAA records for
104 www.example.com?", not "What are the name servers of .com?". By
105 repeating the full question, instead of just the relevant part of the
106 question to the next in line, the DNS provides more information than
107 necessary to the nameserver.
109 Because the DNS uses caching heavily, not all questions are sent to
110 the authoritative name servers. If the stub resolver, a few seconds
111 later, asks to the recursive resolver "What are the SRV records of
112 _xmpp-server._tcp.example.com?", the recursive resolver will remember
113 that it knows the name servers of example.com and will just query
114 them, bypassing the root and .com. Because there is typically no
115 caching in the stub resolver, the recursive resolver, unlike the
116 authoritative servers, sees everything.
118 It should be noted that DNS recursive resolvers sometimes forward
119 requests to bigger machines, with a larger and more shared cache, the
120 forwarders (and the query hierarchy can be even deeper, with more
121 than two levels of recursive resolvers). From the point of view of
122 privacy, forwarders are like resolvers, except that the caching in
123 the recursive resolvers before them decreases the amount of data they
124 can see.
126 All this DNS traffic is today sent in clear (unencryted), except a
127 few cases when the IP traffic is protected, for instance in an IPsec
128 VPN.
130 Today, almost all DNS queries are sent over UDP. This has practical
131 consequences, when considering a possible privacy technique,
132 encryption of the traffic: some encryption solutions are only
133 designed for TCP, not UDP.
135 Another important point to keep in mind when analyzing the privacy
136 issues of DNS is the mix of many sort of DNS requests received by a
137 server. Let's assume the eavesdropper wants to know which Web page
138 is viewed by an user. For a typical Web page displayed by the user,
139 there are three sorts of DNS requests being issued:
141 Primary request: this is the domain name in the URL that the user
142 typed or selected from a bookmark or choose by clicking on an
143 hyperlink. Presumably, this is what is of interest for the
144 eavesdropper.
146 Secondary requests: these are the additional requests performed by
147 the user agent (here, the Web browser) without any direct
148 involvement or knowledge of the user. For the Web, they are
149 triggered by embedded content, CSS sheets, JavaScript code,
150 embedded images, etc. In some cases, there can be dozens of
151 domain names in different contexts on a single Web page.
153 Tertiary requests: these are the additional requests performed by
154 the DNS system itself. For instance, if the answer to a query is
155 a referral to a set of name servers, and the glue is not returned,
156 the resolver will have to do tertiary requests to turn name
157 servers' names into IP addresses. Similarly, even if glue records
158 are returned, a careful recursive server will do tertiary requests
159 to verify the IP addresses of those records.
161 It can be noted also that, in the case of a typical Web browser, more
162 DNS requests are sent, for instance to prefetch resources that the
163 user may query later, or when autocompleting the URL in the address
164 bar (which obviously is a big privacy concern).
166 For privacy-related terms, we will use here the terminology of
167 [RFC6973].
169 2. Risks
171 This document focuses mostly on the study of privacy risks for the
172 end-user (the one performing DNS requests). We consider the risks of
173 pervasive surveillance ([RFC7258]) and also risks coming from a more
174 focused surveillance. Privacy risks for the holder of a zone (the
175 risk that someone gets the data) are discussed in [RFC5936]. Non-
176 privacy risks (such as cache poisoning) are out of scope.
178 2.1. The alleged public nature of DNS data
180 It has long been claimed that "the data in the DNS is public". While
181 this sentence makes sense for an Internet-wide lookup system, there
182 are multiple facets to the data and metadata involved that deserve a
183 more detailed look. First, access control lists and private
184 namespaces nonwithstanding, the DNS operates under the assumption
185 that public facing authoritative name servers will respond to "usual"
186 DNS queries for any zone they are authoritative for without further
187 authentication or authorization of the client (resolver). Due to the
188 lack of search capabilities, only a given qname will reveal the
189 resource records associated with that name (or that name's non-
190 existence). In other words: one needs to know what to ask for, in
191 order to receive a response. The zone transfer qtype [RFC5936] is
192 often blocked or restricted to authenticated/authorized access to
193 enforce this difference (and maybe for other, more dubious reasons).
195 Another differentiation to be considered is between the DNS data
196 itself and a particular transaction (i.e., a DNS name lookup). DNS
197 data and the results of a DNS query are public, within the boundaries
198 described above, and may not have any confidentiality requirements.
199 However, the same is not true of a single transaction or sequence of
200 transactions; that transaction is not/should not be public. A
201 typical example from outside the DNS world is: the Web site of
202 Alcoholics Anonymous is public; the fact that you visit it should not
203 be.
205 2.2. Data in the DNS request
207 The DNS request includes many fields but two of them seem
208 particularly relevant for the privacy issues, the qname and the
209 source IP address. "source IP address" is used in a loose sense of
210 "source IP address + maybe source port", because the port is also in
211 the request and can be used to sort out several users sharing an IP
212 address (behind a CGN for instance).
214 The qname is the full name sent by the user. It gives information
215 about what the user does ("What are the MX records of example.net?"
216 means he probably wants to send email to someone at example.net,
217 which may be a domain used by only a few persons and therefore very
218 revealing about communication relationships). Some qnames are more
219 sensitive than others. For instance, querying the A record of
220 google-analytics.com reveals very little (everybody visits Web sites
221 which use Google Analytics) but querying the A record of
222 www.verybad.example where verybad.example is the domain of an illegal
223 or very offensive organization may create more problems for the user.
224 Also, sometimes, the qname embeds the software one uses, which could
225 be a privacy issue. For instance, _ldap._tcp.Default-First-Site-
226 Name._sites.gc._msdcs.example.org. There are also some BitTorrent
227 clients that query a SRV record for _bittorrent-
228 tracker._tcp.domain.example.
230 Another important thing about the privacy of the qname is the future
231 usages. Today, the lack of privacy is an obstacle to putting
232 potentially sensitive or personally identifiable data in the DNS. At
233 the moment your DNS traffic might reveal that you are doing email but
234 not with whom. If your MUA starts looking up PGP keys in the DNS
235 [I-D.wouters-dane-openpgp] then privacy becomes a lot more important.
236 And email is just an example; there would be other really interesting
237 uses for a more privacy-friendly DNS.
239 For the communication between the stub resolver and the recursive
240 resolver, the source IP address is the address of the user's machine.
241 Therefore, all the issues and warnings about collection of IP
242 addresses apply here. For the communication between the recursive
243 resolver and the authoritative name servers, the source IP address
244 has a different meaning; it does not have the same status as the
245 source address in a HTTP connection. It is now the IP address of the
246 recursive resolver which, in a way "hides" the real user. However,
247 hiding does not always work. Sometimes
248 [I-D.vandergaast-edns-client-subnet] is used (see its privacy
249 analysis in [denis-edns-client-subnet]). Sometimes the end user has
250 a personal recursive resolver on her machine. In both cases, the IP
251 address is as sensitive as it is for HTTP.
253 A note about IP addresses: there is currently no IETF document which
254 describes in detail the privacy issues of IP addressing. In the
255 meantime, the discussion here is intended to include both IPv4 and
256 IPv6 source addresses. For a number of reasons their assignment and
257 utilization characteristics are different, which may have
258 implications for details of information leakage associated with the
259 collection of source addresses. (For example, a specific IPv6 source
260 address seen on the public Internet is less likely than an IPv4
261 address to originate behind a CGN or other NAT.) However, for both
262 IPv4 and IPv6 addresses, it's important to note that source addresses
263 are propagated with queries and comprise metadata about the host,
264 user, or application that originated them.
266 2.3. Cache snooping
268 The content of recursive resolvers' caches can reveal data about the
269 clients using it (the privacy risks depend on the number of clients).
270 This information can sometimes be examined by sending DNS queries
271 with RD=0 to inspect cache content, particularly looking at the DNS
272 TTLs. Since this also is a reconnaissance technique for subsequent
273 cache poisoning attacks, some counter measures have already been
274 developed and deployed.
276 2.4. On the wire
278 DNS traffic can be seen by an eavesdropper like any other traffic.
279 It is typically not encrypted. (DNSSEC, specified in [RFC4033]
280 explicitly excludes confidentiality from its goals.) So, if an
281 initiator starts a HTTPS communication with a recipient, while the
282 HTTP traffic will be encrypted, the DNS exchange prior to it will not
283 be. When other protocols will become more and more privacy-aware and
284 secured against surveillance, the DNS risks to become "the weakest
285 link" in privacy.
287 An important specificity of the DNS traffic is that it may take a
288 different path than the communication between the initiator and the
289 recipient. For instance, an eavesdropper may be unable to tap the
290 wire between the initiator and the recipient but may have access to
291 the wire going to the recursive resolver, or to the authoritative
292 name servers.
294 The best place to tap, from an eavesdropper's point of view, is
295 clearly between the stub resolvers and the recursive resolvers,
296 because traffic is not limited by DNS caching.
298 The attack surface between the stub resolver and the rest of the
299 world can vary widely depending upon how the end user's computer is
300 configured. By order of increasing attack surface:
302 The recursive resolver can be on the end user's computer. In
303 (currently) a small number of cases, individuals may choose to
304 operate their own DNS resolver on their local machine. In this case
305 the attack surface for the connection between the stub resolver and
306 the caching resolver is limited to that single machine.
308 The recursive resolver may be at the local network edge. For many/
309 most enterprise networks and for some residential users the caching
310 resolver may exist on a server at the edge of the local network. In
311 this case the attack surface is the local network. Note that in
312 large enterprise networks the DNS resolver may not be located at the
313 edge of the local network but rather at the edge of the overall
314 enterprise network. In this case the enterprise network could be
315 thought of as similar to the IAP network referenced below.
317 The recursive resolver can be in the IAP (Internet Access Provider)
318 premises. For most residential users and potentially other networks
319 the typical case is for the end user's computer to be configured
320 (typically automatically through DHCP) with the addresses of the DNS
321 recursive resolvers at the IAP. The attack surface for on-the-wire
322 attacks is therefore from the end user system across the local
323 network and across the IAP network to the IAP's recursive resolvers.
325 The recursive resolver can be a public DNS service. Some machines
326 may be configured to use public DNS resolvers such as those operated
327 by Google Public DNS or OpenDNS. The end user may have configured
328 their machine to use these DNS recursive resolvers themselves - or
329 their IAP may have chosen to use the public DNS resolvers rather than
330 operating their own resolvers. In this case the attack surface is
331 the entire public Internet between the end user's connection and the
332 public DNS service.
334 2.5. In the servers
336 Using the terminology of [RFC6973], the DNS servers (recursive
337 resolvers and authoritative servers) are enablers: they facilitate
338 communication between an initiator and a recipient without being
339 directly in the communications path. As a result, they are often
340 forgotten in risk analysis. But, to quote again [RFC6973], "Although
341 [...] enablers may not generally be considered as attackers, they may
342 all pose privacy threats (depending on the context) because they are
343 able to observe, collect, process, and transfer privacy-relevant
344 data." In [RFC6973] parlance, enablers become observers when they
345 start collecting data.
347 Many programs exist to collect and analyze DNS data at the servers.
348 From the "query log" of some programs like BIND, to tcpdump and more
349 sophisticated programs like PacketQ [packetq] and DNSmezzo
350 [dnsmezzo]. The organization managing the DNS server can use these
351 data itself or it can be part of a surveillance program like PRISM
352 [prism] and pass data to an outside observer.
354 Sometimes, these data are kept for a long time and/or distributed to
355 third parties, for research purposes [ditl], for security analysis,
356 or for surveillance tasks. Also, there are observation points in the
357 network which gather DNS data and then make it accessible to third-
358 parties for research or security purposes ("passive DNS
359 [passive-dns]").
361 2.5.1. In the recursive resolvers
363 Recursive Resolvers see all the traffic since there is typically no
364 caching before them. To summarize: your recursive resolver knows a
365 lot about you. The resolver of a large IAP, or a large public
366 resolver can collect data from many users. You may get an idea of
367 the data collected by reading the privacy policy of a big public
368 resolver [1].
370 2.5.2. In the authoritative name servers
372 Unlike what happens for recursive resolvers, observation capabilities
373 of authoritative name servers are limited by caching; they see only
374 the requests for which the answer was not in the cache. For
375 aggregated statistics ("What is the percentage of LOC queries?"),
376 this is sufficient; but it prevents an observer from seeing
377 everything. Still, the authoritative name servers see a part of the
378 traffic, and this subset may be sufficient to violate some privacy
379 expectations.
381 Also, the end user has typically some legal/contractual link with the
382 recursive resolver (he has chosen the IAP, or he has chosen to use a
383 given public resolver), while having no control and perhaps no
384 awareness of the role of the authoritative name servers and their
385 observation abilities.
387 It is an interesting question whether the privacy issues are bigger
388 in the root or in a large TLD. The root sees the traffic for all the
389 TLDs (and the huge amount of traffic for non-existing TLDs), but a
390 large TLDs has less caching before it.
392 As noted before, using a local resolver or a resolver close to the
393 machine decreases the attack surface for an on-the-wire eavesdropper.
394 But it may decrease privacy against an observer located on an
395 authoritative name server. This authoritative name server will see
396 the IP address of the end client, instead of the address of a big
397 recursive resolver shared by many users.
399 This "protection", when using a large resolver with many clients, is
400 no longer present if [I-D.vandergaast-edns-client-subnet] is used
401 because, in this case, the authoritative name server sees the
402 original IP address (or prefix, depending on the setup).
404 As of today, all the instances of one root name server, L-root,
405 receive together around 20,000 queries per second. While most of it
406 is junk (errors on the TLD name), it gives an idea of the amount of
407 big data which pours into name servers.
409 Many domains, including TLDs, are partially hosted by third-party
410 servers, sometimes in a different country. The contracts between the
411 domain manager and these servers may or may not take privacy into
412 account. Whatever the contract, the third-party hoster may be honest
413 or not but, in any case, it will have to follow its local laws. It
414 may be surprising for an end-user that requests to a given ccTLD may
415 go to servers managed by organisations outside of the country.
417 Also, it seems (TODO: actual numbers requested) that there is a
418 strong concentration of authoritative name servers among "popular"
419 domains (such as the Alexa Top N list). With the control (or the
420 ability to sniff the traffic) of a few name servers, you can gather a
421 lot of information.
423 2.5.3. Rogue servers
425 A rogue DHCP server, or a trusted DHCP server that has had its
426 configuration altered by malicious parties, can direct you to a rogue
427 recursive resolver. Most of the times, it seems to be done to divert
428 traffic, by providing lies for some domain names. But it could be
429 used just to capture the traffic and gather information about you.
430 Same thing for malware like DNSchanger[dnschanger] which changes the
431 recursive resolver in the machine's configuration, or with
432 transparent DNS proxies in the network that will divert the traffic
433 intended for a legitimate DNS server (for instance
434 [turkey-googledns]).
436 3. Actual "attacks"
438 A very quick examination of DNS traffic may lead to the false
439 conclusion that extracting the needle from the haystack is difficult.
440 "Interesting" primary DNS requests are mixed with useless (for the
441 eavesdropper) second and tertiary requests (see the terminology in
442 Section 1). But, in this time of "big data" processing, powerful
443 techniques now exist to get from the raw data to what you're actually
444 interested in.
446 Many research papers about malware detection use DNS traffic to
447 detect "abnormal" behaviour that can be traced back to the activity
448 of malware on infected machines. Yes, this research was done for the
449 good but, technically, it is a privacy attack and it demonstrates the
450 power of the observation of DNS traffic. See [dns-footprint],
451 [dagon-malware] and [darkreading-dns].
453 Passive DNS systems [passive-dns] allow reconstruction of the data of
454 sometimes an entire zone. It is used for many reasons, some good,
455 some bad. It is an example of a privacy issue even when no source IP
456 address is kept.
458 4. Legalities
460 To our knowledge, there are no specific privacy laws for DNS data.
461 Interpreting general privacy laws like [data-protection-directive]
462 (European Union) in the context of DNS traffic data is not an easy
463 task and it seems there is no court precedent here.
465 5. Security considerations
467 This document is entirely about security, more precisely privacy. It
468 just lays down the problem, it does not try to set requirments (with
469 the choices and compromises they imply), much less to define
470 solutions. A document on requirments for DNS privacy is
471 [I-D.hallambaker-dnse]. Possible solutions to the issues described
472 here are discussed in other documents (currently too many to be
473 listed here).
475 6. Acknowledgments
477 Thanks to Nathalie Boulvard and to the CENTR members for the original
478 work which leaded to this document. Thanks to Ondrej Sury for the
479 interesting discussions. Thanks to Mohsen Souissi and John Heidemann
480 for proofreading, to Paul Hoffman, Marcos Sanz and Warren Kumari for
481 proofreading, technical remarks, and many readability improvements.
482 Thanks to Dan York, Suzanne Woolf, Tony Finch, Peter Koch and Frank
483 Denis for good written contributions.
485 7. References
487 7.1. Normative References
489 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
490 STD 13, RFC 1034, November 1987.
492 [RFC1035] Mockapetris, P., "Domain names - implementation and
493 specification", STD 13, RFC 1035, November 1987.
495 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
496 Requirement Levels", BCP 14, RFC 2119, March 1997.
498 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
499 Morris, J., Hansen, M., and R. Smith, "Privacy
500 Considerations for Internet Protocols", RFC 6973, July
501 2013.
503 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
504 Attack", BCP 188, RFC 7258, May 2014.
506 7.2. Informative References
508 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
509 Rose, "DNS Security Introduction and Requirements", RFC
510 4033, March 2005.
512 [RFC5936] Lewis, E. and A. Hoenes, "DNS Zone Transfer Protocol
513 (AXFR)", RFC 5936, June 2010.
515 [I-D.vandergaast-edns-client-subnet]
516 Contavalli, C., Gaast, W., Leach, S., and E. Lewis,
517 "Client Subnet in DNS Requests", draft-vandergaast-edns-
518 client-subnet-02 (work in progress), July 2013.
520 [I-D.hallambaker-dnse]
521 Hallam-Baker, P., "DNS Privacy and Censorship: Use Cases
522 and Requirements.", draft-hallambaker-dnse-01 (work in
523 progress), May 2014.
525 [I-D.wouters-dane-openpgp]
526 Wouters, P., "Using DANE to Associate OpenPGP public keys
527 with email addresses", draft-wouters-dane-openpgp-02 (work
528 in progress), February 2014.
530 [I-D.hoffman-dns-terminology]
531 Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
532 Terminology", draft-hoffman-dns-terminology-00 (work in
533 progress), November 2014.
535 [dprive] IETF, DPRIVE., "The DPRIVE working group", March 2014,
536 .
538 [denis-edns-client-subnet]
539 Denis, F., "Security and privacy issues of edns-client-
540 subnet", August 2013, .
543 [dagon-malware]
544 Dagon, D., "Corrupted DNS Resolution Paths: The Rise of a
545 Malicious Resolution Authority", 2007, .
549 [dns-footprint]
550 Stoner, E., "DNS footprint of malware", October 2010,
551 .
554 [darkreading-dns]
555 Lemos, R., "Got Malware? Three Signs Revealed In DNS
556 Traffic", May 2013,
557 .
560 [dnschanger]
561 Wikipedia, , "DNSchanger", November 2011,
562 .
564 [packetq] Dot SE, , "PacketQ, a simple tool to make SQL-queries
565 against PCAP-files", 2011,
566 .
568 [dnsmezzo]
569 Bortzmeyer, S., "DNSmezzo", 2009,
570 .
572 [prism] NSA, , "PRISM", 2007, .
575 [ditl] CAIDA, , "A Day in the Life of the Internet (DITL)", 2002,
576 .
578 [turkey-googledns]
579 Bortzmeyer, S., "Hijacking of public DNS servers in
580 Turkey, through routing", 2014,
581 .
584 [data-protection-directive]
585 Europe, , "European directive 95/46/EC on the protection
586 of individuals with regard to the processing of personal
587 data and on the free movement of such data", November
588 1995, .
591 [passive-dns]
592 Weimer, F., "Passive DNS Replication", April 2005,
593 .
595 [tor-leak]
596 Tor, , "DNS leaks in Tor", 2013,
597 .
601 [yanbin-tsudik]
602 Yanbin, L. and G. Tsudik, "Towards Plugging Privacy Leaks
603 in the Domain Name System", 2009,
604 .
606 [castillo-garcia]
607 Castillo-Perez, S. and J. Garcia-Alfaro, "Anonymous
608 Resolution of DNS Queries", 2008,
609 .
611 [fangming-hori-sakurai]
612 Fangming, , Hori, Y., and K. Sakurai, "Analysis of Privacy
613 Disclosure in DNS Query", 2007,
614 .
616 [federrath-fuchs-herrmann-piosecny]
617 Federrath, H., Fuchs, K., Herrmann, D., and C. Piosecny,
618 "Privacy-Preserving DNS: Analysis of Broadcast, Range
619 Queries and Mix-Based Protection Methods", 2011,
620 .
623 7.3. URIs
625 [1] https://developers.google.com/speed/public-dns/privacy
627 Author's Address
629 Stephane Bortzmeyer
630 AFNIC
631 1, rue Stephenson
632 Montigny-le-Bretonneux 78180
633 France
635 Phone: +33 1 39 30 83 46
636 Email: bortzmeyer+ietf@nic.fr
637 URI: http://www.afnic.fr/