EDNS(0) Privacy Revisions May Be Ahead

Apr. 6, 2017  |  By Yacin Nadji

A working group of the Internet Engineering Task Force (IETF) recently proposed embedding a client identifier in DNS requests to enable custom, behind-the-NAT filters (think parental controls down to the device- or user-level). This is not a new idea, and is already being done to some degree by companies -- such as PowerDNS, OpenDNS, and Akamai -- by either using unique identifiers or MAC addresses stuffed into DNS requests. While intentions are benign, there may be unaddressed privacy issues. Admittedly, these data are not readily available, but could be monetized and made more prevalent. Furthermore, similar research data has been used for non-research purposes in the past, raising concerns that the data may be used irresponsibly in the future.

IISP Analyst Yacin Nadji: “I cannot stress enough that collecting DNS has a clear security benefit, but this must be balanced with responsible collection and use of the data, as well as restraint when pushing new standards. Luckily, the IETF draft process allows industry and academic experts to weigh in on new extensions precisely to prevent these problems from arising.

It's hard to make concrete recommendations without additional research, but there are some obvious moves one can make. Using a MAC address seems unnecessary when a unique identifier can simply be generated that does not directly represent a physical device. Researchers collecting data should consider hashing MAC addresses if they are used and examine other schemes for privacy leakage. If the data are being sold for other reasons, this identifying information should be stripped out.”
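The two handling steps recommended above (hash the identifier for research data, strip it from data that leaves the collector), applied to the option list of an EDNS(0) OPT record, as an added example that is not from the original article. Assumptions: the identifier travels in option code 65001 from the RFC 6891 local/experimental range, the hash is a keyed HMAC-SHA256 truncated to 16 bytes rather than a bare hash, and the sample MAC and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumption: the client identifier travels in an option code from the
# RFC 6891 local/experimental range (65001-65534); the page names no code.
CLIENT_ID_OPTION = 65001


def parse_options(rdata):
    """Split OPT RDATA into (code, data) pairs; reject truncated input."""
    options, offset = [], 0
    while offset < len(rdata):
        if len(rdata) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if len(rdata) - offset < length:
            raise ValueError("option data runs past end of RDATA")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    return options


def build_options(options):
    """Serialize (code, data) pairs back into OPT RDATA."""
    return b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)


def pseudonymize(rdata, key):
    """Replace the client identifier with a keyed hash (for research data).

    A bare hash of a 48-bit MAC can be recomputed by enumeration, so the
    hash is keyed with a secret that stays with the collector.
    """
    out = []
    for code, data in parse_options(rdata):
        if code == CLIENT_ID_OPTION:
            data = hmac.new(key, data, hashlib.sha256).digest()[:16]
        out.append((code, data))
    return build_options(out)


def strip_identifier(rdata):
    """Drop the client identifier entirely (for data leaving the collector)."""
    return build_options(
        [(c, d) for c, d in parse_options(rdata) if c != CLIENT_ID_OPTION])


# Constructed sample: a locally administered MAC plus an unrelated option
# (code 10, COOKIE in the IANA registry) with an 8-byte constructed value.
SAMPLE_MAC = bytes.fromhex("02005e102030")
SAMPLE_RDATA = build_options([(CLIENT_ID_OPTION, SAMPLE_MAC),
                              (10, bytes(range(8)))])
```

The same key yields the same pseudonym for a device, so per-device analysis still works on the research copy; rotating or destroying the key breaks that linkage.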

 
