DNS |
Sponsored by |
|
The recent news that Mozilla and Cloudflare are deploying their own DNS recursive resolver has once again raised hopes that users will enjoy improved privacy, since they can send DNS traffic encrypted to Cloudflare, rather than to their ISP. In this post, we explain why this approach only moves your private data from the ISP to (yet another) third party. You might trust that third party more than your ISP, but you still have to trust them. In this post, we present an alternative design -- Oblivious DNS -- that prevents you from having to make that choice at all. more
Two principles in computer security that help bound the impact of a security compromise are the principle of least privilege and the principle of minimum disclosure or need-to-know. As described by Jerome Saltzer in a July 1974 Communications of the ACM article, Protection and the Control of Information Sharing in Multics, the principle of least privilege states, "Every program and every privileged user should operate using the least amount of privilege necessary to complete the job." more
Around 350 attendees came from Russia in the east to Ireland in the west, as well as a few people from elsewhere around the globe, to attend Domain Pulse 2008 in Vienna on February 21 and 22. Day one's focus was internet governance. The future of the DNS was one of the key issues addressed by Michael Nelson of Georgetown University in Washington DC, with domain names becoming less important, but their numbers still increasing, as online access by a myriad of devices skyrockets connect -- everything from the television, refrigerator, washing machine, pets, sprinkler systems and cars. more
Traceroute is a network tool that helps determine the path packets take as they travel from one location to another, identifying all of the "hops" along the way. I wonder why they are called hops*? Almost all operating systems have traceroute utilities built in. The command is just that "traceroute", Windows systems abbreviate the command as "tracert" to deal with the 8.3 file naming convention of old... So, let's look at what information traceroute gives you. more
The London School of Economics review of the GNSO was recently released by ICANN. ...The review is refreshing. But first, a pause: Do you know what the GNSO is or what it does? Do ICANN's processes seem difficult to understand? I bet (unless you've been going to ICANN meetings) you don't know much about this. And the focus of the report on the impenetrability of ICANN's work is refreshing and very useful. more
The astonishing rise and rise of the fortunes of Google has been one of the major features of both social and business life of the early 21st century. In the same way that Microsoft transformed the computer market into a mainstream consumer product through its Windows and Office software products some 20 years ago, Google has had a similar transformative effect upon its environment. more
Just when you think ICANN has got it right, it shoots itself in the foot as only ICANN can. Unfortunately it seems this is yet another case of one step forward and two steps back. While we should be celebrating the fact that Internationalised Domain Names (IDN's) have finally been entered into the Root Zone, we are instead left shaking our heads at the seemingly nonexistent process lines nor communication lines between ICANN and its technical off-shoot IANA. more
In order to be able to reply to the question of whether a new set of governance mechanisms are necessary to regulate the new Global Top Level Domains (gTLDs), one should first consider how efficiently the current Uniform Domain-Name Dispute-Resolution Policy (UDRP) from the Internet Corporation for Assigned Names and Numbers (ICANN) has performed and then move to the evaluation of the Implementations Recommendations Team (ITR) recommendations. more
In preparation for some upcoming long-haul international flights, I was looking for some "light" ICANN reading material. One document that came to mind was ICANN's 2010 Annual Report. Over the last four years ICANN has produced a year end report. While this document was probably originally conceived as a means to demonstrate ICANN's progress... more
The APNIC Blog has recently published a very interesting article by Willem Toorop of NLnet Labs on the relationship between Security Extensions for the DNS (DNSSEC) and DNS over Transport Layer Security. Willem is probably being deliberately provocative in claiming that "DoT could realistically become a viable replacement for DNSSEC." If provoking a reaction was indeed Willem's intention, then he has succeeded for me, as it has prompted this reaction. more
A couple of weeks ago, NetworkWorld published an article indicating that the .com TLD was the riskiest TLD in terms of containing code that can steal passwords or take advantage of browser vulnerabilities to distribute malware... It is unclear to me what they mean by TLD's being risky. The number of domains, 31.3% of .com's being considered risky, what does this actually mean? Is it that 31% of .com's are actually serving up malware or something similar? If so, that seems like a lot because for many of us, nearly 1 in every 3 pages that most people visit would be insecure... more
March has seen the first of the DNS Operations, Analysis, and Research Center (OARC) workshops for the year, where two days of too much DNS is just not enough! These workshops are concentrated within two days of presentations and discussions that focus exclusively on the current state of the DNS. Here are my impressions of the meeting. more
DNS tunneling -- the ability to encode the data of other programs or protocols in DNS queries and responses -- has been a concern since the late 1990s. If you don't follow DNS closely, however, DNS tunneling likely isn't an issue you would be familiar with. Originally, DNS tunneling was designed simply to bypass the captive portals of Wi-Fi providers, but as with many things on the Web it can be used for nefarious purposes. For many organizations, tunneling isn't even a known suspect and therefore a significant security risk. more
Because DNS is such an omnipresent part of modern networking, it's easy to assume that functional DNS infrastructure can be left running with minimal adjustments and only needs to be investigated in the event of a malfunction. Yet there are small telltale signs that precede DNS issues -- and knowing what they are can help to prevent disruption before it happens. more
I've mentioned the topic of personal IE domains on here more than once in the past [also discussed here on CircleID] and in my conversations with the IE Domain Registry. Just to recap; Under the current rules you cannot register johndoe.ie if your name is John Doe. You would have to add a number to the name, thus rendering it totally useless eg. johndoe7.ie or something of that style... more
A World-Renowned Source for Internet Developments. Serving Since 2002.