upvote

points

by 8organicbits8 hours ago |
comments
upvoteby embedding-shape8 hours ago|
[-]
> No man-in-the-middle is needed [...] Check out passive DNS

How does one execute this "passive DNS" without quite literally being on the receiving end, or at least sitting in-between the sending and receiving end? You're quite literally describing what I'm saying, which makes it less of a "leak" and more like "others might collect your data, even your ISP", which I'd say would be accurate than "your DNS leaks".

reply
upvoteby 8organicbits8 hours ago|
parent|
[-]
There's a lot of online documentation about passive DNS. Here's one example

> Passive DNS is a historical database of how domains have resolved to IP addresses over time, collected from recursive DNS servers around the world. It has been an industry-standard tool for more than a decade.

> Spamhaus’ Passive DNS cluster handles more than 200 million DNS records per hour and stores hundreds of billions of records per month, providing you with access to a vast lake of threat intelligence data.

https://www.spamhaus.com/resource-center/what-is-passive-dns...

reply
upvoteby embedding-shape7 hours ago|
parent|
next
[-]
> collected from recursive DNS servers around the world

Yes, of course, because those DNS servers are literally receiving the queries, eg "receiving the data".

Again, there is nothing "leaking" here, that's like saying you leak what HTTP path you're requesting to a server, when you're sending a HTTP request to that server. Of course, that's how the protocol works!

reply
upvoteby 8organicbits6 hours ago|
parent|
[-]
I think you are hung up on the word "leak".

Putting a secret subdomain in a DNS query shares it with the recursive resolver, who's privacy policy may permit them to share it with others. This is a common practice and attackers have access to the aggregated datasets. You are correct that third-party web servers or CDN could share your HTTP path, but I am not aware of any examples and most privacy policies should prohibit them from doing so. If your web server provider or CDN do this, change providers. DNS recursive resolvers are chosen client side, so you can't always choose which one handles the query. Even privacy-focused DNS recursive resolvers share anonymized query data. They remove the source IP address, since it's PII, but still "leak" the secret subdomain.

Any time you send secret data such that it travels to an attacker visible dataset it is vulnerable to attack. I call that a leak but we can use a different term.

reply
upvoteby embedding-shape5 hours ago|
parent|
[-]
> I think you are hung up on the word "leak".

What gave you that idea? Maybe because my initial comment started with:

> "Leak" is maybe a bit over-exaggerated...

And continues with about why I think so?

I raised this sub-thread specifically because I got hung up on "leak", that's entire point of the conversation in my mind.

reply
upvoteby NetMageSCW4 hours ago|
parent|
prev|
[-]
So nothing to do with your DNS queries at all? Why did you bring it up?
reply