undefined | Better HN

0 pointsDylan168077y ago0 comments

The second level domain under com is the important part 95% of the time.

0 comments

3 comments · 1 top-level

pdkl957y ago· 2 in thread

> This is cached, often for longer than the record's specified TTL.

NS records don't change very often. They can see that I looked up the delegation data about "example.com" once every $CACHE_TTL (~months). They do not get repeated queries at the beginning of every session I have with a website.

A lot of security is about being in the habit of minimizing attack surface. The only thing a TLD (or ISP) nameserver needs to know if I want to use the Doomain Name System is "pdkl95 asked for example.com's nameserver once last month" Instead of giving Google (or whomever) an update e.g.:

    ;; ANSWER SECTION:
    news.ycombinator.com.  300  IN  A  209.216.230.240

...every 5 minutes. This is not trying to stop someone discovering that I have ever been a domain; I'm limiting the ability to model my pattern of life[1].

[1] https://en.wikipedia.org/wiki/Pattern-of-life_analysis

Dylan16807OP7y ago

So what I get out of this is that your system protects your privacy because it uses a custom TTL, and not really because you run a recursive resolver. It helps reduce errors, but you could get almost the same effect with a pure cache.

pdkl957y ago

No, I'm still requesting the A/AAAA records at the normal TTL rate. This doesn't expose useful information, because those queries are sent directly to the domain's nameserver. The domain learns that data point anyway from the TCP SYN packet I'm probably sending immediately after I learn the A/AAAA record.

Separating the requests allows for different cache policies. If you simply delegate the entire recursive resolution work to Google (or whomever), they get to record that you needed "www.example.com" every TTL (5min?). You don't even need to see the domain's NS records in that case, so there isn't an opportunity to choose a cache policy.

1 more reply

j / k navigate · click thread line to collapse