<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">Because getting each ISP in the world to comply with NSA monitoring requests was too hard, instead they get to centralize the full list of every website everyone in the world visits on a single fleet of servers in Cloudflare's datacenters. This means we only need to compromise one person to monitor the world, saving the US taxpayer significantly. Progress!</div><div dir="ltr"><br></div><div dir="ltr">Matt</div><div dir="ltr"><br>On Sep 18, 2019, at 16:19, Mike Hammett <<a href="mailto:nanog@ics-il.net">nanog@ics-il.net</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000">Why on Earth would anyone want that (Firefox deciding to do its own DNS) as default behavior?<br><br><div><span name="x"></span><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:!important;float:none">-----</span><br style="color:rgb( 0 , 0 , 0 );font-family:'times new 
roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:!important;float:none">Mike Hammett</span><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://www.ics-il.com/" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer">Intelligent Computing Solutions</a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="https://www.facebook.com/ICSIL" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/fbicon.png"></a><a href="https://plus.google.com/+IntelligentComputingSolutionsDeKalb" style="font-family:'times new 
roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/googleicon.png"></a><a href="https://www.linkedin.com/company/intelligent-computing-solutions" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/linkedinicon.png"></a><a href="https://twitter.com/ICSIL" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/twittericon.png"></a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://www.midwest-ix.com/" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer">Midwest Internet Exchange</a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="https://www.facebook.com/mdwestix" 
style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/fbicon.png"></a><a href="https://www.linkedin.com/company/midwest-internet-exchange" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/linkedinicon.png"></a><a href="https://twitter.com/mdwestix" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/twittericon.png"></a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://www.thebrotherswisp.com/" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer">The Brothers WISP</a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a 
href="https://www.facebook.com/thebrotherswisp" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/fbicon.png"></a><a href="https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/youtubeicon.png"></a><span name="x"></span><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Jeroen Massar" <<a href="mailto:jeroen@massar.ch">jeroen@massar.ch</a>><br><b>To: </b>"NANOG" <<a href="mailto:nanog@nanog.org">nanog@nanog.org</a>><br><b>Sent: </b>Wednesday, September 18, 2019 2:15:49 AM<br><b>Subject: </b>DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users<br><br>Hi Folks,<br><br>While in the US soon all Firefox users will *NOT* use your DNS Recursives configured using DHCP anymore<br>(NXDOMAIN <a href="http://use-application-dns.net">use-application-dns.net</a> to avoid that[1]).<br>Next to that, it seems some of the root operators are now creating instances in the same networks that offer these kind of services for globally figuring out what queries are being made.<br><br><br>For those that thus either opt-out or otherwise want to use their own system resolvers, I suggest that all that run<br>DNS Recursive setups enable "QNAME minimization" as defined in (experimental) RFC7816 [2]<br><br>For pdns "qname-minimization=yes" 
[6]<br>For unbound "qname-minimisation: yes" [5]<br>For BIND "qname-minimization" option [3] and [4]<br><br>Of course, do also provide your users with the option of using DoT or even DoH on your recursors...<br><br>Noting that DoH operators are supposed to enable RFC7816 also [7], guess they do not want others to see all the details they get...<br><br>Some more details in DNS Privacy Wiki [8]...<br><br>Discuss! :)<br><br>Greets,<br> Jeroen<br><br><br>[1] <a href="https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https">https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https</a><br>[2] <a href="https://tools.ietf.org/html/rfc7816">https://tools.ietf.org/html/rfc7816</a><br>[3] <a href="https://www.isc.org/blogs/qname-minimization-and-privacy/">https://www.isc.org/blogs/qname-minimization-and-privacy/</a><br>[4] <a href="https://gitlab.isc.org/isc-projects/bind9/issues/16">https://gitlab.isc.org/isc-projects/bind9/issues/16</a><br>[5] <a href="https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf">https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf</a><br>[6] <a href="https://github.com/PowerDNS/pdns/issues/2311">https://github.com/PowerDNS/pdns/issues/2311</a><br>[7] <a href="https://wiki.mozilla.org/Security/DOH-resolver-policy">https://wiki.mozilla.org/Security/DOH-resolver-policy</a><br>[8] <a href="https://dnsprivacy.org/wiki/">https://dnsprivacy.org/wiki/</a><br></div><br></div></div></blockquote></body></html>
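The privacy gain Jeroen is asking recursive operators to enable comes from the iteration procedure in RFC 7816, section 3. The following is an added example, not part of any message in this thread and not code from PowerDNS, Unbound or BIND: a toy Python simulation of which query names each authoritative server on the delegation path gets to see, with and without QNAME minimisation. The delegation tree, the names in it (example.com and the others) and the function names are all constructed for illustration; a real resolver also has caches, timeouts and fallbacks that this model leaves out.

```python
"""
Toy simulation of the query names an iterative resolver sends to each
authoritative server, with and without QNAME minimisation (RFC 7816, sec. 3).
Added example for the NANOG thread above; not code from PowerDNS, Unbound
or BIND.  The delegation tree and every name in it are constructed.
Names are absolute (trailing dot); the root zone is ".".
"""

# Constructed delegation tree: zone apex -> set of zone cuts delegated from it.
ZONES = {
    ".": {"com.", "net."},
    "com.": {"example.com."},
    "net.": set(),
    "example.com.": set(),
}
# Every name that exists somewhere in the constructed tree (apexes + leaves).
NAMES = set(ZONES) | {"www.example.com.", "mail.example.com."}


def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']; the root '.' -> []."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def is_under(name, zone):
    """True if name is at or below zone (every name is under the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def add_label(child, qname):
    """RFC 7816 step 4: prepend the next label of QNAME to CHILD."""
    ql, cl = labels(qname), labels(child)
    return ".".join(ql[len(ql) - len(cl) - 1:]) + "."


def resolve_classic(qname, qtype="A"):
    """Pre-RFC 7816 iteration: every server on the path sees the full QNAME.
    Returns [(zone asked, name sent, type sent), ...] in order."""
    trace, zone = [], "."
    while True:
        trace.append((zone, qname, qtype))
        cut = next((c for c in ZONES[zone] if is_under(qname, c)), None)
        if cut is None:          # no deeper delegation: answer or NXDOMAIN here
            return trace
        zone = cut


def resolve_minimised(qname, qtype="A"):
    """RFC 7816 iteration: each zone is asked only for the next label (type NS)
    until CHILD equals the QNAME; only then is the original query sent."""
    trace, ancestor, child = [], ".", "."
    while True:
        if child == qname:                      # step 3: original query to ANCESTOR
            trace.append((ancestor, qname, qtype))
            return trace
        child = add_label(child, qname)         # step 4
        trace.append((ancestor, child, "NS"))   # step 6: CHILD IN NS to ANCESTOR
        if child not in NAMES:                  # 6c: NXDOMAIN, stop; the remaining
            return trace                        #     labels never leave the resolver
        if child in ZONES[ancestor]:            # 6a/6b: CHILD is a zone cut
            ancestor = child
        # otherwise 6d: NOERROR/NODATA, CHILD is not a cut; back to step 3


def names_seen_by(trace, zone):
    """Distinct query names a given zone's servers observed in a trace."""
    return sorted({name for z, name, _ in trace if z == zone})


if __name__ == "__main__":
    for name in ("www.example.com.", "foo.invalid."):
        for label, fn in (("classic", resolve_classic), ("minimised", resolve_minimised)):
            print(f"{name} [{label}]")
            for zone, sent, qtype in fn(name):
                print(f"  ask {zone:14} for {sent} {qtype}")
```

The check worth running is `names_seen_by(trace, ".")`: without minimisation the root and the TLD servers both receive `www.example.com.`; with it the root only ever sees `com.` and the TLD only `example.com.`. For a name under a non-existent TLD the minimised resolver stops at the root's NXDOMAIN after sending just the rightmost label, so the leftmost labels are never disclosed to anyone. RFC 7816 is experimental and the NS probe type it specifies was later changed by the standards-track replacement (RFC 9156), so deployed resolvers differ from this model in that detail, not in where the privacy comes from.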