How much of our IP addresses are leaked by Sonic's DNS servers?

Advanced feature discussion, beta programs and unsupported "Labs" features.
11 posts Page 1 of 2
by forest » Mon Sep 30, 2019 4:23 pm
Can someone at Sonic state officially whether our DNS servers implement the EDNS Client Subnet extension, and if so, how many bits of our network addresses are exposed?

With Firefox about to switch most users over to DNS over HTTPS by default, thereby sending our domain name lookups to CloudFlare instead of Sonic unless we act to prevent it, I find myself answering more questions lately about whether this is a good thing.

My first thought was that it's a terrible idea, not only because Mozilla is pushing a privacy-sensitive configuration change onto users without getting explicit permission, but also because the change seemed to merely shift the exposure from our ISP to another party (which could be less trustworthy) rather than actually reducing exposure. However, Mozilla justifies it in part by claiming that traditional DNS reveals most of our IP addresses to every authoritative server and intermediate network involved in every recursive DNS lookup. They are apparently referring to EDNS Client Subnet, which is new to me, and brings me to the question I asked above.

IMHO, this information is relevant to Sonic's mission, and should be easy for customers to find. Perhaps even include a link to it alongside the data retention statement in the privacy policy.

For anyone reading along who wants to disable DoH in Firefox, you can do so before it becomes the default, by setting network.trr.mode to 5.
by kgc » Mon Sep 30, 2019 7:03 pm
I'm glad you asked. My personal take is that for Sonic customers on Sonic's network it's a terrible, horrible idea to enable DoH. There are several reasons for it, including both performance and privacy/security. On the performance front, we've gone to great effort to ensure that our DNS servers provide the highest reliability, lowest latency and highest performance possible to our customers. Short of being directly peered (we do peer with Google in San Jose) it's not possible for a third party DNS provider to be as low latency as our own on-net servers.

On the privacy front, I think the adage that "if you're not paying for it, you're the product" is apt. I have no specific knowledge of what Google does with the DNS data that they receive and can only project what I would do with it if I was running one of the world's largest ad companies and was poised to receive (by default?) a substantial portion of the world's DNS traffic from Chrome and Firefox. Perhaps Cloudflare isn't interested in the content but perhaps they'll see it as monetizable.

At this time we do not do anything with the EDNS Client Subnet extension. I'll be honest that I'm not certain if we'll relay the option if it is set by a client, but we are definitely not adding it to requests on behalf of clients. I'm not aware of any particularly compelling value to our customers of it being added at this time.

As you note, the question really comes down to who you consider more trustworthy. I hope you conclude that it's Dane, Nathan, myself and the rest of Sonic. If, however, you were living under an oppressive regime or under forced internet censorship like the UK and could not trust your network provider or State to be acting in your best interest, I'd suggest that DoH was a good thing.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by virtualmike » Mon Sep 30, 2019 9:55 pm
What about those of us using IP Broadband?
by forest » Mon Sep 30, 2019 11:07 pm
Thanks for the thoughtful answer, Kelsey, and to you and the rest of the team for continuing to look out for us all.
by kgc » Tue Oct 01, 2019 9:29 am
I think I may have come off as a little alarmist with regards to Google so I'd like to walk that back a bit. If you're curious, their blog post about the experiments they're running is here https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html. I don't have a problem with this approach whereas Firefox's is disappointing.

It's worth noting that most coverage of it that I've seen is positive, but I think that says more about how much people trust their ISPs than anything else which is a sad state of affairs.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by kgc » Tue Oct 01, 2019 10:15 am
virtualmike wrote:
What about those of us using IP Broadband?

That's a good question Mike, which I think becomes more generalized. There's always the VPN service, and there are always more creative solutions of selectively running traffic over it if there are performance issues with regard to the maximum throughput of the service.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by virtualmike » Tue Oct 01, 2019 9:26 pm
Thanks, Kelsey! I was thinking along the lines of "do you trust your ISP?" I should have been clearer.

I know that Sonic's agreement with AT&T limits what AT&T can do with our browsing data, and I'd assume that the DNS data is considered part of that. But I'm curious whether I can really trust my ISP?
by forest » Tue Oct 01, 2019 10:33 pm
If you're using AT&T's DNS servers, the question relevant to this thread is not how AT&T uses your DNS data, but whether they include some or all of your IP address in the DNS queries sent to (and through) various external servers on your behalf.

If I had a relationship with AT&T, I would ask them, or test it myself. (Or both, since I probably wouldn't take them at their word.)
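The "test it myself" route above, and the original question of how many address bits an ECS option carries, come down to the wire format in RFC 7871. The following script is an added example and is not code from this thread, from Sonic or from any resolver vendor. It builds a DNS query carrying an EDNS Client Subnet option, parses the option back out of any DNS message, and includes a plain UDP sender so the same query can be fired at a resolver of your choice. The client address used in the example (192.0.2.77, from the RFC 5737 documentation range) and the hostname example.com are constructed inputs, not real client data.

```python
"""Build and parse EDNS Client Subnet (RFC 7871) options on the DNS wire format.

Added example, not Sonic's code. The point it demonstrates: an ECS option
carries only ceil(SOURCE-PREFIX-LENGTH / 8) bytes of the address with the
host bits zeroed, so a /24 exposes 192.0.2.0 and never 192.0.2.77, while a
/32 exposes the whole address.
"""
import ipaddress
import socket
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def build_ecs_option(address, source_prefix_len):
    """Encode an ECS option as sent in a query (SCOPE PREFIX-LENGTH is 0)."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2
    network = ipaddress.ip_network(f"{ip}/{source_prefix_len}", strict=False)
    nbytes = (source_prefix_len + 7) // 8          # only whole bytes covering the prefix
    addr_bytes = network.network_address.packed[:nbytes]  # host bits already zeroed
    body = struct.pack("!HBB", family, source_prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def encode_name(name):
    """Uncompressed wire-format domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txn_id=0x1234, ecs_option=b""):
    """Recursive query with one question and an OPT RR carrying ecs_option."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)  # RD set, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/flags, RDATA=options
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(ecs_option)) + ecs_option
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_ecs(msg):
    """Return (family, source_prefix_len, scope_prefix_len, address) from the
    first ECS option found in any section of a DNS message, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, src, scope = struct.unpack("!HBB", body[:4])
            size = 4 if family == 1 else 16
            addr = ipaddress.ip_address(body[4:].ljust(size, b"\x00"))
            return family, src, scope, str(addr)
    return None


def send_query(query, resolver, port=53, timeout=3.0):
    """Send the query over UDP and return the raw response (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, port))
        return sock.recvfrom(4096)[0]


if __name__ == "__main__":
    # Constructed example: a client at 192.0.2.77 announcing a /24.
    q = build_query("example.com", ecs_option=build_ecs_option("192.0.2.77", 24))
    print(parse_ecs(q))   # (1, 24, 0, '192.0.2.0'): the last octet never leaves the client
```

To check what a recursive resolver does with the option, send the query with `send_query` to that resolver while watching the traffic arriving at an authoritative server you control (a packet capture there is enough) and run `parse_ecs` over the captured query: a resolver that strips or ignores ECS forwards no option at all, one that relays it forwards your prefix unchanged, and one that adds ECS on your behalf will show an option you never sent, with the source prefix length telling you how many bits it reveals.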
by ankh » Mon Oct 07, 2019 2:41 pm
Long ago I was a Netcom customer.
The night after Earthlink bought Netcom, everyone's file permissions were reset to world-readable.
It was curious. And made those critical of Scientology rather nervous, as I recall.

The thing about privacy, permissions, and trust is that the world can change overnight.
by kgc » Wed Dec 04, 2019 3:44 pm
Bert over at PowerDNS put a good post up about DoH that's worth reading. https://blog.powerdns.com/2019/12/03/do ... y-aspects/
Kelsey Cummings
System Architect, Sonic.net, Inc.