[GTALUG] CIRA officially launches free DNS firewall for consumers | IT World Canada News

Alvin Starr alvin at netvel.net
Tue Apr 28 10:02:39 EDT 2020


On 4/28/20 9:16 AM, ac wrote:
> On Tue, 28 Apr 2020 08:13:11 -0400
> Alvin Starr <alvin at netvel.net> wrote:
> <snip so many cool things around here somewhere>
>> How about DNS over TOR?
>>
> as usual, LOVE the way you think :)
>
> How about just plain old DNSSEC?
> (instead of a nanny) - yay, IT Works! - and is so mature
> already...(without all the risks of having/using a nanny)
I thought DNSSEC was more to secure the content of the query and not the 
communication channel.
But my DNSSEC knowledge is spotty at best.

>
> and using connectivity providers (instead of third parties and dns over
> https) -- for caching/recursive, like Bell (Bell CA actually does not
> track/record/monetise their users' DNS queries afaik)
All the Canadian carriers will always work to maximize their profit 
because they are obligated to by their shareholders.
So always assume they are monetizing anything they can even in the face 
of public denials.
They all perform deep packet inspection so assume anything that is in the 
clear will be monetized.
I am not saying they are evil.
It's just that their profit motive may not be in the end user's best interest.


>
> Problems all solved?
>
>>> my further opinions are that any "nanny" type "free" service where
>>> someone else decides what and where i may or may not go or what i
>>> may or may not see, needs to be either well
>>> regulated/controlled/open/published/etc or simply not be
>>> accepted...
>> Sometimes nannies are good things.
> yes, nannies are 'sometimes' good things, but for some people BAD
> nannies are sometimes even better :)
Are you thinking of the Nanny from Queen's Fat Bottomed Girls?

>
>> People without the wherewithal or interest in managing their own
>> security likely are in need of a nanny.
>>
> again, dnssec already protects users, it just needs wider adoption,
> which is the issue... as for "shared" domains like outlook.com - abuse
> management costs will increase? - which is probably why dnssec has
> never caught on, it is not "sexy" (like some nannies...)
>
I have had mixed luck with DNSSEC from the point of view of internal 
implementation and have fallen back to SEC-less.

As a side story.
DNS(bind) has been SO reliable over the years that people have not 
upgraded their software.
A month or so ago a few customers had their DNS partly break because the 
old DNSSEC root keys were removed.
The solution was to turn off DNSSEC till they were able to upgrade the 
software.


>>> anyway, i am probably a minority as i also do not like/use/support
>>> very popular and world dominating services such as 'whatsapp' and i
>>> do not tweet or post photos of my food on insta and i have zero
>>> tiktok vids
>> I have a feeling your take is not a minority on this list.
> ooh, warm & fuzzies to you too, I have a home *sigh*  :)
>
Ya. Safe at home sometimes feels like locked in trying to avoid the 
zombie apocalypse.

-- 
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net              ||


