Good article and I think I can answer your closing questions
Who put these arrogant movie chain execs and clerks in charge of our movie-making decisions?
You (collectively) did, and what's worse is that you tell them that they're making the right decisions every time you buy a ticket. You need to boycott. Missing a couple of films on the big screen will be a small price to pay for regaining your freedom.
What gives them the right to interfere with our ability to decide what our kids can see?
They own the cinema. You can't claim to be a libertarian if you then want to control how people use their own property. If the cinema chain thinks it's in its best interest to enforce ridiculous rules then tough, buy your own cinema.
Brainfart... Is there a local "indie" cinema? Would they be interested in helping by letting people vote with their feet and watch big movies on their screen. They'd probably be on your side. Of course they'd probably be screwed by the distributors if they tried...
If you're not going to do anything then stop whingeing (unless the article is a call to arms, of course.)
In a democracy the people get exactly what the people deserve.
If they wanted to use a cross-platform GUI with perl then Perl/Tk would be the obvious choice. What would be even cooler is if they were to work on porting perl/GTK to windows. I've used Tk under linux and windows and it is lacking some stuff that perl/GTK has.
Fair enough but I think it would be quite tricky to specify the changes correctly as the GPL is quite complex and self-referential.
If I was RMS I would specifically prohibit distribution of the GPL with software which is not licensed under the GPL (or maybe something subtler than that). That way anyone who decided to make a license which subverts the GPL would not be allowed to include a copy of the GPL with their software and therefore would not be able to include a full copy of the license agreement!
It says that also (in clause 0 it says you must include a copy of the GPL with any copy of the source code). What I am talking about is the fact that the text of the GPL is also a piece of intellectual property which is owned by the FSF. Have a read of the preamble. This describes how you may use the license and it says you may not make any changes to it. You will also notice their copyright notice at the top of the page.
The GPL does contain a statement saying that it cannot be modified for other use. Quote from the Preamble of the GPL:
> Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
This means if you want a less restrictive license then you have to put the effort in and write the whole thing yourself. The text of the GPL is not copylefted.
In this case though, the guy wants to write what is effectively a compiler. So to say that the output is GPLed means that all gcc output is GPLed too.
What about all the people who have been killed and injured by drunks? Can they sue breweries?
I mean, the link between violence/stupidity and alcohol is a hell of a lot stronger than it is with porn/movies/games.
If a girl wears a short skirt and a man is so busy looking at her that he crashes his car into a shop, obviously he can't sue her, but by the logic in the article, the shop could sue her.
Short skirts are just as legal as beer and porn and movies and games. This case would be a pretty bad precedent!
Yes, somebody IS getting "extra information", because now the DNS does not generally know the IP ("caller id") of whoever is making the request.
As I said,
Assuming you were going to call www.google.com (and not just looking up their number for fun) then google was going to see your caller id anyway.
Who runs Google's DNS servers? Google. Who runs Yahoo's DNS servers? Yahoo. If you're going to connect to Google, their web server is going to see your full IP address. Why does it matter if their DNS server might also see part of it a few milliseconds beforehand?
Google's DNS server isn't going to see your Yahoo traffic or your joeblogs.com traffic, it's only going to see your Google traffic in which case Google was going to see your IP address anyway. Making the distinction between Google's DNS server and Google's webserver seeing your IP address makes no sense here. The info obtained by the DNS server is a subset of the info obtained by the web server.
The relevant party here is Google or Yahoo a whole. Are you trying to say that Yahoo's yahoo.com authoritative DNS servers and Yahoo's web servers count as separate parties for privacy purposes?
For smaller websites this can actually be true as they may not manage their own DNS and so there is another party here (probably their hosting provider who can sniff all their traffic anyway). But nobody here is accusing smaller websites and their DNS providers of trying to enslave the world with a DNS RFC.
DNS blacklists are very, very far away from the nonsensical privacy concerns all over this thread. You are correct, if you do your blacklist lookups through a 3rd-party resolver which implements this optional extension then the blacklist provider may find out your /24 for any lookups you do that aren't in the resolver's cache already. If that bothers you, use a different resolver or use the opt-out mechanism, which signals to the resolver not to pass any information. But it seems odd to me that someone trusts their 3rd-party DNS resolver (who gets to see all your queries) more than they trust the blacklist provider (who might get to see some obfuscated queries).
The other examples do not involve addresses, and even for the blacklist example you put "address" in quotes, so I think you agree that there are no "OMG Google wants to know where I am and force me into an arranged marriage" issues here.
As for caching, read the RFC, it covers it. Caching is not thrown out. It does become harder for any resolver that implements this optional extension: the cache key becomes (query, address_prefix) so you need a bigger cache; however, the resolver is in control of how big or small an address_prefix it sends. That's the trade-off for giving better answers to your users.
The whole thing is a non-event if you run a resolver at home or in a small office. As long as the resolver is networkologically close to its users there is no need to bother with this extension. Even if you run a massive world-spanning resolver, you can ignore this extension if you like and continue to give your users crappy results.
The only people who will implement this are geographically diverse DNS providers and geographically diverse content providers - it just helps them play well together.
If you don't trust the website then why are you trying to connect to it?
Who said that only web sites use DNS? There's a lot more internet out there than you see on the world wide web. Most of it uses DNS resolution.
And is there any service where you do an address lookup and then toss the result without sending anything to the resulting IP address?
Yes, there's more than http, but the same model applies to all services that use DNS for address lookup: you eventually send something to the address that you looked up and the server can then see your full IP address.
If you think I'm wrong, please give an example.
Maybe I'm misunderstanding this, but it sounds like this DNS "fix" will require that before I can read web sites I have to submit some information about my location.
You absolutely are misunderstanding it (or rather you are correctly understanding most of the posts here but they have little to do with the real proposal). You will not have to submit anything before doing anything. Nobody is getting any extra information here. If you think websites don't already know where you are, think again!
In terms of telephone calls, DNS is the telephone directory service. You want to phone www.google.com, so you phone .com and ask them for the google.com number. Then you phone google.com and ask them for the www.google.com number. Because google has branches of www all over the country, they give you a number for www in your local area, so the call is cheaper and better line quality. They can do this because they can see your caller id so they know roughly where you live.
Now let's say you don't like having to do so many steps all the time so you use a 3rd-party service, let's call it ultraphone. You always ring the same number for ultraphone and they perform all the steps and give you back the final answer. The problem is that google.com now sees ultraphone's caller id not yours so you get back a number that's in ultraphone's home-town not your home-town.
This proposed extension just allows ultraphone to tell google "I'm calling on behalf of please give me the number you would give them".
So you get a number that's local for you instead of one that's local for ultraphone.
The problem that is being fixed here is that ultraphone saves you hassle while getting the phone number but it gets you a bad phone number (not a wrong one just not the best one for you). Right now you have to decide which you prefer, fast lookups with sub-optimal results or awkward lookups with optimal results.
This extension lets you have fast lookups with optimal results.
Assuming you were going to call www.google.com (and not just looking up their number for fun) then google was going to see your caller id anyway. This extension just changes when it sees it. Right now if you use a 3rd party DNS provider it gets your IP too late to do good load balancing and that hurts users and may consume extra bandwidth.
Chances are that if you don't know about this stuff then you're using your ISP's DNS service and for some big ISPs that may mean a server hundreds of miles away, giving you sub-optimal answers.
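An added example, not code from the post or from any real resolver, modelling the two points made above: the "ultraphone" resolver passing a truncated client prefix on the user's behalf, and the earlier reply's caching point that the cache key becomes (query, address_prefix) with the resolver choosing the prefix length. The name, PoP networks and addresses are constructed, and the hint is modelled as a plain network string rather than real EDNS option bytes; it shows that the authoritative side only ever sees the /24 (never the host address), that prefix length 0 is the opt-out that passes nothing, and how the chosen prefix length drives cache size.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed data: one name, and which client network each point of
# presence (PoP) serves.  All addresses here are made up for the model.
QNAME = "www.example.com"
POPS: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "203.0.113.10"),  # clients in 10.1/16 -> PoP A
    ("10.2.0.0/16", "203.0.113.20"),  # clients in 10.2/16 -> PoP B
]
DEFAULT_ANSWER = "203.0.113.1"       # answer given without a useful hint


def client_subnet(client_ip: str, prefix_len: int) -> Optional[str]:
    """Truncate the client address to prefix_len bits (e.g. a /24).

    Prefix length 0 is the opt-out: no address information is passed
    upstream at all, modelled here as None.
    """
    if prefix_len == 0:
        return None
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return str(net)


class Authoritative:
    """Stand-in for the content provider's nameserver ("google.com")."""

    def __init__(self) -> None:
        self.pops = [(ipaddress.ip_network(n), a) for n, a in POPS]
        self.seen: List[Tuple[str, Optional[str]]] = []  # what it learns

    def query(self, qname: str, subnet: Optional[str]) -> str:
        self.seen.append((qname, subnet))  # never the full client IP
        if qname != QNAME:
            raise KeyError(qname)
        if subnet is not None:
            net = ipaddress.ip_network(subnet)
            for pop_net, answer in self.pops:
                if net.subnet_of(pop_net):
                    return answer
        return DEFAULT_ANSWER  # opt-out, or no PoP covers that prefix


class Resolver:
    """Third-party recursive resolver ("ultraphone") using the hint."""

    def __init__(self, auth: Authoritative, source_prefix_len: int = 24):
        self.auth = auth
        self.source_prefix_len = source_prefix_len  # resolver's choice
        # Cache key is (query, address_prefix), not just the query.
        self.cache: Dict[Tuple[str, Optional[str]], str] = {}
        self.upstream_queries = 0

    def resolve(self, qname: str, client_ip: str, opt_out: bool = False) -> str:
        plen = 0 if opt_out else self.source_prefix_len
        subnet = client_subnet(client_ip, plen)
        key = (qname, subnet)
        if key not in self.cache:
            self.upstream_queries += 1
            self.cache[key] = self.auth.query(qname, subnet)
        return self.cache[key]


def run_demo(prefix_len: int = 24) -> dict:
    """Resolve for a few constructed clients and report what happened."""
    auth = Authoritative()
    res = Resolver(auth, source_prefix_len=prefix_len)
    answers = {
        "a1": res.resolve(QNAME, "10.1.5.7"),              # PoP A
        "a2": res.resolve(QNAME, "10.1.5.200"),            # same /24: hit
        "a3": res.resolve(QNAME, "10.1.200.1"),            # same /16
        "b1": res.resolve(QNAME, "10.2.9.4"),              # PoP B
        "opt": res.resolve(QNAME, "10.1.77.3", opt_out=True),  # no hint
    }
    return {
        "answers": answers,
        "cache_entries": len(res.cache),
        "upstream_queries": res.upstream_queries,
        "auth_saw": auth.seen,
    }


if __name__ == "__main__":
    for plen in (24, 16):
        d = run_demo(plen)
        print(f"/{plen}: {d['answers']}")
        print(f"  cache entries={d['cache_entries']} upstream={d['upstream_queries']}")
        print(f"  authoritative saw: {d['auth_saw']}")
```

Running it with /24 and then /16 shows the same answers but fewer cache entries and upstream queries at the coarser prefix, which is exactly the knob the resolver operator holds.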
My guess is google wants to use it to better target ads. I can see the server going "oh that ip address is on main street - let's show them the ad for the restaurant that's just down the street".
But as you said above
The ip you're looking up gets this info as soon as you connect anyway.
So they can target the ad perfectly well already
Where this benefits google and other websites is that people who use ultradns, opendns or just an ISP that has a small number of resolvers for a large geographic area will get correctly load balanced.
Where this benefits ultradns, opendns and google public dns is that people will stop complaining that youtube gets slow when they use one of these public resolvers and so people will be happier to use them.
There are at most 3 other parties involved: your ISP, your DNS resolver (if you don't manage that yourself) and the website (if the website does not run its own DNS service there is one more party, but it's probably the website's hosting provider, which could sniff all of their traffic anyway).
With or without this extension all 3 of these other parties have access to your IP address and can prevent you from accessing the site.
If you think I'm still missing the point, please give an example where this extension enables some other interested party to snoop or block you.
On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.
What intermediate servers? The only parties involved here are you, the website and a 3rd-party resolver that you have chosen to use.
If you don't trust your 3rd-party resolver then you're screwed with or without this extension because this resolver can see your full IP address and can lie to you about DNS (e.g. sending you to an ad site instead of saying "no such domain" or whatever).
If you don't trust the website then why are you trying to connect to it? The website will get your full IP address as soon as you connect and can then do whatever it likes with that.
Assuming you are actually planning on connecting to the website and not just doing DNS requests for the sake of it, nobody gets any information that they weren't going to get anyway and nobody has any opportunity to block you that they weren't going to have anyway.
Well, the summary lists two ways that this could be used for "evil":
1) Or it would allow any interested party to look at your DNS requests.
2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.
Violating privacy and enabling censorship have no place in the Western world.
You are assuming that the summary bears any relation to reality!
The proposal is that your ISP's resolver will pass your approximate IP address when doing a DNS request on your behalf so that you can be sent to a close-by server for your actual TCP connection.
What extra information does someone get here? How does this allow "any interested party to look at your DNS requests"?
On the Iran point, if the website wants to block users from Iran, they can do that when you make the TCP connection - at that time they get your exact IP address and can apply any filtering policy they like.
Fair enough, sort of...
"Collapse under load" what are you talking about? Any chance of a link to anything that might substantiate that...?
Whoever wrote that page about dinosaurs and gravity obviously never saw the Horizon program (BBC Science program, can't remember what it's called in the US, maybe "Nova") on the "Natural History of an Alien".
They made a very interesting point about worlds with stronger gravity than earth. As gravity increases, so does air density and it increases in such a way that in a higher gravity environment the increase in air density is enough to allow even bigger flying creatures despite the stronger gravity.
For flying creatures, lifting force will increase as the square of the force of gravity.
So his point about bigger flying creatures needing weaker gravity is in error.
Bigger flying creatures implies stronger gravity, which kinda messes up his argument.
(If you didn't read the page, he's arguing that the existence of enormous dinosaurs implies that gravity was a weaker force in pre-history)
Anyone remember Chris Morris from these TV shows? I won't say any more in case I ruin the surprise...
No need for reverse engineering, if it gets to court, the source code would be part of the evidence.
If the source code they present as "the real source" compiles a binary that's identical to the one they're distributing, then this is almost surely the real source code (except maybe for comments and macros). If the binaries differ then they're lying about the source code.
sorry, ignore that nonsense!
Everything you have said is true but the whole point of the discussion is that the Artistic License allows someone to fork and keep the source secret!
Who tagged this as "insightful"?
Linux is nowhere near as bad. Most of the problems apply only to NT and are either non-issues or have a simple workaround for Linux (and BSD I presume).
>2. Installing Windows NT where it doesn't belong
>
> Ditto
It's possible for different versions of linux to share files either on a local disk or via nfs.
>3. Choosing the wrong file system
>
> Ditto
Linux can read so many different file systems (maybe including NTFS?). This is a limitation of NT.
>4. No emergency repair disk
>
> Ditto, especially Linux.
You can easily make one on another PC, all you need is Linux or DOS. You don't have to hose the whole system.
>6. Missing a key network component
>
> Ditto
The guy advocates setting up a guest account so you can share files - great security model!
>7. Forgetting the password
>
> Ditto
No - just boot into single user mode (type "linux single" at the LILO prompt) and set a new root password. Again, no hosing the machine and losing all your data!
>8. Using older applications
>
> Ditto (ie. libc and glib)
Yeah, kind of, but you could just recompile in many cases.
> 10. Cloning Windows NT
>
>Ditto
Why can't you clone Linux installs? If the hardware is identical and you use some sort of dynamic IP address allocation (or just change the IP address after cloning) then there's no problem.
don't give them any ideas!
It's the parents of the victims who are suing!